CERT-AGID identified active phishing campaigns abusing the name, logo, and branding of Agenzia delle Entrate to steal financial and asset-related information from users. One campaign combines adaptive phishing and vishing, steering victims through a fake tax portal and then urging them to call an “Ufficio Verifiche di Milano” number to complete the fraud.
Key points
- The campaigns fraudulently use Agenzia delle Entrate’s name, logo, and visual identity.
- The main lure is a supposed mandatory declaration of crypto-assets, often accompanied by urgent deadlines.
- One active campaign uses an adaptive phishing flow that changes based on the victim’s responses.
- The fake site first requests the victim’s tax code and mobile phone number through a login-like form.
- The page then branches to collect either crypto-related details or banking information such as the bank name and account balance.
- After submission, a fake synchronization error pressures the victim to call a phone number, turning the attack into vishing.
- CERT-AGID requested takedown of the malicious domains, informed Agenzia delle Entrate, and shared IOCs with accredited entities.
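A triage heuristic for the flow described in the key points, as an added example that is not part of CERT-AGID's report: it flags captured pages that show Agenzia delle Entrate branding off the official domain together with the data-harvesting and callback stages. The official domain `agenziaentrate.gov.it`, the function names, the Italian wording in the regexes, and the sample pages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the agency's legitimate site lives under this domain.
OFFICIAL = "agenziaentrate.gov.it"

# One regex per stage of the flow. The Italian wording is assumed, except
# "Ufficio Verifiche", which is the office name the campaign displays.
TRAITS = {
    "brand":    re.compile(r"agenzia\s+delle\s+entrate", re.I),
    "lure":     re.compile(r"cripto[\s-]?(attivit|valut)", re.I),
    "identity": re.compile(r"codice\s+fiscale.{0,200}?(cellulare|telefono)", re.I | re.S),
    "finance":  re.compile(r"wallet|exchange|istituto\s+bancario|saldo", re.I),
    "callback": re.compile(r"(errore\s+di\s+sincronizzazione|ufficio\s+verifiche)"
                           r".{0,300}?chiam", re.I | re.S),
}

def is_official(url):
    """True only for the official domain or a real subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def triage(url, text):
    """Return (verdict, matched trait names) for one captured page."""
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(text))
    if is_official(url) or "brand" not in hits:
        return "ignore", hits
    if "callback" in hits:                       # hand-off to the phone call
        return "phishing+vishing", hits
    if "identity" in hits or "finance" in hits:  # data-harvesting form
        return "phishing", hits
    return "review", hits                        # branding only: analyst check

# Constructed sample pages (not captured from the campaign).
SAMPLES = [
    ("https://agenziaentrate.gov.it.example.test/login",
     "Agenzia delle Entrate - Dichiarazione criptovalute. "
     "Inserisci codice fiscale e numero di cellulare."),
    ("https://portale.example.test/esito",
     "Agenzia delle Entrate: errore di sincronizzazione. "
     "Chiami l'Ufficio Verifiche di Milano."),
    ("https://www.agenziaentrate.gov.it/", "Agenzia delle Entrate: codice fiscale e telefono"),
]

if __name__ == "__main__":
    for url, text in SAMPLES:
        print(url, *triage(url, text))
```

The first sample places the official domain as a prefix of an unrelated host, which is why `is_official` compares the end of the hostname instead of searching for a substring.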
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Victims are led to a fake institutional site that imitates Agenzia delle Entrate and collects data through an online form (‘Today’s campaign leads the victim to a site that imitates the institutional portal of Agenzia delle Entrate’).
- [T1598] Phishing for Information – The malicious form asks for tax code, mobile number, wallet/exchange details, bank name, and account balance to harvest sensitive financial data (‘the wallet/exchange used is requested…’; ‘the name of the bank… and the latest current-account balance are requested’).
- [T1204.001] User Execution: Malicious Link – The victim must interact with the deceptive website and follow the form flow to continue the attack (‘Today’s campaign leads the victim to a site…’).
- [T1656] Implied Phishing via Communication Channel – The attack escalates from web phishing to voice-based fraud by prompting the victim to call a fake office number (‘invites the victim to call a number presented as “Ufficio Verifiche di Milano”’).
- [T1071] Application Layer Protocol – The campaign uses web-based interaction and a simulated synchronization error page as part of the attack flow (‘After submission, the victim sees a screen that simulates a synchronization error’).
Indicators of Compromise
- [Domains] Malicious sites impersonating Agenzia delle Entrate – malicious domains (unspecified), and other domains reported in the shared IoC set
- [Phone Numbers] Voice-phishing callback point used to complete the scam – the “Ufficio Verifiche di Milano” number, and other phone numbers if present in the IoC feed
- [URLs] Fake tax portal and follow-on error page used in the campaign – the phishing site URL, and the “Download IoC” link if published as part of the report