Fake Interior Ministry portal uncovered: phishing targeting residence permits

The Italian CERT-AGID identified a recently registered malicious domain hosting a fake Ministry of the Interior portal (with references to the Polizia di Stato) that purports to let users check the status of immigration-related applications. The fraudulent site asks visitors to enter personal and document details, which are harvested for subsequent targeted fraud. CERT-AGID alerted the Ministry, requested takedown of the domain, and distributed IoCs. #CERT-AGID #MinistryOfInterior #PoliziaDiStato

Key points

  • CERT-AGID discovered a recently registered malicious domain impersonating the Italian Ministry of the Interior and referencing the Polizia di Stato.
  • The fake portal presented itself as a service to check the status or validity of immigration-related administrative procedures (residence permit, flow decree, family reunification, irregular work).
  • Clicking “Check Application Status” redirects victims to a page that requests identifying data and case details (name, date of birth, nationality, document/passport number, protocol number).
  • The campaign’s likely objective is identity theft of foreign nationals awaiting permits, visas, or authorizations, to enable subsequent targeted fraud.
  • CERT-AGID informed the Ministry’s security team, requested domain removal, and circulated the indicators of compromise to accredited organizations.
  • An IoC download link was provided by CERT-AGID for further investigation and mitigation by trusted parties.

MITRE Techniques

  • [T1583.002] Domain – Use of a recently registered malicious domain to host a fraudulent government portal (‘a malicious domain, recently registered, used to host a fake Ministry of the Interior portal’).
  • [T1566.002] Phishing: Link (web-based credential harvesting) – Deployment of a deceptive web page that redirects users to a form requesting personal and document details (‘Clicking on “Check Application Status” the victim is redirected to a page that requests the insertion of identifying data and case details’).

Indicators of Compromise

  • [Domain] Malicious domain used to host a fake Ministry of the Interior portal – domain name not disclosed in the article (recently registered malicious domain).
  • [URL / IoC feed] Download link for indicators provided by CERT-AGID – referenced as “Download the IoCs” (IoC download link included but specific URL not published in the article).


Read more: https://cert-agid.gov.it/news/scoperto-falso-portale-del-ministero-dellinterno/