CERT-AGID has observed a significant rise in phishing campaigns exploiting the PagoPA theme to target Italian users, primarily via deceptive emails requesting fraudulent payments for alleged traffic fines. These campaigns use conditional redirection techniques to display fraudulent content only to mobile users and sometimes filter victims by IP address, increasing the sophistication of the attacks. #CERTAGID #PagoPA #PhishingCampaigns
Key points
- CERT-AGID recorded 45 phishing campaigns themed around PagoPA between March and May 2025, generating 520 indicators of compromise shared with public administrations and PagoPA security teams.
- The phishing emails mimic official payment requests for supposed traffic violations to deceive users into making unauthorized payments.
- Attackers use conditional redirection so that fraudulent pages are shown only to users on mobile devices, while desktop users are redirected to the genuine PagoPA website.
- Some campaigns incorporate IP-based filtering to hide fraudulent pages from certain users or entities, complicating automatic detection.
- Victims are asked to enter personal information first, then credit card details under the guise of settling fines, allowing attackers to steal sensitive data.
- PagoPA’s widespread use and trusted reputation in Italy make it an effective lure for cybercriminals exploiting urgency and established habits around digital service notifications.
- The stolen data includes personal identifiers and financial details that can facilitate economic fraud and identity theft.
MITRE Techniques
- [T1566] Phishing – Deceptive emails referencing supposed PagoPA traffic fines are used to trick users into submitting sensitive information (“fake payment reminders relating to alleged traffic fines”).
- [T1059] Command and Scripting Interpreter – Conditional redirection scripts show the fraudulent content only on mobile devices and redirect desktop users to legitimate pages (“the fraudulent content is shown only if the user accesses from a mobile device”).
- [T1189] Drive-by Compromise – Visitor IP addresses are checked to selectively deliver the malicious pages, hiding the fraud from certain targets (“a second check based on the user's IP address”).
- [T1530] Data from Information Repositories – Attackers collect personal data and credit card details via multi-step web forms (“the entry of personal data is requested … the completion of the credit card fields is prompted”).
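The conditional redirection described in the key points and under T1059/T1189 (fraudulent page for mobile clients, genuine PagoPA site for desktop clients) can be checked from the defender's side by fetching a reported URL under two client profiles and comparing where each one lands. The script below is an added example, not code from CERT-AGID or from the article; the user-agent strings, the sample landing URLs and the legitimate-host list (www.pagopa.gov.it) are assumptions.

```python
"""Cloaking probe: does a reported URL land somewhere different depending on
the client profile?  A decoy that sends one profile to the genuine site and
another to an unrelated host is the pattern described in the CERT-AGID report."""
import urllib.request
from urllib.parse import urlparse

# Client profiles to compare (constructed UA strings; any realistic ones work).
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
}
# Hosts assumed to be the legitimate service (assumption, adjust for your case).
LEGITIMATE_HOSTS = {"www.pagopa.gov.it", "pagopa.gov.it"}


def fetch_final_url(url, user_agent, timeout=10):
    """Follow redirects for one profile and return the final URL (network call)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()


def classify(landings, legitimate_hosts=LEGITIMATE_HOSTS):
    """landings: {profile_name: final_url}.  Returns a verdict dict.
    The same function works for IP-based filtering if the keys are vantage
    points (e.g. 'office', 'residential-proxy') instead of user agents."""
    hosts = {p: urlparse(u).netloc.lower() for p, u in landings.items()}
    on_legit = {p: h in legitimate_hosts for p, h in hosts.items()}
    cloaked = len(set(hosts.values())) > 1          # profiles land on different hosts
    # Decoy redirect: some profiles reach the real site, others do not.
    decoy_redirect = cloaked and any(on_legit.values()) and not all(on_legit.values())
    return {"cloaked": cloaked, "decoy_redirect": decoy_redirect, "hosts": hosts}


def probe(url, profiles=PROFILES, legitimate_hosts=LEGITIMATE_HOSTS):
    """Fetch the URL under every profile and classify the result."""
    landings = {p: fetch_final_url(url, ua) for p, ua in profiles.items()}
    return classify(landings, legitimate_hosts)


# Constructed sample of what two probes of a decoy link might return.
SAMPLE_LANDINGS = {
    "desktop": "https://www.pagopa.gov.it/",
    "mobile": "https://avviso-pagopa.example/pay?id=123",
}

if __name__ == "__main__":
    print(classify(SAMPLE_LANDINGS))  # cloaked and decoy_redirect both True
```

Run `probe()` only against URLs you are authorised to analyse, and from an isolated analysis network, since the target may log the source IP for its filtering.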
Indicators of Compromise
- [Phishing Email Subjects] Fraudulent payment requests for traffic fines – specific subjects are not listed, but they are referenced as part of the 45 campaigns.
- [URLs] Malicious redirect links targeting mobile users – 520 IoCs were collected by CERT-AGID and shared with the authorities.
- [IP Addresses] Used in the filtering mechanism that hides the fraud from some users – specific IPs are not provided in the article.