Ongoing phishing campaign themed “Health Card Replacement”

CERT-AGID identified multiple active phishing campaigns, hosted on several different domains, that impersonate the Italian Ministry of Health to steal citizens' personal and payment data. The lure is a fake 2026 health card replacement notice; it leads into a staged payment funnel that collects identity details first and credit card details last. #CERT-AGID #MinisteroDellaSalute #AgenziaDelleEntrate #PosteItaliane

Keypoints

  • The campaigns impersonate the Italian Ministry of Health and target Italian citizens with fraudulent notices about mandatory health card replacement.
  • The lure claims that cards issued before January 2023 must be replaced due to a new electronic health identification system.
  • The phishing sites closely mimic official portals, using ministry logos, colors, FAQ sections, and fake protocol numbers to appear legitimate.
  • Victims are guided through a multi-step data collection funnel requesting personal data such as name, tax code, ID document details, and phone number.
  • The final stage asks for full credit card information (card number, expiry date, and CVV) while reassuring the victim that the payment is "SSL-protected". A valid TLS certificate on the phishing site only proves that the connection to that site is encrypted; it says nothing about who operates it.
  • The article states that legitimate health card renewal is automatic and free for eligible citizens, and never done through email or SMS links.
  • CERT-AGID requested takedown of the malicious domains and shared the indicators of compromise with accredited entities.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Users are lured to the fraudulent sites through deceptive email or SMS messages carrying links tied to the fake health card notice ['the procedures never happen through links sent via email or SMS']
  • [T1583.001] Acquire Infrastructure: Domains – The actor registered several distinct domains to host the campaign pages, which is why CERT-AGID requested takedown of multiple domains
  • [T1036] Masquerading – The sites imitate official Ministry of Health portals using its logo, colors, FAQ sections, and fake protocol references ['they faithfully imitate the graphic appearance of institutional portals']
  • [T1056.003] Input Capture: Web Portal Capture – The multi-step funnel is a set of look-alike web forms that harvest the identity data and card details the victim types into them ['the user is guided through a multi-step funnel', 'requesting full credit card data']. This is form capture on an attacker-controlled site, not keylogging (T1056.001) and not HTML smuggling (T1027.006): no payload is smuggled and nothing runs on the victim's machine.
  • [T1657] Financial Theft – The end goal is fraudulent use of the captured payment card data ['card number, expiry date, CVV']; no application access token is involved, so T1528 does not apply

Indicators of Compromise

  • [Domains] Several distinct domains hosting the phishing pages, plus related domains. The specific names are not reproduced on this page; they are in the CERT-AGID IoC package.
  • [Web URLs] The fake health card notice page, the payment page, and the other pages of the funnel, likewise listed only in the IoC package.
  • [File names] The IoC package itself ("Download IoC") and the other IoC materials CERT-AGID shared with accredited entities.
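The practical use of an IoC package like the one CERT-AGID distributes is to match its domains and URLs against your own proxy or DNS logs. The following is an added example, not code from CERT-AGID or from the advisory: it parses a feed in the common one-entry-per-line form (bare domains or full URLs), matches log entries by exact host or subdomain, and adds a lookalike heuristic for hostnames that use the lure's vocabulary ("tessera", "sanitaria", "salute") outside an allowlist of legitimate suffixes. The feed entries, the log lines and the allowlist are constructed for the example; the IoC domains use RFC 2606 reserved names (`.example`, `.invalid`) so they cannot be mistaken for real indicators, and the assumption that the Ministry's real domain is `salute.gov.it` is the only thing taken from outside the page.

```python
"""Match web-proxy log entries against a CERT-AGID-style IoC domain list.

Added example; not CERT-AGID code. The IoC feed, log lines and allowlist
below are constructed for illustration, not real indicators.
"""
import re
from urllib.parse import urlsplit

# Constructed IoC feed: bare domains and full URLs, one per line, '#' comments.
IOC_FEED = """\
# CERT-AGID style IoC package (constructed for this example, reserved TLDs)
tessera-sanitaria-2026.example
sostituzione-tessera.invalid
https://pagamento-salute.example/step2/carta
"""

# Legitimate suffixes the lookalike heuristic must never flag (assumption:
# salute.gov.it is the Ministry of Health's real domain; the second entry is
# a constructed placeholder for other institutional hosts you trust).
ALLOWLIST_SUFFIXES = ("salute.gov.it", "portale-istituzionale.example")
# Vocabulary of the lure; a hostname using it outside the allowlist is suspect.
LURE_KEYWORDS = ("tessera", "sanitaria", "salute")

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def load_iocs(feed: str) -> set[str]:
    """Return the normalised hostnames from a feed of domains and/or URLs."""
    hosts: set[str] = set()
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Entries may be bare domains or full URLs; reduce both to a hostname.
        if "://" in line:
            host = urlsplit(line).hostname or ""
        else:
            host = line.split("/", 1)[0]
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def host_matches(host: str, iocs: set[str]) -> bool:
    """True if host equals an IoC or is a subdomain of one (www.x.tld matches x.tld)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def is_lookalike(host: str) -> bool:
    """Heuristic: lure keyword in the hostname, and host not under an allowlisted suffix."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES):
        return False
    return any(keyword in host for keyword in LURE_KEYWORDS)


def scan_log(lines: list[str], iocs: set[str]) -> list[tuple[str, str, str]]:
    """Return (client, host, reason) per hit; reason is 'ioc' or 'lookalike'."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, iocs):
            hits.append((m["client"], host, "ioc"))
        elif is_lookalike(host):
            hits.append((m["client"], host, "lookalike"))
    return hits


# Constructed log lines: two IoC hits (one via subdomain, one via a URL entry),
# one legitimate request, one lookalike domain, one malformed line.
SAMPLE_LOG = [
    "2026-01-12T09:14:03Z 10.0.0.21 GET https://www.tessera-sanitaria-2026.example/avviso",
    "2026-01-12T09:15:10Z 10.0.0.21 POST https://pagamento-salute.example/step2/carta",
    "2026-01-12T09:20:44Z 10.0.0.34 GET https://www.salute.gov.it/portale/home.html",
    "2026-01-12T09:21:02Z 10.0.0.40 GET https://rinnovo-tessera-salute.invalid/login",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG, load_iocs(IOC_FEED)):
        print(f"{reason:9} {client:12} {host}")
```

The `ioc` hits are what you would act on directly (block, and pull the client for the credential-exposure follow-up, since by the payment step the victim has already typed identity and card data). The `lookalike` hits are a triage queue, not a verdict: the heuristic is deliberately broad so that newly registered domains outside the IoC package still surface, and the allowlist is what keeps the real ministry portal out of it.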


Read more: https://cert-agid.gov.it/news/campagne-di-phishing-a-tema-sostituzione-tessera-sanitaria-in-corso/