Ongoing phishing campaign uses government branding to steal banking data

CERT-AGID has detected a phishing campaign that abuses the name and insignia of the Italian Government and the Presidency of the Council of Ministers to steal banking login credentials. Emails titled “Verification of Banking Data – Italian Government” redirect victims to pages that mimic institutional graphics and then to fake bank login portals to capture customer IDs and PINs. #CERTAGID #PresidencyOfTheCouncil

Key points

  • CERT-AGID identified a phishing campaign impersonating the Italian Government and the Presidency of the Council of Ministers to harvest banking credentials.
  • Phishing emails use the subject line “Verification of Banking Data – Italian Government” and lure users to click a malicious link.
  • The malicious link opens a webpage reproducing official Presidency graphics and offers a dropdown menu to select the victim’s bank.
  • After selecting a bank (examples include Intesa Sanpaolo, UniCredit, Monte dei Paschi di Siena, BNL, ING, BPER, BCC, Fineco, Crédit Agricole, PostePay), victims are redirected to counterfeit login portals to capture customer codes and PINs/passwords.
  • CERT-AGID requested removal of the malicious domain from the registrar and has distributed associated IoCs to accredited entities.
  • Detailed IoCs are available through a “Download IoC” link for further investigation and blocking.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Attackers sent emails containing a link that redirects recipients to a phishing site to harvest credentials. [‘…the message … invites the user to click on a link present in the body of the message…’]
  • [T1036] Masquerading – The phishing pages replicate official government graphics and logos to appear legitimate and deceive victims. [‘…the link redirects to a web page that faithfully reproduces the institutional graphics of the Presidency of the Council of Ministers…’]

Indicators of Compromise

  • [Domain] Malicious domain used to host phishing landing pages – specific domain not disclosed in article (CERT-AGID requested registrar removal).
  • [Email Subject] Phishing lure used in campaign – “Verification of Banking Data – Italian Government”.
  • [URLs] Phishing/redirect URLs pointing to fake Presidency page and bank login portals – exact URLs not listed in article; referenced as available in the downloadable IoC package.


Read more: https://cert-agid.gov.it/news/in-atto-una-campagna-di-phishing-che-sfrutta-le-insegne-del-governo-per-sottrarre-dati-bancari/