Ongoing smishing against Autostrade per l’Italia

CERT-AGID reported a smishing campaign that uses fake SMS messages impersonating Autostrade per l’Italia to trick victims into entering vehicle, phone and payment details on a fraudulent site. The malicious pages are hosted on the typosquatted domain “autostiade[.]com”; CERT-AGID contacted the registrar's abuse contact and shared IoCs with accredited organizations.

Key points

  • CERT-AGID identified a smishing campaign delivering fake SMS that claim an unpaid toll to lure victims.
  • SMS contain a link to a fraudulent website mimicking Autostrade per l’Italia with official logo and branding.
  • The malicious site requests personal data (license plate and mobile number) and payment card information.
  • Attackers used typosquatting: the malicious domain is autostiade[.]com, similar to the legitimate autostrade.it.
  • CERT-AGID contacted the registrar's abuse contact to request a domain takedown and shared IoCs with accredited entities.
  • Advised precautions: verify exact URL, distrust unexpected requests for personal or banking data via SMS/email, and avoid interacting with suspicious messages.
  • Users are instructed to forward suspicious messages to [email protected] for analysis and follow-up.

MITRE Techniques

  • [T1593] Spearphishing via Service – Attackers sent fraudulent SMS posing as an organization to trick recipients into visiting a malicious site (“…finti SMS che sfruttano il nome di Autostrade per l’Italia…”).
  • [T1583] Acquire Infrastructure – Use of a typosquatted domain “autostiade[.]com” created to host phishing pages resembling the legitimate site (“…le pagine malevole sono infatti ospitate su “autostiade[.]com”…”).
  • [T1204] User Execution – Social engineering through alarming toll-notification messages that prompt users to click a link and submit credentials and payment details (“…presunto “pedaggio non saldato” e presentano un link…richiede all’utente l’inserimento di dati personali… e della carta di pagamento”).

Indicators of Compromise

  • [Domain] phishing infrastructure – autostiade[.]com (typosquatted domain impersonating autostrade.it).
  • [Email] reporting contact – [email protected] (address provided for reporting suspicious messages).
  • [Message Content] phishing lure – SMS referencing “pedaggio non saldato” with link to fraudulent site (example: SMS with link to autostiade[.]com).
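
The typosquatting described above (autostiade[.]com versus autostrade.it) can be checked mechanically when triaging reported messages. The following is an added example, not part of the CERT-AGID advisory: it extracts hosts from message text and flags those within a small edit distance of the brand label. The threshold, function names and sample messages are assumptions constructed for illustration.

```python
import re

# Assumptions: allowlist, brand label and threshold are illustrative choices.
LEGIT_DOMAINS = {"autostrade.it"}  # legitimate domain named on the page
BRAND_LABEL = "autostrade"
MAX_DISTANCE = 2

# Matches hostnames, with or without scheme, in normal or defanged ("[.]") form.
HOST_RE = re.compile(r"(?:h(?:tt|xx)ps?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)

# Constructed sample messages (not real captures).
SAMPLE_SMS = [
    "Autostrade per l'Italia: pedaggio non saldato. Paga ora su https://autostiade[.]com/pay",
    "Info traffico in tempo reale su https://www.autostrade.it/",
    "Il tuo pacco e' in giacenza, conferma su http://example.org/track",
]

def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hosts_in(text):
    """Return hostnames found in text, refanged and lowercased for comparison."""
    return [m.group(1).replace("[.]", ".").lower() for m in HOST_RE.finditer(text)]

def classify(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    # Check every label except the TLD, so the brand used as a subdomain
    # of an unrelated domain is flagged as well.
    for label in host.split(".")[:-1]:
        if edit_distance(label.replace("-", ""), BRAND_LABEL) <= MAX_DISTANCE:
            return "lookalike"
    return "unrelated"

def triage(message):
    """Map each host in a message to its classification."""
    return {host: classify(host) for host in hosts_in(message)}

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage(sms))
```

A host is reported as a lookalike whenever it is close to the brand label but not on the allowlist, so the exact brand name registered under a different TLD is also flagged for review.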


Read more: https://cert-agid.gov.it/news/in-corso-uno-smishing-ai-danni-di-autostrade-per-litalia/