Examples of phishing: the latest campaigns mentioned by the CSIRT
Estimated reading time: 8 minutes
Successful phishing attacks are increasing rapidly and so is the variety of forms they come in. Today I want to bring a couple of examples of phishing reported in the last period on the Italian territory by the CSIRT ( Computer Security Incident Response Team ).
Millions of users around the world are put at risk every day, statistically, one every 30 seconds. Cybercriminals are evolving and so are their techniques.
But it’s not just the traditional phishing scam that is catching on, but spear phishing and CEO fraud now also offer a much more damaging reach to the enterprise. For businesses, a successful attack could mean millions of dollars in damage.
Since it is known that users, even corporate users, tend to be lazy and do not manage their passwords effectively, even a phishing campaign aimed at individuals could provide useful credentials to later target corporate accounts. For this reason, one of the most effective defenses is the training of users, who, knowing the danger, can avoid it altogether.
Why does phishing work?
Before giving concrete examples of phishing that took place in Italy, it is interesting to understand why it is a technique that works so well. According to a white paper from Ostermann Research in 2017, phishing is the main concern of security teams.
There are 5 main reasons, identified by Ostermann Research, why phishing is still a real danger.
1. Lack of awareness
Undoubtedly, the predominant reason is the lack of “ security awareness “. More specifically, the lack of training on issues such as phishing and ransomware are the main reasons for the success of these attacks.
2. Need for more information
The use and notoriety of the Dark Web have lowered the commercial value of stolen data. The price of a credit card record dropped from $ 25 in 2011 to $ 6 in 2016 , which means that cybercriminals have had to adapt their attention to new ways to earn the amount of money they did in the past.
3. Lack of adequate protection
Companies are not doing enough to reduce the risks associated with phishing. There is a lack of proper backup processes, as well as an inability to identify weaker users who need further training.
In addition, there is a lack of strong control processes, such as double confirmation for every bank transfer request. Neglecting these protocols means putting yourself directly in the hands of some of the most common fraudulent techniques.
4. Ease of finding tools
The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) gave would-be hackers an easy opportunity to enter the market and compete with sophisticated criminal organizations.
The most troubling part of this growing trend is that even people with little or no computer experience are reaping the benefits of these easy-to-obtain tools.
5. Attacks leverage people’s weak points
As we have seen with social engineering , leveraging some factors can lower people’s guards . Alternatively, you aim for a sense of urgency to ensure that the necessary checks are not carried out before taking action. At other times it is guilt or shame that are used as a weapon to request money directly, as in the case of ransomware .
Among the examples of phishing that we will see shortly, I believe that the main factors for which they succeed are ignorance of IT (security) and feelings of guilt or urgency transmitted in the messages used in attacks.
Examples of 2021 phishing on Italian territory
“Eni gas and electricity reimbursement”
This campaign, reported in March 2021 , uses as a pretext a fake reimbursement from ENI Gas e Luce in order to steal personal data and banking information from the victims. The promise of a refund and seemingly legitimate web pages are key elements of the attack.
The following personal data are requested: name, surname, date of birth, social security number and telephone number. In addition, the following are also required: credit card type, number, expiration date and security code.
The victim reaches the phishing page by following a link to
After entering the credentials in the form, two screens appear. A summary and a confirmation. Note that the SMS / OTP confirmation method is mentioned in the summary screen but is not required of the victim. Finally, you are directed to the real ENI website.
To defend yourself, always pay attention to the URLs of the pages you visit. These often contain elements of obvious wrongdoing. For example the
ru extension of the pages.
Bank Account Phishing Example (N26)
At the end of March 2021, a campaign affecting the customers of the N26 online bank was reported. Through SMS and email, users are asked for personal data, personal information (telephone number and social security number ) and the OTP code and the unique access token of the credit card.
Through a landing page very similar to that of N26, you are asked to log in to the service. The user enters the login credentials, the card code and then personal information is also requested. The excuse is to check the user’s data.
After entering the data, the victim is informed that the entered OTP code is incorrect and a new one is requested. This happens 3 times, until a server error page is shown.
The data has now been entered and sent to the attacker, who can access the victim’s account thanks to the information collected.
The phishing examples listed in this article are just two of all those regularly reported on the CSIRT site. Scams are often completely avoidable, if only you knew the basics of detecting a fraudulent web page.
Always valid advice: before following a link received, go to email, it is better to visit the site from your browser, without using the URLs provided in the message. Email communications are often notifications that must also be reflected on the account page on the site.
Those who fall victim to a phishing attack are likely not able to recognize threats in general. This can become a risk for the whole company.
The best defense is to invest in your employees. This can be done through ethical phishing campaigns followed by targeted training consolidate the problems found. At SOD, we can help your company recognize weaknesses and then provide employees with the information they need to raise the bar.
Contact us to find out how we can specifically help your company to raise the defenses against phishing and make the infrastructure more secure.
- Hadoop Open Data Model: “open” data collection
- Pass the Ticket: how to mitigate it with a SOCaaS
- Use cases of a SOCaaS for companies part 2
- Use cases of a SOCaaS for companies part 1
- NIST Cybersecurity Framework
- “Left of boom” and “right of boom”: having a winning strategy
- Smishing: a fraud similar to phishing
- Network Traffic Analyzer: an extra gear for the Next Gen SIEM
- Backup as a Service (2)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (18)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (14)
- Security (14)
- Web Hosting (15)
- Pulling Back the Curtain on Bug Bounties October 26, 2021It's critical that infosec professionals and consumers understand threats and vulnerabilities, but they are being kept in the dark.
- Wardrivers Can Still Easily Crack 70% of Wi-Fi Passwords October 26, 2021Weaknesses in the current Wi-Fi standard and poorly chosen passwords allowed one wardriver to recover 70% of wireless network passwords.
- OpenText Strengthens Ransomware Resilience October 26, 2021New detection and alert functions within Carbonite Server increase data protection against ransomware.
- Forcepoint Completes Acquisition of Bitglass October 26, 2021The acquisition of Bitglass will be the third technology acquisition for Forcepoint this year.
- Jumio Launches End-to-end Orchestration for its KYX Platform October 26, 2021Platform combines digital identity proofing, compliance verification and anti-money laundering checks.
- SolarWinds Attacker Targets Cloud Service Providers in New Supply Chain Threat October 25, 2021Microsoft says the group has attacked more than 140 service providers and compromised 14 of them between May and October of this year.
- Industrial Goods & Services Tops Ransomware Targets in 2021 October 25, 2021While the industrial goods and services sector saw a decline in attacks during the third quarter, it remains the most targeted sector for ransomware this year.
- Who's In Your Wallet? Exploring Mobile Wallet Security October 25, 2021Security flaws in contactless payments for transportation systems could lead to fraud for stolen devices, researchers find.
- 5 Ways CMMC Security Requirements May Impact Universities October 25, 2021The Cybersecurity Maturity Model Certification puts research universities in a position where they must validate the effectiveness of their security controls before applying for a grant or bidding on a government contract.
- How We Can Narrow the Talent Shortage in Cybersecurity October 25, 2021Filling crucial roles in cybersecurity and addressing the talent shortage requires rethinking who qualifies as a "cybersecurity professional" and rewriting traditional job descriptions.
- [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets October 26, 2021Posted by Sandro Gauci on Oct 26# FreeSWITCH susceptible to Denial of Service via invalid SRTP packets - Fixed versions: v1.10.7 - Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-09-freeswitch-srtp-dos - Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36 - Other references: CVE-2021-41105 - Tested vulnerable versions:
- [ES2021-06] FreeSWITCH susceptible to Denial of Service via SIP flooding October 26, 2021Posted by Sandro Gauci on Oct 26# FreeSWITCH susceptible to Denial of Service via SIP flooding - Fixed versions: v1.10.7 - Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-06-freeswitch-flood-dos - Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m - Other references: CVE-2021-41145 - Tested vulnerable versions:
- [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default October 26, 2021Posted by Sandro Gauci on Oct 26# FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default - Fixed versions: v1.10.7 - Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-08-freeswitch-SIP-SUBSCRIBE-without-auth - Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj - Other references: CVE-2021-41157 - Tested vulnerable versions:
- [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways October 26, 2021Posted by Sandro Gauci on Oct 26# FreeSWITCH vulnerable to SIP digest leak for configured gateways - Fixed versions: v1.10.7 - Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-05-freeswitch-vulnerable-to-SIP-digest-leak - Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4 - Other references: CVE-2021-41158 - Tested vulnerable versions:
- VDPBW Bundeswehr - 1 Year Vulnerability Disclosure Policy of the Bundeswehr October 26, 2021Posted by info () vulnerability-lab com on Oct 26Title: 1 Year Vulnerability Disclosure Policy of the Bundeswehr - The Balance Sheet of the CISOBwChief Information Security Officer Reference: https://www.bundeswehr.de/de/organisation/cyber-und-informationsraum/aktuelles/1-jahr-vdpbw-cisobw-bilanz-5232904 Title: VDPBwVulnerability Disclosure Policy der Bundeswehr - COIN Reference: https://www.bundeswehr.de/de/security-policy/vdpbw-coin Title: Im Dienst der IT-Sicherheit (Interview 1st...
- PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities October 26, 2021Posted by info () vulnerability-lab com on Oct 26Document Title: =============== PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2290 Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/ Release Date: ============= 2021-10-20 Vulnerability Laboratory ID (VL-ID): ==================================== 2290 Common Vulnerability Scoring System:...
- Simplephpscripts Simple CMS v2.1 - Remote SQL Injection Vulnerability October 26, 2021Posted by info () vulnerability-lab com on Oct 26Document Title: =============== Simplephpscripts Simple CMS v2.1 - Remote SQL Injection Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2303 Release Date: ============= 2021-10-19 Vulnerability Laboratory ID (VL-ID): ==================================== 2303 Common Vulnerability Scoring System: ==================================== 7.1 Vulnerability Class: ==================== SQL...
- Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability October 26, 2021Posted by info () vulnerability-lab com on Oct 26Document Title: =============== Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2302 Release Date: ============= 2021-10-19 Vulnerability Laboratory ID (VL-ID): ==================================== 2302 Common Vulnerability Scoring System: ==================================== 5.3 Vulnerability Class: ==================== Cross Site...
- SPA Cart CMS - Multiple SQL Injection Web Vulnerabilities October 26, 2021Posted by info () vulnerability-lab com on Oct 26Document Title: =============== SPA Cart CMS - Multiple SQL Injection Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2304 Release Date: ============= 2021-10-18 Vulnerability Laboratory ID (VL-ID): ==================================== 2304 Common Vulnerability Scoring System: ==================================== 7.3 Vulnerability Class: ==================== Script Code...
- Simplephpscripts Simple CMS v2.1 - XSS Web Vulnerability October 26, 2021Posted by info () vulnerability-lab com on Oct 26Document Title: =============== Simplephpscripts Simple CMS v2.1 - XSS Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2301 Release Date: ============= 2021-10-18 Vulnerability Laboratory ID (VL-ID): ==================================== 2301 Common Vulnerability Scoring System: ==================================== 5.1 Vulnerability Class: ==================== Cross Site...
Tempo di lettura: 5 minUtilizzo del Machine Learning per proteggere i dati Introdotto nel gennaio 2017, Acronis Act… https://t.co/mhqalBxm8D
Gli attacchi informatici sono numerosi e non fanno distinzione tra aziende e singoli individui quando prendono di m… https://t.co/uOucUWZf7W
Estimated reading time: 5 minutes SNYPR è uno strumento di analisi della sicurezza in grado di trasformare i Big… https://t.co/oies7e0nYY
Estimated reading time: 5 minutes Con l’avvento delle piattaforme di big data, le aziende che si occupano di sicu… https://t.co/MSvA0dPgiE
Estimated reading time: 5 minutes With the advent of big data platforms, IT security companies can now make guid… https://t.co/aTv41eq2Ir