SPID PosteID under attack, credentials at risk: beware of SMS

A new phishing attempt against Poste Italiane users: this time the attackers aim to exploit the wave of SPID logins generated by the bike bonus.

A phishing campaign aimed at stealing the SPID access credentials of Poste Italiane users is underway: the cybersecurity company D3Lab discovered it and reported it to the Computer Emergency Response Team of the Agenzia per l'Italia Digitale (CERT-AGID). Most likely, the campaign was also set up to exploit the wave of SPID logins to the web platform for the Mobility Bonus.

The scam attempt is quite classic, but only because phishing campaigns built this way usually work well. The scam appears to be aimed at users accessing from mobile devices and, according to CERT, will be delivered mainly via scam SMS. The attackers started working on this phishing campaign more than a month ago, registering a domain that imitates the login page of Poste Italiane, which can also be accessed via SPID PosteID. The page is reproduced quite faithfully, and the only way to tell that it is fake is to look at the URL in the address bar.

SPID PosteID scam: how it works

On October 6, 2020, i.e. a month before the click day for the bike bonus, the domain www.aggiornamento-spid[.]com was registered, with the owner's details hidden, hosted on servers in Germany. This site reproduces the login page for Poste Italiane accounts in a very credible way: on the left there are fields to enter username and password (for both private and corporate accounts) and a button to register if you do not already have an account. On the right, instead, we find "Log in with SPID-enabled PosteID", with the PosteID logo, and a button to request PosteID.

Below we find various information copied from the Poste Italiane website, such as toll-free numbers for customer support, and three buttons to ask for help: Call us, Write us, Come to Poste. All the buttons are in fact fake: all they do is reload the same page. The goal of the site is to steal the credentials used to access Poste Italiane accounts.

PosteID SPID scam: beware of the SMS

The fake site is still online despite the report by CERT-AGID. When it is visited from a desktop, the main browsers (Chrome, Edge, Firefox) show the user a very clear warning on a red background: this site has been reported as fake and dangerous.

When it is visited from a mobile device, however, no warning is currently shown and the site is accessible as normal. This means that smartphone and tablet users should be particularly careful, because the only way to realize that you are visiting a dangerous site is to read the address of the web page.
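The advice above, read the address, is exactly what a defensive URL check automates. The following is an added example, not code from the article, D3Lab or CERT-AGID: it parses a URL, extracts the hostname and accepts it only if it is the legitimate Poste Italiane domain or a true subdomain of it. The allowlisted domain `poste.it` is an assumption made here, and the only attacker-controlled name used is the one reported on this page; the other sample URLs are constructed to show common lookalike tricks (legitimate name used as a subdomain prefix, or hidden in the userinfo part before `@`).

```python
from urllib.parse import urlsplit

# Assumption for this example: the registrable domain Poste Italiane
# actually uses for logins. Not stated on the page.
LEGITIMATE_DOMAINS = {"poste.it"}


def refang(url: str) -> str:
    """Turn a defanged indicator (as reports print it) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if none can be extracted.

    urlsplit() takes the host from the part of the authority after the LAST '@',
    so a URL such as https://poste.it@evil.example/ correctly yields 'evil.example'.
    """
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def is_legitimate_host(hostname: str, allowed=LEGITIMATE_DOMAINS) -> bool:
    """True only for an allowed domain or a subdomain of it.

    The suffix match is anchored on a label boundary ('.' + domain), so
    'poste.it.example.com' and 'notposte.it' are rejected.
    """
    return any(hostname == d or hostname.endswith("." + d) for d in allowed)


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'suspicious' or 'unparseable'."""
    host = hostname_of(url)
    if not host:
        return "unparseable"
    return "legitimate" if is_legitimate_host(host) else "suspicious"


# Constructed sample inputs. The first is the domain reported in the article
# (defanged as printed there); the rest are hypothetical lookalike patterns.
SAMPLE_URLS = [
    "hxxps://www.aggiornamento-spid[.]com/login",
    "https://posteid.poste.it/",
    "https://poste.it.evil-example.test/login",
    "https://poste.it@evil-example.test/",
    "https://notposte.it/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):12s} {hostname_of(u) or '-':40s} {u}")
```

Browser warnings, as the article notes, may lag on mobile, so a check like this belongs in the places an organisation controls: an SMS or mail gateway, a proxy log pipeline, or a user-reporting workflow that triages suspicious links before anyone taps them.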

The most likely scenario, according to CERT, is that the cyber criminals are organizing a large-scale phishing campaign based on SMS messages inviting users to visit the fake site to resolve a non-existent account security problem.