Mobility bonus: phishing against the SPID of Poste Italiane

From 4 November 2020 to 3 January 2021 it is possible to request the bike bonus (mobility bonus), worth up to 500 €. The initiative was proposed by the Government to encourage the purchase of ecological means of transport such as bicycles and scooters, especially given the correlation between pollution and coronavirus. On 5 November, CERT discovered a phishing campaign targeting the Poste Italiane SPID, themed around the mobility bonus application.

To request the mobility bonus you need to access the dedicated application and register or log in with your SPID credentials. SPID is the Public Digital Identity System, which gives access to the websites of the Public Administration and of participating private providers with a single set of credentials from any device. SPID protects your privacy and authenticates you, i.e. confirms your real digital identity.

[Image: SPID Poste Italiane authorization simulation. Credits: Poste Italiane]

SPID Phishing for Poste Italiane

In Italy several providers offer SPID, including Tim, IBM group, Aruba… Among them is the SPID developed by Poste Italiane, which lets you access various services from the dedicated app by scanning a QR code and entering the password chosen during registration, or by fingerprint or facial recognition.

It has long been expected that many users would apply for the mobility bonus. With this in mind, on 6 October a group of attackers registered a malicious domain aimed at stealing the SPID credentials of Poste Italiane users. The company D3Lab reported the malicious domain, aggiornamento-spid[.]com, while it was still devoid of content.

[Image: Phishing illustration. Credits: Kaspersky]

Thanks to this report, monitoring of the site began, and it emerged that the fake SPID Poste Italiane page was visible to mobile browsers, i.e. to requests carrying a mobile user-agent, while at first it was blocked only for PC browsers. Following the reports of the past few days, the redirection to the fake page is now blocked from mobile as well. This does not mean that Poste Italiane users can no longer receive targeted phishing SMS asking them to enter their SPID credentials.
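The monitoring step described above hinges on one observation: the same URL answered differently depending on whether the client looked like a phone or a PC. The following is an added example, not code from the article, D3Lab or CERT, of the check an analyst would script for that: fetch the suspect URL once per User-Agent string, reduce each answer to a fingerprint (status, redirect target, body hash) and flag the URL as client-dependent when the fingerprints differ. The fetch function is injected, so the demo runs offline against a constructed fake server; the User-Agent strings, the redirect target and `http_fetch` are assumptions for illustration.

```python
"""Added example: detect whether a URL is served differently to different
clients (user-agent cloaking). Not taken from the TechCuE article or from the
organisations it names; URLs and responses below are constructed."""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed, abbreviated User-Agent strings standing in for real browsers.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/82.0",
    "android": "Mozilla/5.0 (Linux; Android 10; Pixel 3) Mobile Chrome/86.0",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) Mobile/15E148",
}


@dataclass(frozen=True)
class Response:
    status: int
    location: str  # value of the Location header, "" if absent
    body: bytes


def fingerprint(resp: Response) -> str:
    """Reduce a response to something comparable: status code, redirect
    target and a truncated SHA-256 of the body (the body itself is not kept)."""
    body_hash = hashlib.sha256(resp.body).hexdigest()[:16]
    return f"{resp.status} {resp.location} {body_hash}"


def check_ua_cloaking(url: str, fetch: Callable[[str, str], Response],
                      user_agents: Dict[str, str] = USER_AGENTS) -> dict:
    """Fetch `url` once per User-Agent and compare the answers.
    Returns {"cloaked": bool, "fingerprints": {client_name: fingerprint}};
    `cloaked` is True when at least two clients received different answers."""
    fps = {name: fingerprint(fetch(url, ua)) for name, ua in user_agents.items()}
    return {"cloaked": len(set(fps.values())) > 1, "fingerprints": fps}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow redirects; record the Location header instead


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Response:
    """Real fetch with urllib (assumed helper for analysts working from an
    isolated analysis host). Not used by the offline demo below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.getcode(), r.headers.get("Location", ""), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location", ""), e.read())


def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed server reproducing the reported pattern: mobile clients are
    redirected to a login page, PC clients get a 404 (target URL is made up)."""
    if "Mobile" in user_agent:
        return Response(302, "https://fake-login.example/", b"")
    return Response(404, "", b"Not Found")


def honest_fetch(url: str, user_agent: str) -> Response:
    """Constructed server that answers every client the same way."""
    return Response(200, "", b"<html>same page for everyone</html>")


if __name__ == "__main__":
    # Domain taken from the article, kept in its defanged form.
    print(check_ua_cloaking("http://aggiornamento-spid[.]com/", fake_fetch))
    print(check_ua_cloaking("http://aggiornamento-spid[.]com/", honest_fetch))
```

A fingerprint that differs between clients is a signal, not proof: legitimate sites also serve distinct mobile layouts, so the body hash alone is noisy. A redirect to a different host only for mobile clients, as in the constructed `fake_fetch`, is the stronger indicator and is why the status and Location header are part of the fingerprint.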

How the phishing attack works

Phishing takes its name from the English verb "to fish", because it is designed to make its victims bite. Just as a fish is fooled by the bait that hides the hook, internet users are fooled by graphics that hide a malicious site.

Phishing takes many forms and can target a single person or a group. Generally a phishing attack aims to steal banking credentials in order to make purchases or transfers to the attacker or to a nominee. Usually the victim receives an e-mail or an SMS, sometimes even a message on social networks, from a bogus sender whose name resembles that of a real entity: for example, the genuine sender of Poste Italiane SMS may be PosteItaliane, while the fake one could be PosteIT. Opening the message, we find a text announcing a problem and a link to fix it. The link has the same flaw as the sender name: where the genuine Poste Italiane address is www.poste.it, the fake one might be www.posteitaliane.it.

[Image: phishing Poste Italiane SPID]

The consequences of opening the link or downloading the attachments of an e-mail can be manifold. By downloading an attachment we may install malware, for instance spyware (which spies on our activity) or ransomware (which encrypts the data on the device and demands a ransom to return them). By opening the link, instead, we are usually redirected to a website whose graphics are identical to the original site's but whose domain is different. It is therefore necessary to check for https and verify that the domain is actually the right one. Enter credentials only when you are sure the website is genuine.
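The two checks the article recommends, https present and the domain actually being the institution's, can be applied mechanically to every link in a message before anyone taps it. The block below is an added example written for this page, not Poste Italiane's or any vendor's code: it extracts the links from an SMS or e-mail body, compares the registrable domain with an allowlist, and flags the lookalike pattern the text describes (a hostname that contains the brand name but is not on the list, such as www.posteitaliane.it against www.poste.it). It also covers the related trick of putting the brand before an `@` so that the real host is hidden. The allowlist, the brand keywords and the sample messages are constructed; only poste.it and aggiornamento-spid[.]com come from the article.

```python
"""Added example: classify links found in a message as ok / insecure /
lookalike / unknown. Not code from the TechCuE article; allowlist and sample
messages are constructed for the demonstration."""
import re
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the institution really uses.
# poste.it is the only entry taken from the article; treat the set as an assumption.
LEGITIMATE_DOMAINS = {"poste.it"}
# Constructed brand keywords whose presence in an unlisted host is suspicious.
BRAND_KEYWORDS = ("poste", "spid")

# Matches http(s):// URLs and bare www. hosts; defanged "[.]" is accepted.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (eTLD+1 for plain suffixes like .it/.com).
    Sufficient for the demo; production code should use the Public Suffix List
    so that multi-label suffixes such as .co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(raw: str, allow=LEGITIMATE_DOMAINS) -> dict:
    """Apply the article's two checks (https, right domain) plus a lookalike test."""
    url = raw.replace("[.]", ".")  # refang defanged indicators
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # a bare www. link is served over http by default
    parts = urlsplit(url)
    host = parts.hostname or ""
    netloc = parts.netloc.lower()  # includes any user:pass@ prefix
    domain = registrable_domain(host)
    reasons = []

    if parts.scheme != "https":
        reasons.append("no https")
    if parts.username is not None:
        reasons.append("text before '@' is not the host; real host is " + host)

    if domain in allow:
        verdict = "ok" if parts.scheme == "https" else "insecure"
    else:
        reasons.append(f"domain {domain} not in allowlist")
        if any(k in netloc for k in BRAND_KEYWORDS):
            reasons.append("brand name in an unlisted host (lookalike)")
            verdict = "lookalike"
        else:
            verdict = "unknown"
    return {"url": raw, "host": host, "domain": domain,
            "verdict": verdict, "reasons": reasons}


def scan_message(text: str) -> list:
    """Extract every link from a message body and classify it."""
    links = [m.rstrip(".,;:!?)") for m in URL_RE.findall(text)]
    return [classify_url(link) for link in links]


# Constructed sample messages modelled on the pattern described in the article.
SAMPLE_MESSAGES = [
    "PosteIT: update your SPID at www.posteitaliane.it within 24h.",
    "Poste Italiane: your statement is available at https://www.poste.it/",
    "SPID update required: https://aggiornamento-spid[.]com/",
    "Log in here: https://www.poste.it@evil.example/",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for result in scan_message(msg):
            print(f"{result['verdict']:9} {result['url']}  {'; '.join(result['reasons'])}")
```

The allowlist is the part that matters: a heuristic that only looks for the brand name would pass www.posteitaliane.it as "looks like Poste", which is exactly the confusion the article warns about. Anchoring the decision on the registrable domain, and treating a brand name anywhere outside that domain as a red flag, is what turns the author's advice into a check that can run automatically on incoming messages.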

Defend yourself from phishing

SMS and e-mail aren't the only sources of phishing. In vishing we receive a call from a supposed call centre or senior member of the company, notifying us of a problem; to solve it we are asked for account details, typically the PIN or password. Another variant is the creation of a fake profile on social networks, which sends private messages or public posts announcing an alleged general error on the site.

How to defend against phishing attacks? Every bank states that it never asks, by SMS, e-mail, phone call or any other channel, for secret data that only the user knows, such as username, PIN or password. Therefore the only way to defend against a phishing attack is not to trust whatever you receive in the institution's name: always be wary, never fill in the requested fields with personal data and never provide them in other ways. In case of strong doubt, every company recommends reporting the message; sometimes there is a dedicated e-mail address (for Poste Italiane, antiphishing@posteitaliane.it), or it can be reported to the Postal Police.

Banks and financial institutions are not the only targets of phishing. In March 2020 the WHO was impersonated as the sender of e-mails about Covid-19 prevention. Moreover, phishing attacks can also be directed at the employees of a company: the attacker claims to be an external company that has been given an assignment and asks the employee for sensitive information.

The article Mobility Bonus: phishing against the SPID of Poste Italiane comes from TechCuE .