Our country is increasingly in the eye of the storm when it comes to cyber attacks. As evidence of this, there is a recent and disturbing discovery of Threat Intelligence Team Of D3Lab.
Through service activities Brand MonitorIn fact, experts have identified several campaigns phishing that they target Trenitalia and its customers. The criminal actions, identified last November 7 for the first time, exploit some specially created domains with redirects to a fake site.
This fictitious platform reproduces the official Trenitalia website down to the smallest graphic details. Inside the site, the entire path that leads a customer to purchase a ticket is re-proposed, complete with miscellaneous details options available, rates and even ghostly offers.
Potential victims of phishing fraud are asked for sensitive data such as:
- Name and surname
- Telephone number
as well as even more sensitive information for ticket payment.
Trenitalia and phishing: how cybercriminals act
D3Lab experts point out that, when entering data on the fictitious portal, a rather suspicious form is presented, which presents some sentences in English.
The tests have highlighted how, in the case of payment, the data collected by the form is sent to a specific address (i.e https://bknd[.]trenitalia[.]pro/backend-book/v1/bot_user/new_log).
In risposta all’invio dati, il sito ricevente offre un output di tipo “Data saved successfully in MongoDB” (tradotto The data was successfully saved to MongoDB), which would suggest a Russian-speaking origin of the cybercriminals.
For those who intend to book a ticket online on the Trenitalia website, it is important to remember how important it is always check the URL of a site before making a transaction or entering sensitive data into any form.
In the more specific case, let’s remember how the reference site appears www.trenitalia.com and therefore, any more or less plausible variants are in all likelihood illegitimate websites.