From 444f6597e1dfca52a021f838ddc48f271c298a99 Mon Sep 17 00:00:00 2001
From: Mirko Caruso <153075885+mirkocaruso19@users.noreply.github.com>
Date: Tue, 15 Apr 2025 15:00:44 +0200
Subject: [PATCH 1/2] Create pagopa-checkout.yml

As per the URLScan report: https://urlscan.io/result/019638cd-0a40-76fc-8fe0-4bcd550f9c0f/ , a new phishing campaign targeting Italian citizens has been detected. This campaign exploits the brand of the PagoPA platform, established by the Italian government for payments to public administrations. The campaign's IoCs have also been disseminated by the CERT bulletin of the Italian government's Digital Agency (AgID): https://cert-agid.gov.it/wp-content/uploads/2025/04/pagoPA.json
---
 indicators/pagopa-checkout.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 indicators/pagopa-checkout.yml

diff --git a/indicators/pagopa-checkout.yml b/indicators/pagopa-checkout.yml
new file mode 100644
index 00000000..7c99cdcc
--- /dev/null
+++ b/indicators/pagopa-checkout.yml
@@ -0,0 +1,24 @@
+title: PagoPA Checkout Phishing Kit
+description: |
+ Detects sites that mimic the payment process of the PagoPA platform established by the Italian Government for payments to public administrations using cleave JS library to validate credit card numbers
+first_seen: 2025-04-14
+references:
+ - https://cert-agid.gov.it/wp-content/uploads/2025/04/pagoPA.json
+
+detection:
+ requestsContent:
+ requests|contains:
+ - 'cleave.min.js'
+ phpSessionCookie:
+ cookies|startswith: 'PHPSESSID='
+ paymentString:
+ dom|contains:
+ - 'pagamento'
+ - 'pagopa'
+
+ condition: requestsContent and phpSessionCookie and paymentString
+
+tags:
+ - kit
+ - target_country.italy
+ - target.pagopa

From 0ae8643329dd5d3f793cd9295f610b09aa4ec0f6 Mon Sep 17 00:00:00 2001
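Review bot: `first_seen: 2025-04-14` is an unquoted ISO date, so a generic YAML loader returns a date object rather than the string `2025-04-14`; if the rule loader or its schema expects a string, write `first_seen: '2025-04-14'`. The same unquoted field is carried into `indicators/pagopa-019638cd.yml` in PATCH 2/2, which supersedes this file, so the fix belongs there rather than here. Whether the consumer treats the value as a string or a date cannot be told from the patch and should be checked against the repository's indicator schema.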
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 15 Apr 2025 21:46:32 +0100
Subject: [PATCH 2/2] Update and rename pagopa-checkout.yml to pagopa-019638cd.yml

---
 indicators/pagopa-019638cd.yml | 30 ++++++++++++++++++++++++++++++
 indicators/pagopa-checkout.yml | 24 ------------------------
 2 files changed, 30 insertions(+), 24 deletions(-)
 create mode 100644 indicators/pagopa-019638cd.yml
 delete mode 100644 indicators/pagopa-checkout.yml

diff --git a/indicators/pagopa-019638cd.yml b/indicators/pagopa-019638cd.yml
new file mode 100644
index 00000000..f69036ae
--- /dev/null
+++ b/indicators/pagopa-019638cd.yml
@@ -0,0 +1,30 @@
+title: PagoPA Phishing Kit 019638cd
+description: |
+ Detects sites that mimic the payment process of the PagoPA platform established by the Italian Government for payments to public administrations.
+ The kit uses the Cleave JS library to validate credit card numbers and dates.
+first_seen: 2025-04-14
+references:
+ - https://cert-agid.gov.it/wp-content/uploads/2025/04/pagoPA.json
+ - https://urlscan.io/result/019638cd-0a40-76fc-8fe0-4bcd550f9c0f
+ - https://urlscan.io/result/01963b32-dccf-75d1-bfc9-00807a035688
+
+detection:
+
+ requestsContent:
+ requests|contains: 'cleave.min.js'
+
+ jsContent:
+ js|contains: 'function isInputNumber(evt)'
+
+ domContents:
+ dom|contains|all:
+ - 'pagamento'
+ - 'pagopa'
+ - 'action="logz/log.php"'
+
+ condition: requestsContent and jsContent and domContents
+
+tags:
+ - kit
+ - target_country.italy
+ - target.pagopa
diff --git a/indicators/pagopa-checkout.yml b/indicators/pagopa-checkout.yml
deleted file mode 100644
index 7c99cdcc..00000000
--- a/indicators/pagopa-checkout.yml
+++ /dev/null
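Review bot: `js|contains: 'function isInputNumber(evt)'` is an exact-substring match on a formatted source line, so a re-minified or re-formatted copy of the same kit (for instance with a space before `(evt)`) would fail the AND condition while the page still renders the same payment flow; it is the most kit-specific of the three indicators, so a miss there silently drops the whole detection. Consider documenting that sensitivity above the line, for example `# exact-substring match on the kit's JS; whitespace-sensitive, re-check when the kit is repackaged`, assuming the rule loader accepts YAML comments. Separately, `'pagopa'` in `dom|contains|all` is lowercase while the brand renders as PagoPA; if the operator is case-sensitive this relies on the string appearing in URLs or attributes rather than visible text, which is worth a one-line comment as well.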
@@ -1,24 +0,0 @@
-title: PagoPA Checkout Phishing Kit
-description: |
- Detects sites that mimic the payment process of the PagoPA platform established by the Italian Government for payments to public administrations using cleave JS library to validate credit card numbers
-first_seen: 2025-04-14
-references:
- - https://cert-agid.gov.it/wp-content/uploads/2025/04/pagoPA.json
-
-detection:
- requestsContent:
- requests|contains:
- - 'cleave.min.js'
- phpSessionCookie:
- cookies|startswith: 'PHPSESSID='
- paymentString:
- dom|contains:
- - 'pagamento'
- - 'pagopa'
-
- condition: requestsContent and phpSessionCookie and paymentString
-
-tags:
- - kit
- - target_country.italy
- - target.pagopa