Skip to content → has less visits than this phishing website.

Recently my best friend received a call from his bank (Unicredit), telling him that his account was temporary blocked because of the risk of suspicious activities on it. He asked more informations about it, and they asked him if he, recently, put his credentials in a website similar to the official one. He replied that he didn’t do that, also with the official one; last time he used the online-banking it was many months ago. Result, they unblocked his account and he can use his money again.

2 minutes later he called me to tell me this story. I was lying on the couch checking my email, and my spam. While he was speaking one email catches my eyes;

Screen Shot 2016-06-29 at 4.06.08 PM


Screen Shot 2016-06-29 at 3.54.37 PM

It looks like Unicredit is facing a massive phishing attack and they are blocking the accounts also without fraudulent evidences.

Interesting. Let’s analyze it a bit.

The clone kit used by the attackers is very similar to the others. The attack i not even sophisticated because it’s using just a form and an image like background. Below the structure.

Screen Shot 2016-06-29 at 4.10.08 PM

The HTML files 1,2,3 are just redirect to the files cc.html, inside.html and  inside2.html. Let’s analyze the php files.

1.png is the background of the login page


They look very simple. The PHP skills required in this case are very low.

  • index.php

Screen Shot 2016-06-29 at 4.14.45 PM

Just a simple redirect that generates a random string including random.php. See below

Screen Shot 2016-06-29 at 4.16.32 PM

This file is tracking all the victims saving their location. The results are saved into visit.txt file. Till now the amount of visitor is about 3175, most of them from Italy.

Going deeper through the other files, we can see that all the informations inserted by the victims in the phishing website are stored inside a txt file named pinco1.txt and sent by email to the attacker.

Screen Shot 2016-06-29 at 4.14.56 PM

The obfuscated content of these files is reported at the end of this article.

The other PHP files are quite similar to each other :

Screen Shot 2016-06-29 at 4.16.01 PM

Screen Shot 2016-06-29 at 4.16.14 PM

Screen Shot 2016-06-29 at 4.16.23 PM


The only difference it’s the redirect. They ask the victims to insert three times the OTP (One Time Password) in order to have the last one valid for 30-60 seconds and make transfers.

Result of the campaign till now:

  • 3175 VISITORS
  • MANY user,password, CC, CVV, OTP stolen

Below a snapshot of the two files mentioned before:

  • pinco1.txt

Screen Shot 2016-06-29 at 4.46.53 PM

  • visit.txt

Screen Shot 2016-06-29 at 4.33.37 PM



Published in News >>


Leave a Reply

Your email address will not be published. Required fields are marked *