Skip to content

Commit 6cc1893

Browse files
Create pagopa-019638cd.yml (#267)
* Create pagopa-checkout.yml As per the URLScan report: https://urlscan.io/result/019638cd-0a40-76fc-8fe0-4bcd550f9c0f/ , a new phishing campaign targeting Italian citizens has been detected. This campaign exploits the brand of the PagoPA platform, established by the Italian government for payments to public administrations. The campaign's IoCs have also been disseminated by the CERT bulletin of the Italian government's Digital Agency (AgID): https://cert-agid.gov.it/wp-content/uploads/2025/04/pagoPA.json * Update and rename pagopa-checkout.yml to pagopa-019638cd.yml --------- Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
1 parent 2f0f0f5 commit 6cc1893

1 file changed

Lines changed: 30 additions & 0 deletions

File tree

indicators/pagopa-019638cd.yml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
title: PagoPA Phishing Kit 019638cd
2+
description: |
3+
Detects sites that mimic the payment process of the PagoPA platform established by the Italian Government for payments to public administrations.
4+
The kit uses the Cleave JS library to validate credit card numbers and dates.
5+
first_seen: 2025-04-14
6+
references:
7+
- https://cert-agid.gov.it/wp-content/uploads/2025/04/pagoPA.json
8+
- https://urlscan.io/result/019638cd-0a40-76fc-8fe0-4bcd550f9c0f
9+
- https://urlscan.io/result/01963b32-dccf-75d1-bfc9-00807a035688
10+
11+
detection:
12+
13+
requestsContent:
14+
requests|contains: 'cleave.min.js'
15+
16+
jsContent:
17+
js|contains: 'function isInputNumber(evt)'
18+
19+
domContents:
20+
dom|contains|all:
21+
- 'pagamento'
22+
- 'pagopa'
23+
- 'action="logz/log.php"'
24+
25+
condition: requestsContent and jsContent and domContents
26+
27+
tags:
28+
- kit
29+
- target_country.italy
30+
- target.pagopa

0 commit comments

Comments
 (0)