Phishing Alert Posta Romana & EuPlatesc

Recently phishing attacks are ongoing, targeting Posta Romana and EuPlatesc users. It will start with an email message, with the subject “Support Aveți un pachet de intrare”.

Network used to deliver phishing emails:
Email headers: https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=d7aaaaba-8aab-4204-971d-90809853531d
X-Originating-Ip: 23.251.232.2

Message: Aveți un pachet de intrare
Un pachet a fost expediat către dumneavoastră și este nevoie de atenția dumneavoastră.
vă rugăm să completați cu exactitate formularele solicitate.

The initial page loads content from the following official pages:
https://www.posta-romana.ro/cnpr-app/gethumb.php?id=3201&w=306&h=210&ext=png&aw=200
https://www.posta-romana.ro/cnpr-app/modules/completeaza-formulare/interface/formular-mandat/ajax/getJudete.php
https://www.posta-romana.ro/cnpr-app/modules/completeaza-formulare/interface/formular-mandat/ajax/getLocalitatiExp.php
https://www.posta-romana.ro/cnpr-app/modules/completeaza-formulare/interface/formular-mandat/ajax/getStradaExp.php

The second page ask the visitors to submit credit card details for a small payment.
Official resources loaded from EuPlatesc:
https://secure.eupayment.eu/favicon.ico
https://secure.euplatesc.ro/tdsprocess/tpl-v17/js/bootstrap.min.js
https://secure.euplatesc.ro/tdsprocess/img/langpic/ro.png
https://secure.euplatesc.ro/tdsprocess/img/pci-logo.png

If you’re getting a phishing email, you should report it a soon as possible:

1. Google Safe Browsing https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
2. Netcraft https://report.netcraft.com/report
3. Microsoft https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest
4. PhishTank https://phishtank.org

Forward phishing email to: [email protected]

Malicious URLs:
hxxps://posta-romana.eldahaby[.]co/receptie-pachet
hxxps://posta-romana.eldahaby.co/tdsprocess/checkout_plus
hxxps://posta-romana[.]ml/tdsprocess/checkout_plus
hxxps://servici-posta.hostpanzer[.]com/tdsprocess/checkout_plus
hxxps://posta-romana.blackgames[.]ro/receptie-pachet
hxxps://posta-romana.blackgames[.]ro/tdsprocess/checkout_plus

More URLs via urlscan.io:
https://urlscan.io/search/#page.url%3A%22receptie-pachet%22