Virgilio mail phishing page revealed

This screenshot shows a phishing page hosted on Wix, impersonating Virgilio (an Italian email and portal service, part of the Libero / Italiaonline group). The page asks for email address and password to steal login credentials.


Threat Analysis: Virgilio Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or message claiming a security alert, account suspension, or the need to verify their information. The link leads to this page, which mimics the Virgilio login interface. The victim is asked to enter their email and password, then click “AVANTI” (Next). The credentials are captured and sent to the attacker.

The goal:
The attacker steals Virgilio account credentials to:

  • Access the victim’s email (searching for sensitive information, password reset links)
  • Compromise other services linked to the same email
  • Send further phishing messages to the victim’s contacts
  • Attempt credential reuse on other platforms

Red flags to watch for:

  • Suspicious URL: The page is hosted on a Wix subdomain (virgiliopostaitali.wixsite.com), not on virgilio.it or any official Virgilio domain. Wix is a free website builder – legitimate email services do not use it for login pages.
  • Visible Wix banner: The blue banner stating “Ce site a été conçu sur la plateforme de création de sites internet Wix.com” is a clear indicator that this is not an official page.
  • Mixed languages: The page uses French for the Wix notice, but Italian for “Virgilio” and “Accedi” (Login) – inconsistent and unprofessional.
  • Minimal design: The page lacks the full branding, security notices, and two‑factor authentication options of the real Virgilio login page.
  • Unsolicited login request: Virgilio does not send links requiring users to log in to resolve account issues.

What to do if you encounter this:

  • Do not enter your email or password.
  • If you are a Virgilio user, always access your email by typing virgilio.it directly into your browser.
  • If you have already entered your credentials, change your password immediately and enable two‑factor authentication if available.
  • Report the phishing page to Virgilio / Italiaonline and to Wix’s abuse team.

Protective measures:

  • Bookmark the official Virgilio login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Never log in via a page hosted on a free website builder (Wix, Weebly, etc.) unless you are absolutely certain it is legitimate (which it almost never is for email services).
  • Enable two‑factor authentication on your email account.

Fake PayPal Gift card detected

This screenshot shows a fake “PayPal Gift Card” giveaway scam, promising a $1000 reward to trick victims into providing personal information or clicking malicious links.


Threat Analysis: PayPal Gift Card Scam – Fake Giveaway / Phishing

How it works:
The victim encounters an ad or link (via social media, email, or pop‑up) claiming that a limited number of people can win a $1000 PayPal gift card. The page displays a fake promo code, a placeholder card image, and a countdown of “remaining spots” to create urgency. The victim is asked to click a button (e.g., “Mobile” or “Desktop”) to claim the prize.

After clicking, the victim may be taken to a survey, asked to provide personal information (name, address, email, phone), or required to pay a small “processing fee” – all while never receiving the promised gift card.

The goal:
The attacker aims to:

  • Collect personal information for identity theft or future scams
  • Trick the victim into paying an upfront fee (advance fee fraud)
  • Lead the victim to a phishing page that steals PayPal credentials
  • Install malware or adware through malicious downloads

Red flags to watch for:

  • Too good to be true: A free $1000 PayPal gift card is highly unlikely. Legitimate giveaways are rare and require entry, not just clicking a link.
  • Fake promo code: The displayed code (“5251 1234 5678 XXXX”) is generic and not a real gift card code.
  • Limited spots / urgency: The claim of “26 spots left” is a classic pressure tactic to make victims act without thinking.
  • Vague company / no contact information: The page does not identify which company is running the promotion.
  • Unsolicited offer: You cannot win a prize you did not enter. Any unsolicited message claiming you have won something is almost always a scam.

What to do if you encounter this:

  • Do not click any buttons or links.
  • Do not provide any personal or financial information.
  • Do not pay any “fee” to claim the prize.
  • If you have already entered information, monitor your accounts for suspicious activity and change any compromised passwords.

Protective measures:

  • Remember: if it sounds too good to be true, it is a scam.
  • Never pay money to receive a prize. Legitimate giveaways cover all costs.
  • Verify promotions directly through the official PayPal website or social media channels – never through a random link.
  • Use ad blockers and avoid clicking on pop‑up ads promising free money or prizes.

Microsoft phishing page detected

This screenshot shows a phishing page impersonating Microsoft, targeting Spanish‑speaking users. The page asks for the victim’s current email address and current password under the pretext of “confirming credentials.” It is hosted on a suspicious free hosting subdomain.


Threat Analysis: Microsoft Phishing – “Confirm Credentials” Scam

How it works:
The victim receives a phishing email, SMS, or message claiming a security alert, account suspension, or the need to verify their information. The link leads to this page, which mimics a Microsoft login interface. The victim is asked to enter their email address and current password, then click “Continuar.” The credentials are captured and sent to the attacker.

The goal:
The attacker steals Microsoft account credentials (email and password) to:

  • Access the victim’s email (Outlook, Hotmail) and other Microsoft services (OneDrive, Office 365)
  • Reset passwords for other accounts linked to that email
  • Send further phishing messages to the victim’s contacts
  • Attempt credential reuse on other platforms

Red flags to watch for:

  • Suspicious URL: The page is hosted on fffgfggggggggg000.hostfree.pw – a free hosting subdomain, not microsoft.com or outlook.com. Legitimate Microsoft login pages are only on official domains.
  • Unprofessional domain name: Random characters and “hostfree.pw” are clear indicators of a throwaway phishing site.
  • “Confirmar credenciales” pretext: Microsoft never asks users to “confirm credentials” via a link. Legitimate security alerts direct users to log in through the official website, not a separate page.
  • Minimal design: The page lacks Microsoft’s full branding, security notices, and two‑factor authentication options.
  • No personalization or security image: Genuine Microsoft login pages display a security image or account selection after entering an email.
  • Unsolicited login request: Microsoft does not send links requiring users to log in to resolve account issues.

What to do if you encounter this:

  • Do not enter your email or password.
  • If you have already entered your credentials, change your Microsoft password immediately and enable two‑factor authentication (2FA).
  • Always access Microsoft services by typing outlook.com or microsoft.com directly into your browser.
  • Report the phishing page to Microsoft (via [email protected] or the built‑in reporting tool).

Protective measures:

  • Bookmark the official Microsoft login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate microsoft.com or outlook.com domains.
  • Enable two‑factor authentication on your Microsoft account (using an authenticator app or security key).
  • Be suspicious of any unsolicited message that asks you to “confirm” your credentials via a link.

Fake Free PayPal Gift Cards revealed

This phishing campaign lures victims with “Free $750 PayPal Gift Cards” offers spread via social media and pop-ups. It is a classic survey scam designed to harvest personal data and distribute malware. Victims are drawn in by a fake, high-value reward offer and then led through “verification” steps that require entering sensitive information or downloading malicious applications. You can read the full case analysis at antiphishing.biz.

Screenshot #1: The Landing Page (The Hook)

The Trap: Displays a professional-looking “PayPal Gift Card” with high-value amounts. It uses official logos and colors to build trust.

The Psychology: “Free money” triggers an impulsive reaction. The user is asked to click a button to “Claim” or “Win,” which begins the redirection to the malicious forms.

Screenshot #2: The Fake Survey / Verification

The Trap: The site asks simple questions like “How often do you use PayPal?” or “Which brand do you prefer?”

The Intent: This is a “Low-Friction” tactic. By making the user perform small tasks, the scammer builds “investment” and commitment, making the victim more likely to provide sensitive data in the next step.

Screenshot #3: Personal Data Harvesting (Fullz)

The Trap: To “receive the gift card,” the user is asked for their Full Name, Home Address, and Date of Birth.

The Impact: This information is sold on the Dark Web as “Fullz” (full identity profiles). It allows criminals to bypass security questions on other accounts or commit identity theft.

Screenshot #4: The Payment / Shipping Fee Form (The Kill)

The Trap: The final step claims a small “Processing Fee” or “Shipping Charge” ($1.00 – $2.00) is required to send the gift card.

The Impact: This form is a Credit Card Skimmer. Once you enter your Card Number, Expiry, and CVV, the attacker has full access to your funds. The “gift card” never arrives, but the fraudulent charges start immediately.

Here is the detailed breakdown of the Fake PayPal Gift Card scam. This is a classic “Reward Bait” scheme used to harvest financial data and personal information.

Fake “Free PayPal Gift Cards” Scam

Target: Global PayPal users looking for discounts or rewards.
Threat Level: High (Financial Fraud & Identity Theft)

Phishing Method Description

This attack uses Social Engineering by promising a “Free $750 PayPal Gift Card” or similar high-value rewards. These scams are often spread via social media ads, WhatsApp messages, or “reward” websites. The goal is to lead the victim through a series of “verification steps” that eventually steal their credit card data and account credentials.

Protection Measures (Safety Rules)

1. The “Too Good to Be True” Rule

PayPal (and other major companies) does not give away $500 or $750 gift cards for free via third-party websites or surveys. If the offer seems excessive, it is 100% a scam.

2. Check the Domain (URL)

Official PayPal offers only exist on paypal.com. Any other domain (e.g., paypal-rewards-2024.net, win-paypal-gift.xyz) is a phishing site.

3. Never Pay to Receive a Prize

A legitimate prize or gift card should never require you to provide your credit card’s CVV code or pay a “verification fee.” This is the primary red flag for financial skimming.

4. Official Communication Only

Check your official PayPal app or log in directly to paypal.com. If there is a real reward, it will be listed in your Rewards or Offers section inside your secure account.

Facebook phishing page in Arabic revealed

This screenshot shows an Arabic‑language phishing page impersonating Facebook, designed to steal login credentials (email/phone and password). The page is hosted on a suspicious domain and uses a fake registration or login prompt.


Threat Analysis: Facebook Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or social media message claiming a security alert, account suspension, or the need to verify their information. The link leads to this page, which mimics the Facebook login interface. The victim is asked to enter their email address or phone number and password, then click a button (likely labeled “login” or “register”). The credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook account credentials to:

  • Access private messages and personal information
  • Post spam, scams, or malicious links from a trusted account
  • Spread the phishing attack to the victim’s friends
  • Use the same email/password combination to compromise other accounts (if credentials are reused)

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like نتجاهاص.xyz – a random, non‑Facebook domain. Legitimate Facebook login pages are only on facebook.com.
  • Poor Arabic grammar / typos: The text contains errors and awkward phrasing that would not appear on an official Facebook page.
  • Unsolicited login request: Facebook does not send links requiring users to log in to resolve account issues.
  • Minimal design: The page lacks Facebook’s full branding, security notices, and two‑factor authentication options.
  • No personalization: Genuine Facebook login pages often show a profile image or account selection after entering an email.

What to do if you encounter this:

  • Do not enter your email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA).
  • Always access Facebook by typing facebook.com directly into your browser.
  • Report the phishing page to Facebook (via the official reporting tools).

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate facebook.com domains.
  • Enable two‑factor authentication on your Facebook account (using an authenticator app).
  • Be suspicious of any unsolicited message that asks you to log in.

Facebook Messenger phishing page detected

This screenshot shows an Arabic‑language phishing page impersonating Facebook, designed to steal login credentials (email/phone and password). The page is hosted on a suspicious domain and uses a fake registration or login prompt.


Threat Analysis: Facebook Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or social media message claiming a security alert, account suspension, or the need to verify their information. The link leads to this page, which mimics the Facebook login interface. The victim is asked to enter their email address or phone number and password, then click a button (likely labeled “login” or “register”). The credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook account credentials to:

  • Access private messages and personal information
  • Post spam, scams, or malicious links from a trusted account
  • Spread the phishing attack to the victim’s friends
  • Use the same email/password combination to compromise other accounts (if credentials are reused)

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like نتجاهاص.xyz – a random, non‑Facebook domain. Legitimate Facebook login pages are only on facebook.com.
  • Poor Arabic grammar / typos: The text contains errors and awkward phrasing that would not appear on an official Facebook page.
  • Unsolicited login request: Facebook does not send links requiring users to log in to resolve account issues.
  • Minimal design: The page lacks Facebook’s full branding, security notices, and two‑factor authentication options.
  • No personalization: Genuine Facebook login pages often show a profile image or account selection after entering an email.

What to do if you encounter this:

  • Do not enter your email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA).
  • Always access Facebook by typing facebook.com directly into your browser.
  • Report the phishing page to Facebook (via the official reporting tools).

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate facebook.com domains.
  • Enable two‑factor authentication on your Facebook account (using an authenticator app).
  • Be suspicious of any unsolicited message that asks you to log in.

Mirae Asset Credit phishing pages in Vietnamese detected

This screenshot shows a phishing page impersonating Mirae Asset (a financial services company), targeting Vietnamese‑speaking users. The page asks for a phone number and password, with options to log in or register.


Phishing Analysis: Mirae Asset Credit Login Scam (Vietnamese)

How it works:
The victim receives a phishing email or SMS claiming an account issue, investment opportunity, or security update. The link leads to this fake login page. The victim enters their phone number and password, then clicks “đăng nhập” (login). Credentials are captured.

Red flags:

  • Suspicious URL: The page is hosted on a domain that is not the official Mirae Asset Vietnam domain (which would end with .com.vn or similar).
  • Generic design: No Mirae Asset logo, security notices, or personalized elements.
  • Unsolicited login request: Mirae Asset does not send links requiring users to log in via third‑party pages.

What to do:

  • Do not enter your phone number or password.
  • If you are a Mirae Asset customer, always access your account by typing the official website URL directly.
  • If you already entered credentials, contact Mirae Asset immediately and change any reused passwords.

Facebook Messenger phishing page revealed

This phishing campaign targeting Facebook Messenger users utilizes social engineering, where compromised accounts send fake “shocking video” links to contacts, leading to fraudulent, mobile-optimized login pages. Attackers capture credentials and 2FA codes in real-time, enabling account takeover and further distribution of the malware.

Cybersecurity Measures: How to Avoid Messenger Phishing

To protect your Facebook account and personal data from being hijacked, follow these essential safety rules:

1. The “Think Before You Click” Rule

Phishing messages in Messenger often use “Bait” phrases like:

  • “Is this you in this video?”
  • “Look what someone said about you…”
  • “I found this old photo of us!”

  • Action: Even if the message comes from a friend, do not click the link. Their account may have already been hacked and is now automatically sending spam to all their contacts.

2. Verify the Login Page (URL)

If you click a link and it asks you to “Log in to Facebook to see the content,” check the address bar immediately:

  • Official: facebook.com or ://facebook.com.
  • Fake: facebook-login-video.net, secure-fb-check.online, m-facebook.web.app.

  • Action: If the URL looks strange or long, close the tab. Facebook will never ask you to log in again if you are already using the Messenger app.

3. Enable Two-Factor Authentication (2FA)

This is your most powerful defense. If a scammer steals your password, they still won’t be able to log in without the code from your phone.

  • Action: Go to Settings > Security and Login > Use two-factor authentication. Use an Authentication App (like Google Authenticator) instead of SMS for maximum security.

4. Use the “In-App” Verification

If you receive a suspicious message from a friend, contact them through a different channel (call them, text them via WhatsApp, or speak in person).

  • Action: Ask them: “Did you just send me a link in Messenger?” Usually, they will be surprised to learn their account is sending spam.

5. Keep Your Browser and Apps Updated

Modern browsers (Chrome, Safari, Firefox) have built-in “Safe Browsing” features that block known phishing sites.

  • Action: Always install the latest updates for your smartphone and browser to ensure you have the newest anti-phishing filters.

6. Use a Password Manager

Password managers (like Bitwarden, LastPass, or 1Password) identify sites by their URL.

  • Action: If you are on a fake Facebook site, your password manager will not auto-fill your credentials. This is a clear technical warning that the site is a fraud.

Orange phishing page detected

This screenshot shows a phishing page impersonating Orange, a major French telecommunications provider. The page is hosted on a free website builder (Strikingly) and mimics Orange’s login portal to steal email address / mobile number and password.


Threat Analysis: Orange Phishing – Fake “PortalOrange” Login Page

How it works:
The victim receives a phishing email, SMS, or message claiming a security alert, account issue, or unread notifications. The link leads to this page, which mimics the Orange login interface. The victim is asked to enter their Orange account identifier (email or mobile number) and password, then click “S’identifier” (Sign in). The credentials are captured and sent to the attacker.

The goal:
The attacker steals Orange account credentials to:

  • Access the victim’s personal information, billing details, and phone services
  • Port the victim’s phone number (SIM swapping) to bypass SMS‑based two‑factor authentication for banking or other accounts
  • Use the account to send further phishing messages

Red flags to watch for:

  • Suspicious URL: The page is hosted on a Strikingly subdomain (site-7190390-1998-7617.mystrikingly.com), not orange.fr or any official Orange domain. Strikingly is a free website builder – legitimate telecom providers do not use it for login pages.
  • Generic design / missing security features: The page uses the Orange logo but lacks the full navigation, security notices, and two‑factor authentication options present on the real Orange login portal.
  • Unsolicited login request: Orange does not send links requiring customers to log in to resolve account issues or check notifications.
  • “PORTALORANGE” and “AUTHENTIFICATION” wording: While these terms are used by Orange, the overall layout and the fact that it is on a third‑party domain are clear giveaways.

What to do if you encounter this:

  • Do not enter your Orange identifier or password.
  • If you are an Orange customer, always access your account by typing orange.fr directly into your browser or using the official Orange app.
  • If you have already entered your credentials, change your Orange password immediately and contact Orange customer service to secure your account and watch for SIM swapping attempts.
  • Report the phishing page to Orange’s fraud team (e.g., via spam.orange.fr).

Protective measures:

  • Bookmark the official Orange login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Orange account if available.
  • Be suspicious of any unsolicited message that asks you to log in via a link.
  • Never log in on pages hosted on free website builders (Strikingly, Wix, Weebly, etc.) – these are almost never legitimate for banking or telecom services.

Microsoft phishing page in Spanish detected

A Spanish-language phishing campaign targeting Microsoft 365, Outlook, and OneDrive users utilizes fake document-sharing notifications to harvest credentials via cloned login pages. This attack pressures victims with a “Shared Document” pretext to enter their email and password on a fraudulent site designed to steal login data and bypass security checks. The case emphasizes the need to inspect URLs for official Microsoft domains and verify unexpected shared document notifications.

Cybersecurity Measures: How to Avoid Microsoft Phishing (Spanish/Global)

To protect your Microsoft / Office 365 account and prevent sensitive documents from being stolen, follow these essential safety rules:

1. Verify the Domain (The URL Rule)

Phishing sites often use lookalike domains to trick Spanish-speaking users (e.g., microsoft-inicio.com, seguridad-office365.online, verificar-cuenta.net).

  • Action: Official Microsoft login pages always reside on microsoft.com, live.com, or outlook.com. If the address bar shows anything else, close the window immediately.

2. Inspect the Language and Tone

Scammers use urgent phrases in Spanish to induce panic, such as:

  • “Su cuenta será suspendida en 24 horas.” (Your account will be suspended in 24 hours.)
  • “Error de entrega de mensajes entrantes.” (Incoming message delivery error.)
  • “Actualización obligatoria de seguridad.” (Mandatory security update.)
  • Action: Microsoft will never threaten to delete your account via an email link. Real alerts appear in your official Microsoft 365 Admin Center or via system notifications.

3. Mandatory Two-Factor Authentication (2FA)

Password theft is the primary goal of this phishing page. 2FA is your final line of defense.

  • Action: Enable Microsoft Authenticator or an app-based 2FA. Even if the attacker steals your password, they cannot access your files without the approval notification on your smartphone.

4. The “No-Link” Policy for Login

Emails with a “Login” or “Verify Now” button are the most common entry points for hackers.

  • Action: Never log in through a link sent in an email. If you receive an alert, open a new browser tab and manually type office.com or outlook.com to check your status safely.

5. Check the Sender’s Address

Scammers often spoof the sender’s name to say “Microsoft Support,” but the actual email address is a random domain (e.g., [email protected]).

  • Action: Hover your mouse over the sender’s name to see the real email address. If it doesn’t end in @microsoft.com, it is a scam.

6. Use a Password Manager

Tools like Bitwarden, Dashlane, or 1Password are designed to identify sites by their URL.

  • Action: If you are on a phishing page, your password manager will not offer to auto-fill your credentials. This is a definitive technical warning that the site is a fraud.
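
The "check the URL" advice repeated in the cases above, and the host matching that keeps a password manager from autofilling on a fake site, can be written as a short check. This is an added example, not code from the original page: the function names and reason codes are illustrative, the two example.net URLs are constructed, and the suffix match is a simplification of what real password managers do. All other hosts and official domains are the ones quoted on this page.

```python
from urllib.parse import urlsplit

# Official domains as stated on this page, keyed by the brand a page claims to be.
OFFICIAL = {
    "virgilio": ("virgilio.it",),
    "paypal": ("paypal.com",),
    "microsoft": ("microsoft.com", "live.com", "outlook.com", "office.com"),
    "facebook": ("facebook.com",),
    "orange": ("orange.fr",),
}

# Free hosting / site-builder suffixes that appear in the cases on this page.
SHARED_HOSTING = ("wixsite.com", "mystrikingly.com", "hostfree.pw", "web.app")


def hostname(url: str) -> str:
    """Return the host a browser would connect to, lower-cased."""
    if "://" not in url:
        url = "https://" + url  # bare address-bar text has no scheme
    # urlsplit drops any "user@" prefix, so "brand.com@other.host" yields other.host
    return (urlsplit(url).hostname or "").rstrip(".")


def on_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def classify(url: str, brand: str) -> tuple:
    """Return ("official" | "suspicious", reason codes) for a page claiming `brand`."""
    host = hostname(url)
    if any(on_domain(host, d) for d in OFFICIAL[brand]):
        return "official", []
    reasons = ["not_official_domain"]
    reasons += [f"shared_hosting:{s}" for s in SHARED_HOSTING if on_domain(host, s)]
    if brand in host:
        # The brand string inside a foreign host is a lookalike, not proof of origin.
        reasons.append("brand_in_lookalike_host")
    if not host.isascii() or "xn--" in host:
        reasons.append("internationalized_host")
    return "suspicious", reasons


# Hosts quoted on this page, plus two constructed example.net URLs for edge cases.
SAMPLES = [
    ("https://virgiliopostaitali.wixsite.com/", "virgilio"),
    ("fffgfggggggggg000.hostfree.pw", "microsoft"),
    ("site-7190390-1998-7617.mystrikingly.com", "orange"),
    ("paypal-rewards-2024.net", "paypal"),
    ("m-facebook.web.app", "facebook"),
    ("microsoft-inicio.com", "microsoft"),
    ("نتجاهاص.xyz", "facebook"),
    ("https://www.paypal.com/signin", "paypal"),
    ("https://login.live.com/", "microsoft"),
    ("https://paypal.com.account-check.example.net/", "paypal"),  # constructed
    ("https://paypal.com@signin.example.net/", "paypal"),         # constructed
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        verdict, reasons = classify(url, brand)
        print(f"{verdict:10} {brand:9} {url}  {', '.join(reasons)}")
```

The two constructed URLs show why the comparison must be made on the parsed host and on a label boundary: an official domain placed in front of another domain, or before an "@", does not make the page official.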