Italian Revenue Agency Phishing: CERT-AGID Alerts on Targeted SPID Credential Theft

CERT-AGID has recently identified a sophisticated phishing operation leveraging the identity of the Italian Revenue Agency (Agenzia delle Entrate-Riscossione) to target personnel within Public Administration and the private sector. The primary objective is the theft of access credentials via a fraudulent website that mirrors official institutional interfaces. According to the monitoring body's official statement: "What distinguishes this campaign from previous ones is that it is particularly targeted at Public Administrations, as well as private companies."

The offensive utilizes deceptive communications urging users to log into their reserved area on the Revenue Agency portal. The provided link directs victims to a web page specifically engineered to simulate the SPID (Public Digital Identity System) login form. To bolster the deception, attackers have embedded the official AgID logo on the counterfeit page, creating a veneer of legitimacy designed to mislead distracted or less experienced employees.

Key Alert Takeaways
  • A phishing campaign has been detected improperly using the Agenzia delle Entrate-Riscossione brand.
  • The primary targets are institutional accounts within Italian Public Administrations and private enterprises.
  • Attackers are employing link personalization techniques to pre-populate the victim's email address in the fake login form.
  • CERT-AGID has intervened to initiate a site takedown and distribute Indicators of Compromise (IoCs).

Attack Anatomy: The Personalized Link Tactic

The most notable technical element of this operation is the presentation of the login form. When a victim clicks the link in the phishing email, they land on a page where their email address is already filled into the text field. This pre-population is made possible by individual link personalization for each recipient. In this scenario, users are led to believe the system has recognized them correctly, significantly lowering their suspicion of a malicious portal.

Requesting only a password acts as a psychological catalyst. From a behavioral analysis perspective, reducing the friction required for access—filling one field instead of two—erodes the recipient's critical defenses. Seeing their institutional email already present, a victim might erroneously attribute the feature to a session restore or browser automation, leading them to inadvertently hand over their digital access keys to the attackers.

It is important to note that this email pre-population suggests a preliminary information-gathering phase by the threat actors. While the attackers possessed specific target addresses to personalize the links, official sources have not specified the origin of these lists. This detail underscores the targeted nature of the attack, which appears to rely on an accurate selection of profiles within administrative and corporate structures rather than random attempts.
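As an added illustration (not part of the CERT-AGID alert), the following Python check is one a mail-security or SOC team could run over links extracted from inbound messages: it flags URLs that carry an e-mail address in their query string, path or fragment (the mechanism a link needs in order to pre-populate a login form) when the host is not on an allowlist. The allowlist host, the sample links and the addresses in them are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: constructed placeholder allowlist; replace with the
# official hosts your organisation actually expects users to log into.
OFFICIAL_HOSTS = {"portal.example.gov.invalid"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def embedded_emails(url):
    """Return e-mail addresses carried anywhere in the URL: decoded query
    values, path segments or the fragment. A link that pre-fills the
    victim's address must transport it in one of these places."""
    parts = urlsplit(url)
    candidates = []
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    candidates.extend(unquote(parts.path).split("/"))
    candidates.append(unquote(parts.fragment))
    found = []
    for text in candidates:
        found.extend(EMAIL_RE.findall(text))
    return found


def assess_link(url):
    """Classify a link from an inbound e-mail.
    Returns (verdict, emails): 'official' for an allowlisted host,
    'suspicious' for a non-allowlisted host that embeds an address,
    'plain' otherwise."""
    host = (urlsplit(url).hostname or "").lower()
    emails = embedded_emails(url)
    if host in OFFICIAL_HOSTS:
        return "official", emails
    if emails:
        return "suspicious", emails
    return "plain", emails


# Constructed sample links (not real campaign indicators).
SAMPLE_LINKS = [
    "https://portal.example.gov.invalid/area-riservata",
    "https://login-verify.example.invalid/spid?user=mario.rossi%40pa.example.invalid",
    "https://cdn.example.invalid/docs/manual.pdf",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, emails = assess_link(link)
        print(verdict, link, emails)
```

A hit on the 'suspicious' path is a good trigger for quarantining the message and pushing the host into the same block list used for the CERT-AGID IoCs.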

Exploiting Institutional Trust Boundaries

The cloning of the SPID login module represents a direct attack on the "trust boundary" between citizens and the State. The use of the AgID logo on the fraudulent site is a social engineering tactic designed to exploit user familiarity with government portals. As SPID has become the authentication standard for nearly all public services, replicating its graphical interface provides attackers with a potentially higher success rate than generic or unrefined templates.

This strategy does not exploit intrinsic technical vulnerabilities in the SPID protocol or the Revenue Agency’s infrastructure, neither of which show signs of breach. Instead, it is a manipulation of the authentication process from the user's perspective. CERT-AGID reacted promptly to the threat, contacting the fraudulent site's host to request immediate deactivation. Concurrently, Indicators of Compromise (IoCs) were disseminated through official channels to allow IT managers to block the threat at the perimeter.

In this context, the value of the stolen credentials is exceptionally high. Unauthorized access to systems connected to the Revenue Agency could allow malicious actors to operate within critical platforms for tax and administrative management. For a Public Administration, losing control of an institutional account is not just a cybersecurity issue, but a potential risk to the integrity of management procedures and the confidentiality of operations conducted on behalf of the entity.

Strategic Implications

The significance of this campaign lies in its selective nature. Targeting Public Administrations is an attempt to infiltrate crucial nodes of public management, where access credentials open doors to systems linked to the Revenue Agency. The compromise of a single operator can have a ripple effect on the security of data managed by the agency, exposing the administration to security incidents requiring extensive remediation and the restoration of digital identity trust.

Furthermore, the use of pre-populated emails indicates an evolution in phishing tactics toward more automated forms of "spear phishing." While personalization previously required considerable manual effort, attackers now use scripts to generate thousands of unique links featuring accurate data. This approach renders traditional advice based on checking grammar or graphics obsolete, shifting the focus to the necessity of always verifying the URL before entering sensitive data.

The effectiveness of the CERT-AGID response, which led to the site takedown, demonstrates the importance of centralized threat monitoring. However, the speed at which these campaigns can be replicated on new domains mandates constant vigilance. For private companies and Public Administrations, recognizing that their brand or access points are targets is the first step toward implementing proactive defense measures that go beyond simple firewall protection.

Recommended Response and Mitigation

Organizations falling within the target profile described by CERT-AGID should take immediate steps to secure their accounts and verify the integrity of active sessions. Based on the evidence, the following actions are recommended:

  • Access Verification: Monitor access logs for systems connected to the Revenue Agency to identify login attempts from unusual geographic locations or outside of business hours.
  • IoC Analysis: IT departments should consult the CERT-AGID feed and implement blocks on domains and IP addresses associated with this specific phishing campaign.
  • Employee Awareness: Inform staff about the "pre-populated email" technique, advising them never to enter a password if the email field appears already populated after clicking a link from an external communication.
  • Incident Reporting: In the event of a suspected compromise, it is vital to isolate the affected account and perform an immediate SPID credential reset through the official identity provider channels.
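As an added example for the access-verification step (not code from CERT-AGID or the Agency), this Python routine reviews a login log and raises alerts for successful logins outside business hours or from a country an account has not used before in the same log. The log format, the business-hours window and the records are constructed assumptions; timestamps are taken to be in local time.

```python
from datetime import datetime

# Constructed sample log (local time, one login event per line).
SAMPLE_LOG = """\
2024-05-02T09:12:40 user=mario.rossi country=IT result=success
2024-05-02T14:03:11 user=anna.bianchi country=IT result=success
2024-05-03T22:14:05 user=mario.rossi country=IT result=success
2024-05-03T23:40:19 user=anna.bianchi country=NL result=failure
2024-05-04T10:05:51 user=anna.bianchi country=NL result=success
"""

# Assumption: 07:00 to 19:59 local time counts as in-hours.
BUSINESS_HOURS = (7, 20)


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime 'time'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def review_logins(log_text):
    """Return alerts as (timestamp, user, reason) for successful logins.
    The per-user country baseline is built in time order from earlier
    successful logins in the same input, so the first login of an
    account never triggers 'new-country'. Failed attempts are skipped."""
    seen = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "success":
            continue
        user, country, t = rec["user"], rec["country"], rec["time"]
        stamp = t.isoformat()
        if not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
            alerts.append((stamp, user, "off-hours"))
        if user in seen and country not in seen[user]:
            alerts.append((stamp, user, "new-country:" + country))
        seen.setdefault(user, set()).add(country)
    return alerts


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOG):
        print(*alert)
```

Accounts that appear in these alerts are the ones to prioritise for the credential reset and session review described in the incident-reporting step.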

Beyond these technical measures, it is worth remembering that official Revenue Agency communications do not use direct links to login pages with pre-populated personal data. The correct procedure for users always involves navigating independently to the official Agency portal, avoiding hypertext links received via email or instant messaging, regardless of the perceived quality of the sender or destination site.

Resilience Through Awareness and Rapid Takedown

The conclusion of this specific phishing wave, thanks to national authority intervention, does not mark the end of the risk. Brand spoofing targeting the Revenue Agency is a recurring method that adapts cyclically to new security measures. The primary lesson of this event lies in the vulnerability of the human factor when faced with interfaces that perfectly mimic the daily reality of administrative work, such as the SPID login.

Moving forward, the resilience of Public Administrations will depend on the ability to integrate technical defense with a widespread culture of security. The fact that CERT-AGID had to intervene reminds us that the internet remains a landscape where offense can be rapid and low-cost, while defense requires continuous coordination and analysis. Protecting institutional credentials remains the fundamental pillar for ensuring the continuity of the State's digital services.
