The fraudsters have decided to once again utilize the coronavirus situation, this time using the known “courier” scam.

During the pandemic, the number of purchases over the internet increased significantly, which the fraudsters decided to utilize by sending an SMS asking for payment of the shipping charges.

According to the portal Wirtualna Polska, in the message we can read that due to OHS procedures in the transhipment center, the shipping cost increased by about PLN 2. The SMS also includes a link that redirects users to the fake payment page. The goal is probably obvious to everyone at this point, fraudsters want to intercept online banking credentials.


The email boxes of Internet users receive messages about the possibility of blocking their allegro.pl accounts. The reason for such blocking is to be an unpaid payment.

The email also includes information on the amount with which the person is in arrears and the threat of recovery if the amount is not paid.

Original message content:
“To date, we have not recorded the settlement of your commitment. A deposit of 1.98 must be paid to prevent account suspension. If the payment is not settled - your debt will be taken over by debt collection.”

Cybercriminals have spoofed the original address of the service, which may diminish the vigilance of the victim. However, please


We have recently described to you attempts of phishing online banking data or theft of password to social media accounts utilizing the ongoing coronavirus pandemic.

The Trusted Third Party described the next attack scenario with coronavirus in the background. This time you can receive a text message from the “Ministry of Health”.

From the message we learn that every citizen is entitled to nutritional support in connection with the current coronavirus pandemic. To obtain such support you must click on the provided hyperlink https://mzgov.net

Link leads to a fake website of the Ministry of Health, where you can read the following message:
"Nutritional s


Cybercriminals prey on the coronavirus-related pandemic, they steal login credentials for social media and valuable information from electronic devices.

CERT Orange Polska warns against fake websites that are supposed to inform about the current situation related to SARS-CoV-2. In fact, instead of the latest epidemic data, login credentials will be stolen.

The pages imitates a typical news site, cybercriminals encourage users to log in using their Facebook accounts, followed by a redirection to a fake website where their account logins and passwords are stolen.
It could also be expected that in near future there will be “coronavirus” related phishing attempts to steal login credentials for online banking.


Cybercriminals have targeted customers of PKO BP in their latest phishing campaign.

According to CERT, potential victims receive an email with confirmation of the transaction. The subject of the message is “Copy of payment” and the email originates from info@mantrabe.com. The message contains Polish characters.
The victim, surprised to receive an email with a transaction that was not made recently, will probably open the attachment included in the message. In fact, it’s a malicious script that installs GuLoader family malware, which then downloads the AgentTesla Trojan.

Trojan’s task is to steal the login credentials for the bank account of the customer and then to clear the account.


Niebezpiecznik warns of malicious ads that impersonate the Millenium Bank. Ads are displayed on Facebook and inform users that the bank offers money to anyone with a valid account. The amounts offered are within a range of a few hundred PLN, such as 700 or 900.

This is an textbook example of a phishing attempt, after activating the link a website is displayed, where the victim is informed about the amount to be transferred. For this purpose, the victim must provide, for example, PESEL identification number or one time passcode, which will be sent in a text message.

Extortion of money or data through such means is nothing new, but this type of fraud is still a very big threat to less aware users.



Clients of Bestcena.pl were receiving confirmation of deposit payment instead of a proof of purchase. Shop’s customers could find out about the indefinite loan terms from the several dozen-page terms of service, but who reads them carefully, right? In addition, the store did not inform its client about this fact in a clear and transparent manner. It can therefore be concluded that the store was misleading the customer.

The listing did not show “rent” but “order”. Price listed on the product page was in fact a deposit fee. In addition, as stated in terms of service, the buyer of a given device for the period of rent could not sell the it or interfere with it in any way.

The store tempted


ZUS clients receive emails with information about incorrectly paid contributions. The Social Insurance Institution (ZUS) reminds that it does not send information on contribution settlements by e-mail to its clients.

According to ZUS, false correspondence is sent from following email addresses:
kancelaria.zus@wp.pl, zus-skladki@wp.pl, zus._kontakt@wp.pl, ZUS@gov.pl zus_info@wp.pl
The phishing campaign is targeting sensitive data such as number of the issued ID card or PESEL, as well as data for internet banking.

ZUS warns not to open such messages, much less to reply to them or open attachments included in correspondence.


Security experts from CERT warn of the increased number of phishing campaigns. The goal is to steal your electronic banking login credentials or install malware on your phone.

These are mainly SMS messages concerning surcharges for shipments from InPost, Polish Post and DHL or another campaign with SMS surcharges in OtoMoto website. In the case of OtoMoto users received text messages within minutes from posting classified.

One of the most recent campaigns is related to the tax settlement, where fraudsters impersonate the Tax Office. However, the most popular phishing campaign is the one informing users about surcharges for a shipment. Personalized text messages are also becoming more popular. By default, s


The insurance company Ergo hestia informed its clients about an unauthorized deletion of a database with one of its agents.

The above incident concerns an agent of Ergo Hestia - the company Unlink Inc., in which an unauthorized interference by the IT administrator was found, as result of which the auxiliary database with customer data was lost. Unlink Inc. is a multiagency serving clients of multiple insurance companies. It can therefore be presumed that the problem with the exposure of sensitive customer data also applies to other companies.

The scope of the lost database included customer data such as first and last name, home address, date of birth, gender, social security number, phone number and email

Thursday 20 February 2020, Safety Guide

Return of the Emotet Trojan - Wi-Fi network


A new variant of the Emotet Trojan has appeared and is spreading over Wi-Fi networks.

Trojan’s mutation can use the wlanAPI interface to spread onto devices connected to the given Wi-Fi network. Emotet has the ability to collect data on all wireless networks, and even worse, is able to jump from one Wi-Fi network to another.

According to the Komputer Świat portal, Emotet uses a brute-force attack to enter selected network, after which it attempts to guess the password and gain access to the system disk. Trojan can steal the victim’s personal data or install ransomware.

Remember that a good password is essential in such cases.


Cybersecurity company Trend Micro has made listed dangerous apps in the Google Play Store. The case concerns 9 applications that posed danger to the users of Android phones.

The purpose of the application was to speed up the phone, but users were actually exposed to hacking their Google and Facebook accounts. According to the Next portal, apps could download 3,000 different types of malware.

Applications were removed from the Google Play Store, users who had one of the following apps installed should scan their phone with an antivirus program:
•    com.boost.cpu.shootcleaner (Shoot Clean-Junk Cleaner, Phone Booster, CPU Cooler)


It could have been expected that cybercriminals would use the tex settlement period to attack internet users. CERT Poland warns against emails with malware related to the tax settlement.

Hackers impersonate the Ministry of Finance in emails. The attack is aimed at people who use the possibility of settlement by the tax office.

Hackers inform their potential victims about sending the PIT-28 declaration and urge them to download the so-called UPO (official confirmation of receipt). UPO is then sent in a .pdf format, which contains a VBS script that launches the download of BrushaLoader malware. Next, ISFB/UR type malware is installed. Malware steals system information and attempts to steal credentials for el


85,000 files, including 30,000 sensitive records of pharmacy’s client information, leaked from an unsecure Amazon S3 server of the THSuite platform. THSuite is responsible for the supply of pharmacies offering legal access to medicinal marijuana.

THSuite is an international records system for patients using legal cannabis.
In this case, there was no need for a hack to take place, since as a result of the mistake the data was made publicly available.

According to Dziennik Internautów data belongs to US patients, included in the leak were such details as phone numbers, e-mail addresses, dates of birth and customer’s insurance details.
The server was shut down in mid-January.

Thursday 6 February 2020, Safety Guide

Sale of Avast antivirus user data


PCMag and Vice conducted a journalistic investigation that uncovered the fact that the most popular manufacturer of free antivirus - Avast - trade data of its users.

Avast used Jumpshot to sell user click data. Jumpshot offers access to data from 100 million global users and 20 million application users. One could track Google searches, Google maps search history, YouTube videos, search data input for browser, Facebook and Instagram, Linkedin profiles, etc. Avast tries to defend itself with the fact that the data is anonymous, as it cannot be associated with a specific person. However, such accurate information as specific date, location and phrases entered into the search engine can be easily used to identify an individual.