Cybercriminals organized a phishing campaign targeted at clients of two mobile networks. CERT Poland warns against fraudsters impersonating Play and Orange.

Scammers send emails with an attachment that is supposed to be the invoice for mobile services. The message itself contains a summary of the invoice, i.e. the invoice number, date of issue and invoice payment date. Cybercriminals have not forgotten to provide the correspondence address, and in the case of an invoice from Play they included a note, which the victim can use to manually check the authenticity of the invoice in the Play application.

The attachment is in .xlsm format and contains the well-known DanaBot banking Trojan, which is then used to steal funds from the victim’s bank account.

According to CERT Orange Poland, customers of Orange network are exposing themselves to losing funds from their account by clicking on the link included in the email and providing the debit card number. The content of the email messages relates to alleged problems with payment for Orange services.