CONTRAVENTION POUR STATIONNEMENT INTERDIT (2023-10-04)

Overview

Threat actors collecting personal and financial information using a myguichet.lu themed phishing website.

Explanation

Threat actors launched a sophisticated phishing campaign targeting users of the myguichet.lu portal. The phishing scheme follows a multi-step process to deceive and gather sensitive personal and financial information from the victims. Below is a detailed breakdown of the phishing campaign:

Initial Redirection:

  • The victim is redirected to a malicious landing page that is a counterfeit of the official myguichet.lu website.
  • This page displays a myguichet logo and a “Continuer” button to portray a sense of legitimacy and acquire the victim’s trust.

National Identification Inquiry:

  • Upon clicking “Continuer”, the victim is taken to a second page that requests their national identification number.

Fake Fine Notification:

  • The third page presents a fake fine invoice, due to alleged improper parking.

Personal Information Solicitation:

  • The fourth page requests detailed personal information including the victim’s name, family name, address, phone number, and date of birth.

Financial Information Phishing:

  • The fifth page solicits the victim’s credit card details under the guise of paying the fine.

False Confirmation:

  • A sixth page is presented, showing a confirmation text stating that the payment has been successfully executed.
  • Upon clicking “Finir”, the victim is redirected to the official myguichet.lu website, further obscuring the deceptive process.

Example

phishing_email landing_page creds_1 creds_2 creds_3 creds_4 creds_5 official_guichet_page


Prevention

If you are uncertain about the authenticity of an email, do not hesitate to contact the entity that seems to have sent you the email using a safe communication manner, using the phone for example (no phone number from the untrusted email must be used in order to verify the authenticity).
If you are working for the Luxembourgish government or are using any of the GOVCERT.LU services, it is important to forward phishing emails to us (using Reporting an incident or the Outlook button). This will allow us to take down phishing websites and protect members of our constituency.

Report an incident

If you wish to report an incident anonymously, please complete the PGP encrypted reporting form.

> Report
> More Information