
Registered Five Minutes Apart With a Rome Address: Inside a Russian-Speaking Actor's Italian Banking Phishing Campaign

Two Cloudflare-fronted domains on one account, a high-fidelity FattureWeb clone, a compromised WordPress stager, and a Russian-language leak

Published April 3, 2026

When @ShadowOpCode flagged phishing pages impersonating InBank and Intesa Sanpaolo -- two Italian financial institutions -- we expected a commodity phishing kit pointed at Italian users. What we found was a Russian-speaking actor hiding behind Italian registrant details, a shared Cloudflare account tying the two banking lures together, a high-fidelity FattureWeb clone carrying the legitimate site's analytics and CAPTCHA configuration, and a compromised American ISP's WordPress site serving as a staging server.

Two Clusters, One Operator

The four phishing domains split into two infrastructure clusters that converge on a single operator:

Cluster A -- Banking (Cloudflare)

  • loginportal-id75328983[.]com (InBank impersonation)
  • auth-login-dashboard[.]com (Intesa Sanpaolo impersonation)

Both were registered through Wild West Domains (a GoDaddy reseller) five minutes apart with identical Rome, Italy registrant details, and both delegate to the same Cloudflare nameserver pair (edward / galilea). Cloudflare hands out nameserver pairs from a finite pool, so a shared pair on its own only suggests a shared account; combined with the same registrar, the same registrant data and a five-minute registration window, it points to one Cloudflare account behind both lures.

Cluster B -- Invoice (Keyweb DE)

  • fattureweb-sistem[.]digital (FattureWeb invoice platform clone)
  • wilconetworks[.]net (compromised WordPress staging)

The FattureWeb clone sits on a Keyweb DE server in Germany. The staging path runs through a compromised WordPress installation at wilconetworks[.]net, a legitimate American ISP operating since 2015, where the actor dropped files under the directory of a vulnerable responsive-countdown plugin. Staging on a long-lived legitimate domain gives the kit a clean reputation that a freshly registered domain lacks.
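
The pivots used above (a shared, order-independent Cloudflare nameserver pair, the same registrar, identical registrant data and a tight registration window) can be scored mechanically. The following is an added example, not code from the original report; the records are constructed from what the report states (registrar, Rome registrant, a five-minute gap, the edward / galilea pair) and the exact timestamps, the Keyweb and wilconetworks nameserver names and the placeholder registrant fields are assumptions for the example only.

```python
from datetime import datetime
from itertools import combinations

# Constructed records, not recovered WHOIS/DNS data. The report supports the
# registrar, the Rome registrant, the five-minute gap and the Cloudflare pair
# "edward / galilea"; timestamps, the non-Cloudflare nameserver names and the
# other registrant fields are placeholders.
RECORDS = [
    {"domain": "loginportal-id75328983[.]com", "registrar": "Wild West Domains",
     "registrant": "Rome, IT", "created": "2026-03-01T10:00:00",
     "ns": ["edward.ns.cloudflare.com", "galilea.ns.cloudflare.com"]},
    {"domain": "auth-login-dashboard[.]com", "registrar": "Wild West Domains",
     "registrant": "Rome, IT", "created": "2026-03-01T10:05:00",
     "ns": ["galilea.ns.cloudflare.com", "edward.ns.cloudflare.com"]},
    {"domain": "fattureweb-sistem[.]digital", "registrar": "(registrar B)",
     "registrant": "(redacted)", "created": "2026-02-20T08:00:00",
     "ns": ["ns1.keyweb-placeholder.invalid", "ns2.keyweb-placeholder.invalid"]},
    {"domain": "wilconetworks[.]net", "registrar": "(registrar C)",
     "registrant": "(legitimate ISP)", "created": "2015-06-01T00:00:00",
     "ns": ["ns1.wilco-placeholder.invalid", "ns2.wilco-placeholder.invalid"]},
]


def ns_key(record):
    """Order-independent nameserver pair: a Cloudflare account keeps its pair
    whichever order the registrar happens to list the two hosts in."""
    return tuple(sorted(h.lower() for h in record["ns"]))


def cluster_by_nameservers(records):
    """Group domains that share a nameserver pair (the first, coarse pivot)."""
    clusters = {}
    for r in records:
        clusters.setdefault(ns_key(r), []).append(r["domain"])
    return clusters


def minutes_apart(r1, r2):
    t1 = datetime.fromisoformat(r1["created"])
    t2 = datetime.fromisoformat(r2["created"])
    return abs((t1 - t2).total_seconds()) / 60


def link_score(r1, r2, window_minutes=15):
    """Weighted pivots. A shared Cloudflare pair is deliberately the weakest
    signal: pairs come from a finite pool, so unrelated accounts collide.
    Registrant identity and a tight registration window carry more weight."""
    score = 0
    if ns_key(r1) == ns_key(r2):
        score += 1
    if r1["registrar"] == r2["registrar"]:
        score += 1
    if r1["registrant"] == r2["registrant"]:
        score += 2
    if minutes_apart(r1, r2) <= window_minutes:
        score += 2
    return score


def linked_pairs(records, threshold=4):
    """Every pair of domains whose combined pivots clear the threshold."""
    out = []
    for r1, r2 in combinations(records, 2):
        s = link_score(r1, r2)
        if s >= threshold:
            out.append((r1["domain"], r2["domain"], s))
    return out


if __name__ == "__main__":
    for key, domains in cluster_by_nameservers(RECORDS).items():
        print(key, "->", domains)
    print(linked_pairs(RECORDS))
```

With these weights only the two banking domains clear the threshold; the nameserver pivot alone would score 1, which is the point: it is a lead to confirm with registrar and registrant data, not a conclusion by itself.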

The Russian Connection

The operator's language leaked through an OPSEC failure. The domain dashboard-panel[.]online, found adjacent to the phishing infrastructure, redirects to Google from a page whose HTML language attribute is set to lang="ru", Russian. The neighbouring IP 95.169.191[.]216 hosts mail.ru, bk.ru and list.ru infrastructure, a weaker, circumstantial signal that points the same way.

An Italian address on the domain registration; Russian in the served HTML. The reading that fits is a Russian-speaking operator using fabricated Italian registrant details to add geographic plausibility to Italian-targeted campaigns.

The FattureWeb Clone

The Intesa Sanpaolo impersonation is basic. The FattureWeb clone is not.

At 23 KB of HTML plus seven JavaScript files, it is a high-fidelity reproduction of the legitimate FattureWeb invoice management platform. The clone includes:

  • The Dynatrace RUM configuration from the legitimate site, copied verbatim. A clone that loads it beacons Real User Monitoring data to the real Dynatrace endpoint, and those beacons carry the page URL the victim is on, so the legitimate site's monitoring tenant is the one place the clone announces itself; filtering RUM sessions on an unexpected host is a cheap clone detector.
  • reCAPTCHA site keys from the legitimate site. Site keys are registered to specific domains, so the widget normally refuses to render on the clone's hostname; even so, the copied keys tie the clone to its target.
  • A CSP nonce that Base64-decodes to the string "FATTURE WEB", the operator's signature embedded in a security header. A nonce has to be unpredictable and regenerated per response; a fixed, human-readable one defeats the policy it sits in and doubles as a static detection string.

The clone targets the credentials of Italian businesses that use FattureWeb for electronic invoicing, which has been mandatory in Italy since 2019.
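
Both artifacts described on this page, the lang="ru" attribute on the operator's redirect page and the fixed CSP nonce in the FattureWeb clone, can be pulled out of fetched HTML with the same small fingerprinting routine. The following is an added example, not code from the original report or from any tool it references; the two HTML documents are constructed stand-ins (the report supports only that the nonce decodes to "FATTURE WEB" and that the redirect page carried lang="ru"), and the function names are assumptions for the example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed samples, not captures from the campaign. The report says the
# clone's CSP nonce decodes to "FATTURE WEB" and that dashboard-panel[.]online
# served a Google redirect with lang="ru"; everything else here is filler.
SAMPLE_CLONE = """<!DOCTYPE html>
<html lang="it">
<head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' 'nonce-RkFUVFVSRSBXRUI='">
<script nonce="RkFUVFVSRSBXRUI=">window.dT_ = window.dT_ || {};</script>
</head>
<body><form action="/login" method="post"></form></body>
</html>"""

SAMPLE_REDIRECT = """<html lang="ru"><head>
<meta http-equiv="refresh" content="0;url=https://www.google.com/">
</head><body></body></html>"""


class _Collector(HTMLParser):
    """Pull the <html lang>, any nonce= attributes and a meta CSP policy."""

    def __init__(self):
        super().__init__()
        self.lang = None
        self.csp = None
        self.nonces = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "html" and self.lang is None:
            self.lang = a.get("lang")
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.csp = a.get("content")
        if a.get("nonce"):
            self.nonces.add(a["nonce"])


def decode_nonce(nonce):
    """A CSP nonce should be random bytes. If it base64-decodes to printable
    ASCII it is a fixed string somebody typed in, i.e. a fingerprint."""
    try:
        raw = base64.b64decode(nonce, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def fingerprint(html):
    """Language attribute plus every nonce found in tags or in the meta CSP."""
    p = _Collector()
    p.feed(html)
    nonces = set(p.nonces)
    if p.csp:
        nonces.update(re.findall(r"'nonce-([A-Za-z0-9+/=]+)'", p.csp))
    return {
        "lang": p.lang,
        "nonces": sorted(nonces),
        "decoded": {n: decode_nonce(n) for n in sorted(nonces)},
    }


def static_nonce(html_a, html_b):
    """Fetch the page twice: a nonce that repeats across responses is static,
    which both breaks CSP and gives a reliable detection string."""
    return sorted(set(fingerprint(html_a)["nonces"]) & set(fingerprint(html_b)["nonces"]))


if __name__ == "__main__":
    print(fingerprint(SAMPLE_CLONE))
    print(fingerprint(SAMPLE_REDIRECT))
    print(static_nonce(SAMPLE_CLONE, SAMPLE_CLONE))
```

The two-fetch check in static_nonce is the one to run against a suspected clone: a correctly implemented page never repeats a nonce, so any overlap between two responses is a finding on its own, before decoding tells you what the operator wrote in it.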

Indicators of Compromise

Network Indicators

  • loginportal-id75328983[.]com (InBank phishing)
  • auth-login-dashboard[.]com (Intesa Sanpaolo phishing)
  • fattureweb-sistem[.]digital (FattureWeb clone)
  • wilconetworks[.]net/demo/wp-content/plugins/responsive-countdown/lib/ssl/ (compromised WP staging)
  • dashboard-panel[.]online (operator infrastructure, Russian locale)
  • Cloudflare NS pair: edward / galilea

Detection

Four YARA rules and ten Suricata signatures are available on our GitHub:


h/t @ShadowOpCode for the tips.
