07.10.2025 - Exercise caution when selling things online. A well-known scam involving classified ad platforms has taken a dangerous turn: in addition to using phishing websites to harvest credit card details, criminals are now trying to trick victims into installing malware. Info stealer malware captures not just individual login credentials, but all passwords, financial details, and personal data stored on the computer. This week's review examines this new tactic and explains how you can protect yourself.

Scams on classifieds platforms are an ongoing threat. Until now, attacks have usually followed a familiar pattern: an alleged buyer contacts the seller, quickly moves the conversation to WhatsApp and sends a link or QR code leading to a fake PostFinance or payment provider website. The website states that the seller will receive the money if they 'confirm' the payment. This is classic phishing: scammers are harvesting credit card details or e-banking credentials. However, recent incidents show a worrying escalation of this method. If the initial phishing attempt fails, attackers now try to trick victims into installing malware. This tactical shift is a response to growing public awareness of phishing links. As people get better at spotting suspicious web addresses, criminals are shifting their focus to new attack methods – in this case, tricking people into opening what looks like a harmless document.
Analysis of a recent case
The new approach is illustrated in detail by a case reported to the NCSC.
Phase 1: Initial contact and trust building
Shortly after posting an advert, the seller is contacted by a potential buyer who asks them to continue the conversation on WhatsApp. They use a Swiss mobile number to make the seller believe they are local and legitimate.
Phase 2: The first hook – a fake payment confirmation
At first, the attackers use a familiar trick: they send a PDF made to look like an official PostFinance invoice. The PDF contains a QR code.
Phase 3: Escalation to malware
If the seller does not respond to the initial trick, the real attack begins. The attackers send the victim a ZIP file called 'twint-rechnung.zip', again using the name of a well-known and trustworthy service to put the victim at ease.
Phase 4: Psychological manipulation (social engineering)
At the same time as sending the file, the attackers apply heavy psychological pressure. Messages such as 'Please check this immediately' create a sense of urgency designed to prompt rash action. Crucially, the attackers instruct victims to open the file on a computer, claiming that the format will not work on a phone. This isn't helpful advice but a deliberate ploy: the malware is designed to harvest passwords, cookies and financial data stored in a browser profile on a computer. It doesn't work on mobile devices – it was designed for Windows – so the attackers deliberately push victims into the environment that suits the attackers best and leaves the victims most exposed.
What are info stealers?
The malware hidden in the ZIP file is an info stealer. This type of malware is designed to quickly and secretly collect sensitive information from a victim's computer and send it to a server controlled by the attackers. Unlike classic phishing, which only captures details entered on a website (such as credit card numbers, usernames and passwords), info stealers cause far greater damage because they target the following:
- Stored login data (i.e. usernames and passwords) from all installed web browsers.
- Financial information and credit card details.
- Session cookies that allow attackers to log into the victim's online accounts without a password.
- Cryptocurrency wallet information.
- Personal documents and system information.
Recommendations
- Be suspicious of all unsolicited files: Treat any file sent to you by a supposed buyer as potentially malicious. Never open attachments to confirm a payment.
- As the seller, you set the rules: Stick to your preferred secure payment method. Do not agree to complicated processes involving clicking on links or downloading files. You never need to enter your credit card details or confirm a code to receive money.
- Check payments only through your bank's official app or online portal: The only valid proof of payment is money appearing in your official bank or TWINT account. Do not trust screenshots, PDFs or emails as confirmation.
- Keep your systems up to date: Ensure that your operating system, web browser and antivirus software are always up to date. Current security software can detect and block many known info stealers.
- What should you do if you suspect an infection? If you think you may have opened a malicious file, disconnect your computer from the internet immediately. Using another secure device (e.g. your smartphone), change all important passwords immediately (e.g. your email, online banking, social media). Report the incident to the NCSC and file a police report. You can find your nearest police station on the Suisse ePolice website (available in German, French and Italian).
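The first recommendation above, treating an unsolicited "invoice" archive as malicious until proven otherwise, can be turned into a quick triage check that looks inside a ZIP without extracting or running anything. The following Python script is an added example written for this review, not a tool from the NCSC or from the case described. It lists each member of an archive and flags the signs a practitioner would look for: a Windows-executable extension, a double extension such as `.pdf.exe` that disguises a program as a document, an encrypted member that cannot be scanned, and a file body that begins with the `MZ` header of a Windows executable even when its name suggests otherwise. The sample archive it builds is constructed for the demonstration; the member names inside it are assumptions, not the contents of the real 'twint-rechnung.zip' from the incident.

```python
import io
import zipfile
from typing import Dict, List

# File types Windows will execute on double-click. A payment confirmation
# has no reason to contain any of these.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1",
}
# Document types attackers imitate with a double extension (e.g. invoice.pdf.exe).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE (Windows) executable


def inspect_archive(data: bytes) -> Dict[str, List[str]]:
    """Return {member name: [reasons it looks suspicious]} for a ZIP given as bytes.

    Nothing is written to disk and no member is executed; at most the first
    two bytes of each unencrypted member are read to check for an MZ header.
    """
    findings: Dict[str, List[str]] = {}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["not a valid ZIP archive"]}

    with archive as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons: List[str] = []
            basename = info.filename.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # "rechnung.pdf.exe": the part before the real extension imitates a document.
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension disguised as document")

            if info.flag_bits & 0x1:
                # Password-protected members defeat antivirus scanning; treat as a red flag.
                reasons.append("encrypted member (cannot be scanned)")
            else:
                with zf.open(info) as member:
                    if member.read(2) == MZ_MAGIC:
                        reasons.append("Windows executable header (MZ)")
            findings[info.filename] = reasons
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Summarise the inspection: any flagged member makes the whole archive suspicious."""
    return "SUSPICIOUS" if any(findings.values()) else "no executable content found"


def build_sample_archive() -> bytes:
    """Constructed sample imitating the pattern in the review (not the real file).

    One member is a fake PE stub hidden behind a .pdf.exe double extension,
    the other is a harmless PDF-looking text file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("twint-rechnung.pdf.exe", MZ_MAGIC + b"\x00" * 62)  # assumed name
        zf.writestr("Rechnung.pdf", b"%PDF-1.4\n%%EOF\n")                # assumed name
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive())
    for name, reasons in result.items():
        print(f"{name}: {', '.join(reasons) if reasons else 'ok'}")
    print("Verdict:", verdict(result))
```

Run it against a downloaded archive by replacing `build_sample_archive()` with the file's bytes; a single flagged member is enough reason not to open the archive and to follow the reporting steps above. The check is deliberately conservative: it knows nothing about what a flagged executable does, it only establishes that a supposed invoice contains something that runs.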
Current statistics
Last week's reports by category: (chart not reproduced in this text version)
Last modification 07.10.2025