USAA Phishing scam linked to 1500 domains
by Steve Ragan - Nov 2 2010, 19:40

Security specialist AppRiver is warning users that a Phishing scam, targeting members of the U.S. Armed Forces and their families, has surfaced in the guise of a notification from the United Services Automobile Association (USAA). AppRiver has called the attack one of the more intricate and widespread campaigns it has seen in some time.
For years, military personnel (active and former) and their families have used the United Services Automobile Association and subsidiaries like USAA Financial Planning Services, to manage insurance, banking, and other financial needs.
The latest Phishing attack noticed by AppRiver isn’t the first one to target USAA members. As was the case with previous attacks, this latest vector attempts to steal personal information and money. The emails are delivered carrying subjects related to security alerts and urgent messages, but they’re junk according to AppRiver and the USAA. In short, any and all suspect messages should be deleted or reported to abuse@usaa.com.
A link in the newest wave of Phishing attempts will direct the potential victim to a form that asks for USAA account details, including USAA card numbers, PIN, and other related security codes. This is in addition to personal information such as birth name and online banking identification. The website and the form itself represent a near perfect mirror of the legitimate USAA site, making it difficult for the untrained eye to distinguish it from the real thing.
However, according to the USAA, users can spot a fake version of the site by looking at the address bar for a visual cue.
“Valid USAA websites use Extended Validation (EV) certificates which are an authentication method that turns the Web address bar green, helping you to establish you are visiting a legitimate website,” it outlines.
In addition, although the email includes an official USAA logo and appears to originate from the USAA itself, the association maintains that it “will not ask for any personal or account information, including PINs or passwords, in an e-mail.”
Like other financial institutions, if the USAA were to make changes or need information from its customers, it would contact them directly via postal mail or telephone.
“Although we do see Phishing attempts directed at USAA members among hundreds of other financial firms on a regular basis, this is one of the more intricate and widespread Phishing campaigns that we have seen in quite some time,” the AppRiver alert noted.
“Each unique domain is serving up a complete fake USAA website. At this time we are monitoring (and blocking) over 1500 unique domains that are all registered with the free .tk (tld).”
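The campaign described above is identifiable by a simple pattern: links in the lure messages point at hosts that are not the legitimate usaa.com but either imitate the brand name or sit under the free .tk TLD. The following added example (not code from the article, AppRiver or USAA) shows how a mail filter could triage links on that basis. The allowlist `LEGIT_HOSTS`, the `SUSPICIOUS_TLDS` set and the sample message are assumptions constructed for the example; the legitimate hostnames to allow would come from the institution's own published domains.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts a USAA-branded message may legitimately link to.
LEGIT_HOSTS = {"usaa.com", "www.usaa.com"}

# The article reports the campaign's domains were all registered under .tk;
# treating that TLD as suspicious in brand-themed mail is an assumption of this example.
SUSPICIOUS_TLDS = {"tk"}

# Brand tokens whose presence in a non-allowlisted hostname marks a lookalike.
BRAND_TOKENS = ("usaa",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_matches(host, allowed):
    """True when host is an allowlisted name or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_link(url):
    """Return one of: legitimate, suspicious-tld, lookalike, unknown, malformed."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "malformed"
    if host_matches(host, LEGIT_HOSTS):
        return "legitimate"
    # Check the TLD first so "usaa.com.evil.tk" is not mistaken for a subdomain.
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        return "suspicious-tld"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def triage_message(body):
    """Extract every http(s) URL from a message body and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample lure, modelled on the "security alert" subjects the article mentions.
SAMPLE_MESSAGE = """Subject: USAA Security Alert - Urgent action required
Dear member, please verify your account at
http://usaa-secure-login.tk/verify?id=1 within 24 hours.
You can also visit https://www.usaa.com/ for help.
"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE):
        print(f"{verdict:15} {url}")
```

Only the hostname is inspected, so a link whose path or query string mentions the brand is judged on its host alone; a message carrying any `suspicious-tld` or `lookalike` verdict would be quarantined or reported rather than delivered.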
Update:
M86 notes that it has started seeing these dodgy USAA emails as well. It reports that the mails are being pushed by Cutwail, the spamming component installed by the Pushdo botnet.
"We have not seen one of these large scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware," it noted.
"With the recent high profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back in fashion?"