Sunday, November 14, 2010

USAA Credential Phishing

Security company M86 blogs about a sophisticated phishing attack targeting members of the USAA. Would you have spotted this attack?

Today we started seeing a new phishing campaign which is being sent by the Cutwail spambot, targeting customers of the United States Automobile Association (USAA). Cutwail is the spamming component installed by the Pushdo botnet. The phishing emails ask the recipient to fill out a ‘confirmation form’ which they can access by clicking on a link in the message.

To hide the URL of the phishing web page, these emails contain a link to one of several different URL shortening services such as which redirect the browser to the actual phishing page.

The link ‘Access USAA Confirmation Form’ in the spam email above points to http://bit . ly/agWGNG. When we tested this link, had already determined that there may be a problem with the URL it was redirecting to and displayed a warning page rather than redirecting us to the phishing page.

If we choose to ignore this warning and continue to the un-shortened URL, we end up at the page below, a phishing website aimed at stealing information from USAA members. This page, titled ‘Cardholder Form’, asks the user to provide information such as their online ID, password, name, card number, card security code and PIN. When the user clicks the submit button all of the details are sent to the criminals’ server and the users’ browser is redirected to the real USAA website.

For now, this phishing site, which is hosted on the domain vsdfile (dot) ru is not serving up any malicious content. The USAA provides a banking and credit card service which may be the intended target of these criminals once they have tricked a customer into divulging their cardholder details.

We have not seen one of these large scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware. With the recent high profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back in fashion


Gabrielle Miller said...

I just want to start off by saying that I would have never spotted this attack. Before this class I would have given up my card number, PIN, and any other information required without much thought - I truly had no idea about the prevalence of cyber attacks and how easy it is to either become infected with malware or unknowingly give up personal information.

As ironic as this sounds, couldn't it be a good thing that cyber criminals have started to re-employ phishing as a tactic because of the crackdown on Zeus perpetrators? At least with phishing the user has to physically enter information in order for it to be stolen, unlike Zeus malware which unknowingly captures any useful personal credentials the user enters into their machine.

Even though I am still pretty ignorant about the complexity of these attacks, based on what we have learned in class, a phishing campaign scares me much less than does Zeus malware.

Olivia George said...

I agree that before this class I wouldn’t have thought twice about filling in my information. Obviously we all recognize the old phishing scams because they look “sketchy” or sound strange… but a scam like this would have fooled me because it looks pretty official. The only way I would think it was a scam now is because of the type of information requested (PIN number, for example).

Along the same lines, recently I was going to go to youtube, but I accidentally typed in “,” which then directs to a different web address and a survey with the youtube logo. Before this class I might have not looked at the URL, there’s a good chance I might have gone through the survey, thinking that it’s just youtube looking for feedback. However, since we’ve learned about the various web scams online, I immediately checked the URL to see if the site was legitimate or not…it clearly wasn’t. I x-ed out of the page and a box popped up asking me if I wanted to navigate away from that page (another sign that the site was clearly a scam of some kind). At this point, I just closed my browser just in case clicking on anything might compromise my machine. Who knows what the survey led to, but this class could have just saved me from a phishing scam (which eventually I probably would have realized for what it was) or worse.

Ian Kerr said...

Like others, I also would have never spotted this attack prior to taking this class. Although I now know that requests for certain information like PIN numbers should signal a phishing attack, the page presented to the victim appears so legitimate that it would very easy to give up this sensitive data just as a matter of instinct.

While I agree that other scams like that perpetrated by the Zeus group are particularly horrifying, I'm not sure that we can say which would be more desirable for criminals to use. Organizations engaged in phishing operations have become very adept at creating the semblance of legitimacy that I don't necessarily take comfort in the fact that I still have to enter the information myself. Either way, these two operations are likely to compromise many Americans regardless of the approach they take.

On a side note, seeing a form like this reminds me of the millions of Americans who have had their identities or personal information compromised. I can't say for sure whether I'm one of them, but the fact that I spent most of the Internet age with a false sense of security (up until this fall, really), it would be hard to argue that at least some of my personal data isn't floating around the Web somewhere.

Morgan Falzone said...

Like Ian said, phishing attacks have become so detailed in their attempts to appear legitimate, that many people fall for them. Except for the fact that the attack asked for sensitive information, I would never have suspected this was a scam. A fair amount of people have learned not give out sensitive information over the internet, but when the request comes from a trusted, official-looking site, many people end up giving out the information anyway - especially if the request came from an entity that could conceivably need you to verify your credit card and pin numbers, such as your bank.
Also, the age group of people owning debit/credit cards is getting younger and younger. It used to be that only adults would use them, but now many pre-teens are running around with debit/credit cards too. Younger kids are far more trusting in general and far more naïve when it comes to the internet than their adult counter-parts, so I could see them easily being taken in by a phishing scam. I think a lot more should be done to educate younger generations about cyber-threats.

Steve said...

Although the phishing site's URL is initially disguised via, it must redirect to a site that is, by definition, not the USAA's proper site.

This brings up the obvious idea that we should be habitually double-checking URLs. Recently, browser's have introduced features whereby the main part of the URL is highlighted, with the remainder slightly faded out.

Sure, this might be semi-helpful for people who know what to look for but it is something easily overlooked by many.

My thought is that Google likely has the capacity to employ algorithms to detect and classify e-mails like this as phishing. For example, an algorithm could easily flag the fact that an e-mail from a firm, company, etc. is employing or tinyurl. Next it could follow the URL, identify that it leads to a site that is not USAA's, red-flag the e-mail, etc.

This brings up it's own issues of Google's invasive-ness and of e-mail privacy, but we did give Google the right to read our GMail years ago, in order to serve up relevant ads.

Google can and should employ some sort of algorithm like the one described here. I think it would be well received by users, rather than stirring up any concerns over privacy.