We recently encountered phishing pages targeting the United Services Automobile Association (USAA), a Fortune 500 financial company that offers banking, investing, and insurance to US military soldiers and their families.
Here is what the fake page looks like:
Whatever one enters under "Online ID" and "Password" is harvested and posted back to pin.php, according to the Fiddler finding below:
Users are then led to this page:
Clicking the "Next" button opens this page wherein users can supply their secret questions and their respective answers:
Clicking "Next" opens the last page, which asks for more information that needs "updating", including full name and date of birth:
Users are then shown the door: they are redirected to the legitimate USAA page one sees after logging out (screenshot below).
blocks the aforementioned .biz domain.
With a little more digging, we found that the email associated with the domain usaacoustomersupport(dot)biz is also tied to the following domains, which we've already confirmed are inaccessible:
USAA phishing scams are seen in the wild, but they're not particularly common. Our friend, Kimberly, at StopMalvertising wrote a piece on a similar phishing campaign she found in February of this year. Several months later, Oklahoma-based news outlet KJRH reported a similar occurrence.
In case you receive emails claiming to be from USAA, please note that they do not send out emails to their clients, or to anyone for that matter, asking for their information.
Here is a short list of tips to help you steer clear of USAA phishing attempts:
- Remain aware of phishing cases involving USAA. It's also good to have their contact details handy in the event of fraud or account compromise.
- The legitimate USAA website, www.usaa.com, is a verified domain. As such, look for the green box beside its URL on the browser address bar. This site also uses SSL encryption, which means that it uses the https protocol, making it safe to access even over public networks.
- Ensure that the anti-phishing feature of your Internet browser is enabled. Do this for your antivirus software as well.
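
The domain check from the tips above can be automated when triaging reported emails or proxy logs. The following Python is an added example, not code from the original post; the sample URLs are constructed (only www.usaa.com and usaacoustomersupport(dot)biz come from this page) and the verdict labels are assumptions of this example.

```python
from urllib.parse import urlsplit

LEGIT_DOMAIN = "usaa.com"   # legitimate site named in the tips above
BRAND = "usaa"              # brand string that lookalike hosts embed

def refang(url: str) -> str:
    """Undo common defanging such as (dot), [.] and hxxp."""
    for old, new in (("(dot)", "."), ("[dot]", "."), ("[.]", "."), ("hxxp", "http")):
        url = url.replace(old, new)
    return url

def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a URL or bare host."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url            # lets urlsplit locate a bare hostname
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Only the exact domain or a true subdomain of it counts as legitimate.
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    # Brand inside another host: usaacoustomersupport.biz, www.usaa.com.login.example
    if BRAND in host:
        return "lookalike"
    # Real domain used as decoration in the userinfo or path of another host.
    if LEGIT_DOMAIN in parts.netloc.lower() or LEGIT_DOMAIN in parts.path.lower():
        return "lookalike"
    return "unrelated"

# Constructed sample inputs; the .example hosts are placeholders.
SAMPLES = [
    "https://www.usaa.com/",
    "usaacoustomersupport(dot)biz",
    "hxxp://usaacoustomersupport(dot)biz/pin.php",
    "https://www.usaa.com.login.example/",
    "https://www.usaa.com@login.example/",
    "https://notusaa.com/",
    "https://news.example/weather",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):<11} {sample}")
```

A "lookalike" verdict is a reason to inspect the message, not proof of phishing; the check works on the hostname only and does not cover homoglyph or punycode variants.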