SlashNext Labs

USAA Zero-Day Phishing Attack

December 15th 2017


Phishing is a form of fraud that uses social engineering to steal confidential and personally identifiable information such as login credentials, credit card numbers, Social Security numbers and PINs. There are many phishing tactics, but one of the simplest and most common is to scrape and clone the web pages of well-known websites. The clone may imitate a public-facing site or, more dangerously, a corporate portal or intranet page. In either case, the cloned pages may be hosted on legitimate but compromised web servers or on infrastructure the attackers own and control.

Phishing emails, another simple and common lure, are designed to impersonate a trusted organization and provoke the target into clicking a malicious link or opening an attachment without arousing suspicion. Well-crafted emails create a sense of urgency so that the recipient acts quickly without thinking.

When the target opens the attachment or link, a phishing page is displayed. If the victim is taken in by that page and enters confidential or personal information, the attacker either uses it directly or sells it on the dark web.

What your employees need to know:

SlashNext spotted a phishing attack in which the attacker impersonated the United Services Automobile Association (USAA), a well-known consumer insurance and financial services company, and specifically its "My Account" login page. The cloned form attempts to collect the victim's Online ID, password, PIN, USAA number, email address and the answers to several security questions.

What your IT/Security team needs to know:

The only significant difference between the genuine page and the phishing page is the form's action URL, that is, where the browser sends the form data when the victim clicks Submit.

In the phishing page that action URL points at harisma[.]biz, a legitimate Ukrainian footwear website hosted in Ukraine on a web server that has been compromised. Once a victim enters their account details and clicks "Submit", the browser sends every field to this command-and-control host as an ordinary web form submission, in plain text (the capture accompanying the original post shows the raw request).

The stolen data is thus handed to the attacker, and the server answers with an HTTP redirect: the browser follows the Location header to the URL the attacker chose (highlighted in the same capture), so the victim is simply moved on to another page.
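The observation above, that a cloned login page is byte-for-byte the original except for where the form posts, can be turned into a simple detection check. The following is an added example written for this post, not code from SlashNext: it parses every `<form>` on a page with the standard-library HTML parser, resolves the action the way a browser would, and flags any credential-collecting form whose action resolves outside the brand's legitimate domain or is submitted over plain HTTP. The HTML samples, host names (`example-bank.test`, `compromised-shop.test`, `phish.example.test`) and field names are constructed placeholders, and `SENSITIVE_NAMES` is a heuristic list rather than anything from the post.

```python
"""Flag HTML forms that post credentials somewhere other than the brand's own site.

Added example (not from the SlashNext post). All sample HTML and host names
below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that suggest a form is harvesting secrets (heuristic; extend as needed).
SENSITIVE_NAMES = {"password", "passwd", "pin", "ssn", "securityanswer", "onlineid"}


class FormCollector(HTMLParser):
    """Record the action, method and input fields of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"name": (a.get("name") or "").lower(),
                                         "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _same_site(host, legit_host):
    """True if host is legit_host itself or one of its subdomains."""
    return host == legit_host or host.endswith("." + legit_host)


def analyze_forms(page_url, html, legit_host):
    """Return one finding per form: where it posts and why that is suspicious (if it is).

    legit_host is the registrable domain the impersonated brand's real login
    form posts to. A credential form whose action resolves anywhere else, or
    that submits over plain HTTP, is marked suspicious.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Resolve relative or empty actions against the page URL, exactly as a browser does.
        action = urljoin(page_url, form["action"])
        parts = urlsplit(action)
        host = (parts.hostname or "").lower()
        collects_secret = any(i["type"] == "password" or i["name"] in SENSITIVE_NAMES
                              for i in form["inputs"])
        reasons = []
        if not _same_site(host, legit_host):
            reasons.append(f"action host {host!r} is not under {legit_host!r}")
        if parts.scheme != "https":
            reasons.append(f"submits over {parts.scheme}, not https")
        if form["method"] != "post":
            reasons.append("uses GET, so field values end up in logs and history")
        findings.append({"action": action,
                         "collects_secret": collects_secret,
                         "suspicious": collects_secret and bool(reasons),
                         "reasons": reasons})
    return findings


# Constructed samples: the same login fields, first on the genuine page, then in a
# clone whose only change is the action URL (a placeholder for the compromised host).
LOGIN_FIELDS = """
  <input type="text" name="onlineid">
  <input type="password" name="password">
  <input type="text" name="pin">
  <input type="submit" value="Log On">
"""
LEGIT_HTML = f'<form method="post" action="/my-account/login">{LOGIN_FIELDS}</form>'
CLONE_HTML = (f'<form method="post" action="http://compromised-shop.test/forms/post.php">'
              f'{LOGIN_FIELDS}</form>')

if __name__ == "__main__":
    for label, url, html in [("genuine", "https://www.example-bank.test/my-account", LEGIT_HTML),
                             ("clone", "http://phish.example.test/my-account.html", CLONE_HTML)]:
        for f in analyze_forms(url, html, "example-bank.test"):
            print(label, "->", f["action"], "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

The check deliberately keys on the combination of "collects a secret" and "leaves the expected site", so an ordinary off-site search box or analytics beacon is not flagged while a cloned login form is. In practice you would feed it the fetched HTML of a suspect URL plus the brand you believe it is impersonating; JavaScript that rewrites the action at submit time will evade a static parse, so treat a clean result as one signal, not a verdict.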

An interesting note:

The URL was submitted to VirusTotal, the Google-owned public service that aggregates verdicts from more than 60 URL-scanning engines, well after SlashNext had first detected it. Two days later, no other engine had flagged the URL as malicious, and at the time of writing only one other provider identifies it as such.