Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 17 January 2010

USAA Bank latest Avalanche Scam

Posted on 16:26 by Unknown
Another major spam campaign has been seen in the "avalanche" group. This one seems to be a "phishing only" spam, as opposed to recent versions that also infect with malware. We've seen more than 5,000 copies of the email in the UAB Spam Data Mine today.

The emails look like this:



We've seen 95 base subject lines:

account notification: security alert
automatic notification
automatic reminder
Customer notification
Enhanced online security measures
Important alert
Important announce
Important banking mail from USAA
important banking mail
Important information
important instructions
important notice from USAA
Important notification from USAA
important notification
Important security alert from USAA
important security update
important USAA mail
information from USAA customer service team
information from USAA customer service
Instructions for customer
instructions for our customers
instructions for USAA customer
instructions for USAA customers
instructions from customer service team
instructions from customer service
message from customer service team
message from customer service
New enhanced online security measures
New online security measures
New security measures
new security notification
new USAA form released
New USAA form
notification from USAA
notification
official information
official update
online banking alert
Our enhanced online security measures
our new security measures
safeguarding customer information
scheduled security maintenance
Security alert
security issues
Security maintenance
security measures
Service message from USAA
service message
service notification from USAA
software updating
Urgent message for USAA customer
Urgent message from USAA
Urgent notification from customer service
urgent notification
Urgent security notification
USAA customer service informs you
USAA customer service team informs you
USAA customer service: account notification
USAA customer service: important information
USAA customer service: important message
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: new online form released
USAA customer service: notification
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA customer service: service message
USAA customer service: urgent notification
USAA notification
USAA online form
USAA reminder: notification
USAA reminder: online form
USAA reminder: please complete online form
USAA security upgrade
USAA: alert - online form released
USAA: customer alert
USAA: important announce
USAA: important information
USAA: important message
USAA: important notification
USAA: important security update
USAA: instructions for customer
USAA: notification
USAA: online form released
USAA: security alert
USAA: security issues
USAA: service message
USAA: software updating
USAA: urgent message
USAA: urgent notification
USAA: urgent security notification
we have released new version of USAA form

The subject lines are uniqued by adding either a Timestamp, a Message ID, a Reference Number. So, for example, the base subject "Account notification: security alert" was received with many patterns, including:

Account notification: security alert [message id: 6411033822]
Account notification: security alert [message id: 8829877625]
Account notification: security alert
account notification: security alert [message ref: 1976348562]
Account notification: security alert [message ref: 2573324226]
account notification: security alert [message ref: 2956755073]
account notification: security alert (message ref: 4790726101)
account notification: security alert
account notification: security alert (message ref: 7771108239)
account notification: security alert [message ref: 8030440576]
account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100
account notification: security alert Mon, 18 Jan 2010 00:48:19 +0100
account notification: security alert Mon, 18 Jan 2010 09:30:38 +1000
Account notification: security alert - Ref No. 511853
Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300
Account notification: security alert Sun, 17 Jan 2010 14:18:53 -0300
account notification: security alert Sun, 17 Jan 2010 14:35:54 -0300
Account notification: security alert Sun, 17 Jan 2010 17:15:30 +0000

The actual website looks like this:



The URL contains:

/inet/ent_formversionnew/do_action.php?id=(bignumberhere)&email=(emailhere)

Websites we've seen used in spam today (Jan 17) include:

www.usaa.com.12asze.com.pl
www.usaa.com.12aszg.com.pl
www.usaa.com.12aszh.com.pl
www.usaa.com.12aszi.com.pl
www.usaa.com.12aszj.com.pl
www.usaa.com.12aszk.com.pl
www.usaa.com.12aszl.com.pl
www.usaa.com.12aszo.com.pl
www.usaa.com.12aszp.com.pl
www.usaa.com.12aszq.com.pl
www.usaa.com.12aszr.com.pl
www.usaa.com.12aszt.com.pl
www.usaa.com.12aszu.com.pl
www.usaa.com.12aszw.com.pl
www.usaa.com.12aszy.com.pl
www.usaa.com.eee1sa0.com.pl
www.usaa.com.eee1sa1.com.pl
www.usaa.com.eee1sa2.com.pl
www.usaa.com.eee1sa3.com.pl
www.usaa.com.eee1sa4.com.pl
www.usaa.com.eee1sa5.com.pl
www.usaa.com.eee1sa6.com.pl
www.usaa.com.eee1sa7.com.pl
www.usaa.com.eee1sa8.com.pl
www.usaa.com.eee1sa9.com.pl
www.usaa.com.eee1sae.com.pl
www.usaa.com.eee1saq.com.pl
www.usaa.com.eee1sar.com.pl
www.usaa.com.eee1sat.com.pl
www.usaa.com.eee1saw.com.pl
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Carder Christopher Schroebel gets Seven Years
    21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conferen...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ▼  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ▼  January (7)
      • Minipost: VISA Zeus
      • American Bankers Association version of Zeus Bot /...
      • AOL Update spreads Zeus / Zbot
      • Sendspace Zbot spreader a Flashback to Dec 15-20
      • USAA Bank latest Avalanche Scam
      • Minipost: #CNIRcyberwar ? ? ?
      • Iranian Cyber Army returns - target: Baidu.com
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile