Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 17 January 2010

USAA Bank latest Avalanche Scam

Posted on 16:26 by Unknown
Another major spam campaign has been seen in the "avalanche" group. This one seems to be a "phishing only" spam, as opposed to recent versions that also infect with malware. We've seen more than 5,000 copies of the email in the UAB Spam Data Mine today.

The emails look like this:



We've seen 95 base subject lines:

account notification: security alert
automatic notification
automatic reminder
Customer notification
Enhanced online security measures
Important alert
Important announce
Important banking mail from USAA
important banking mail
Important information
important instructions
important notice from USAA
Important notification from USAA
important notification
Important security alert from USAA
important security update
important USAA mail
information from USAA customer service team
information from USAA customer service
Instructions for customer
instructions for our customers
instructions for USAA customer
instructions for USAA customers
instructions from customer service team
instructions from customer service
message from customer service team
message from customer service
New enhanced online security measures
New online security measures
New security measures
new security notification
new USAA form released
New USAA form
notification from USAA
notification
official information
official update
online banking alert
Our enhanced online security measures
our new security measures
safeguarding customer information
scheduled security maintenance
Security alert
security issues
Security maintenance
security measures
Service message from USAA
service message
service notification from USAA
software updating
Urgent message for USAA customer
Urgent message from USAA
Urgent notification from customer service
urgent notification
Urgent security notification
USAA customer service informs you
USAA customer service team informs you
USAA customer service: account notification
USAA customer service: important information
USAA customer service: important message
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: new online form released
USAA customer service: notification
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA customer service: service message
USAA customer service: urgent notification
USAA notification
USAA online form
USAA reminder: notification
USAA reminder: online form
USAA reminder: please complete online form
USAA security upgrade
USAA: alert - online form released
USAA: customer alert
USAA: important announce
USAA: important information
USAA: important message
USAA: important notification
USAA: important security update
USAA: instructions for customer
USAA: notification
USAA: online form released
USAA: security alert
USAA: security issues
USAA: service message
USAA: software updating
USAA: urgent message
USAA: urgent notification
USAA: urgent security notification
we have released new version of USAA form

The subject lines are uniqued by adding either a Timestamp, a Message ID, a Reference Number. So, for example, the base subject "Account notification: security alert" was received with many patterns, including:

Account notification: security alert [message id: 6411033822]
Account notification: security alert [message id: 8829877625]
Account notification: security alert
account notification: security alert [message ref: 1976348562]
Account notification: security alert [message ref: 2573324226]
account notification: security alert [message ref: 2956755073]
account notification: security alert (message ref: 4790726101)
account notification: security alert
account notification: security alert (message ref: 7771108239)
account notification: security alert [message ref: 8030440576]
account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100
account notification: security alert Mon, 18 Jan 2010 00:48:19 +0100
account notification: security alert Mon, 18 Jan 2010 09:30:38 +1000
Account notification: security alert - Ref No. 511853
Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300
Account notification: security alert Sun, 17 Jan 2010 14:18:53 -0300
account notification: security alert Sun, 17 Jan 2010 14:35:54 -0300
Account notification: security alert Sun, 17 Jan 2010 17:15:30 +0000

The actual website looks like this:



The URL contains:

/inet/ent_formversionnew/do_action.php?id=(bignumberhere)&email=(emailhere)

Websites we've seen used in spam today (Jan 17) include:

www.usaa.com.12asze.com.pl
www.usaa.com.12aszg.com.pl
www.usaa.com.12aszh.com.pl
www.usaa.com.12aszi.com.pl
www.usaa.com.12aszj.com.pl
www.usaa.com.12aszk.com.pl
www.usaa.com.12aszl.com.pl
www.usaa.com.12aszo.com.pl
www.usaa.com.12aszp.com.pl
www.usaa.com.12aszq.com.pl
www.usaa.com.12aszr.com.pl
www.usaa.com.12aszt.com.pl
www.usaa.com.12aszu.com.pl
www.usaa.com.12aszw.com.pl
www.usaa.com.12aszy.com.pl
www.usaa.com.eee1sa0.com.pl
www.usaa.com.eee1sa1.com.pl
www.usaa.com.eee1sa2.com.pl
www.usaa.com.eee1sa3.com.pl
www.usaa.com.eee1sa4.com.pl
www.usaa.com.eee1sa5.com.pl
www.usaa.com.eee1sa6.com.pl
www.usaa.com.eee1sa7.com.pl
www.usaa.com.eee1sa8.com.pl
www.usaa.com.eee1sa9.com.pl
www.usaa.com.eee1sae.com.pl
www.usaa.com.eee1saq.com.pl
www.usaa.com.eee1sar.com.pl
www.usaa.com.eee1sat.com.pl
www.usaa.com.eee1saw.com.pl
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ▼  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ▼  January (7)
      • Minipost: VISA Zeus
      • American Bankers Association version of Zeus Bot /...
      • AOL Update spreads Zeus / Zbot
      • Sendspace Zbot spreader a Flashback to Dec 15-20
      • USAA Bank latest Avalanche Scam
      • Minipost: #CNIRcyberwar ? ? ?
      • Iranian Cyber Army returns - target: Baidu.com
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile