Monday, November 01, 2010

USAA Phish: Avalanche uses many "redirectors"

A hard-hitting phishing campaign is trying to steal login credentials from the customers of USAA bank. Reports from all over are indicating the emails slide right through spam filters.

The emails look like this:



Dear USAA Customer,
We would like to inform you that we have released a new version of USAA Confirmation Form. This form is required to be completed by all USAA customers. Please use the button below in order to access the form.


Although the spam is coming from all over the world, of the 309 computers which have sent a copy of this spam to the UAB Spam Data Mine so far, 77 of them are in Russia, 40 in Ukraine, 29 in India, 18 in Brazil, and 12 in Belarus. The single largest sending ISP is UkrTelecom in Ukraine.



There are several reasons for the success. First, the phisher is using an unusually wide variety of spam subject lines, such as:


account notification: security alert Mon, 1 Nov 2010 22:29:32 +0300
Automatic notification
Automatic reminder
Automatic reminder
Enhanced online security measures
Enhanced online security measures [message ref: 3986632685]
Important alert [message ref: 8656525645]
Important alert Mon, 1 Nov 2010 22:10:09 +0200
important announce
important banking mail from USAA - Ref No. 911592
important instructions
Important security alert from USAA Mon, 1 Nov 2010 22:27:09 +0530
Important security update - Ref No. 867527
information from USAA customer service
information from USAA customer service team Mon, 1 Nov 2010 22:08:41 +0200
instructions for customer
instructions for our customers
Instructions for USAA customer
instructions from customer service team
Message from customer service Mon, 1 Nov 2010 09:45:22 -0800
message from customer service team (message ref: 5833415494)
new online security measures
new online security measures
new online security measures
New security measures Mon, 1 Nov 2010 20:15:10 +0100
new USAA form
new USAA form released
Notification
Official update
official update (message ref: 1785474186)
safeguarding customer information
scheduled security maintenance
Security alert
security alert
Security maintenance - Ref No. 390744
Service message from USAA
Service message Mon, 1 Nov 2010 22:47:50 +0500
Service notification from USAA
Software updating [message ref: 3352139151]
urgent message for USAA customer
urgent message from USAA Mon, 1 Nov 2010 11:38:23 -0800
urgent notification from customer service
urgent notification from customer service (message ref: 4130612339)
Urgent notification from customer service Mon, 1 Nov 2010 20:03:03 +0200
USAA customer service informs you
USAA customer service: account notification (message ref: 1265140610)
USAA customer service: account notification Mon, 1 Nov 2010 15:55:27 -0300
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: instructions for customer
USAA customer service: instructions for customer Tue, 2 Nov 2010 01:34:18 +0530
USAA customer service: new online form released
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA notification (message ref: 6543359729)
USAA online form (message ref: 8649844530)
USAA reminder: notification
USAA: customer alert
USAA: customer alert Mon, 1 Nov 2010 19:30:31 +0300
USAA: customer alert Mon, 1 Nov 2010 19:31:52 +0300
USAA: important announce (message id: 5905706704)
USAA: important announce
USAA: important information
USAA: important message
USAA: important message (message id: 8210883971)
USAA: important notification
USAA: important security update
USAA: notification Mon, 1 Nov 2010 22:39:46 +0300
USAA: security alert (message ref: 7918345647)
USAA: service message
USAA: service message
USAA: service message
USAA: service message Mon, 1 Nov 2010 20:18:41 +0300
USAA: urgent message Mon, 1 Nov 2010 20:58:50 +0300
USAA: urgent notification Mon, 1 Nov 2010 19:52:51 +0100
USAA: urgent security notification (message ref: 8157388415)


But the phisher is also not placing a direct link to his criminal website in any of the emails. Instead we have seen more than 200 URLs which used the "bit.ly" URL shortening service. Other URL shortening services deployed by this phisher include migre.me, thesurl.com, tinyurl.com, and j.mp. In addition to these traditional shorteners, the criminal has also created at least 290 "free" .tk domains, using that service to create realistic-looking domain names that redirect to the phishing site.

The actual phishing site looks like this:



The "CARDHOLDER FORM" is actually hosted on randomly generated hostnames on the domain name "vsdfile.ru". Some examples of the random domains would be:

session1007435456.usaa.com.vsdfile.ru

The path "inet/ent_chform/" is used on that server regardless of the random numbers in the "session" portion of the URL.

The webserver seems to be fastflux hosted. We've seen the domain resolve to:

24.115.37.183 = PenTeleData - (Pennsylvania)
24.177.87.49 = Charter Communications - this IP has also hosted pill spam domains, such as xxpillsx.com, xxmedx.com, and approved-cvs-drugs.com
24.178.114.105 = Charter Communications (Georgia) (also hosting fastflux domains mtr5.com, mjp9.com, and qettt.com)
24.224.34.92 = CMA Cablevision (Dallas, TX)
67.161.113.88 = Comcast Cable (Washington)
67.244.129.9 = Rochester NY rr.com
75.49.17.139 = AT&T
94.178.170.12 = Ukraine UKR Telecom
95.79.67.201 = Russian Federation
98.67.62.187 = Bellsouth.net Macon, Georgia
98.198.202.128 = Comcast Cable (Texas)
170.51.59.219 = Paraguay
173.22.138.58 = MediaComBB.net
173.35.254.72 = Rogers Cable (Canada)
173.93.133.191 = Columbia, SC RR.com
174.57.49.182 = Comcast Cable
190.64.185.19 = Uruguay
190.209.140.81 = Chile
200.150.42.146 = Brazil

While almost none of the spam is coming from the US, almost all of the website addresses are in the US. That's because the spammers need fast sites that can resolve the webpages quickly for their US based victims, but the speed of their spam is irrelevant.
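As an added illustration (not code from the original post), the two indicators described above, the redirector/landing-page URL pattern and the fast-flux resolution spread, can be turned into simple triage logic. The shortener list, the vsdfile.ru hostname pattern and the resolution records come from the post; the control domain example.net and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Shortener domains named in the post, and the landing page's hostname/path pattern.
SHORTENERS = {"bit.ly", "j.mp", "tinyurl.com", "migre.me", "thesurl.com"}
PHISH_HOST = re.compile(r"^session\d+\.usaa\.com\.vsdfile\.ru$", re.IGNORECASE)
PHISH_PATH = "/inet/ent_chform/"

def classify_url(url: str) -> str:
    """Label a URL pulled from a mail body: 'phish-site', 'shortener', 'tk-redirector' or 'other'."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    # Landing page: random 'session' subdomain under vsdfile.ru with the fixed path.
    if PHISH_HOST.match(host) or (host.endswith(".vsdfile.ru") and parts.path.startswith(PHISH_PATH)):
        return "phish-site"
    if host in SHORTENERS:
        return "shortener"
    # Free .tk domains were the campaign's second redirector layer.
    if host == "tk" or host.endswith(".tk"):
        return "tk-redirector"
    return "other"

def flux_indicators(observations):
    """Summarise (domain, IPv4) resolution records as (distinct IPs, distinct /16 prefixes)
    per domain. Many addresses spread over many networks is the fast-flux signature."""
    seen = defaultdict(set)
    for domain, ip in observations:
        seen[domain.lower()].add(str(ip_address(ip)))
    return {d: (len(s), len({a.rsplit(".", 2)[0] for a in s})) for d, s in seen.items()}

def looks_fast_flux(observations, min_ips=5, min_networks=3):
    """Domains whose resolution history exceeds both thresholds (assumed values)."""
    return {d for d, (n, p) in flux_indicators(observations).items()
            if n >= min_ips and p >= min_networks}

# Sample input: six of the vsdfile.ru resolutions listed in the post, plus a constructed
# control domain that always resolved to a single address.
SAMPLE_OBSERVATIONS = [
    ("vsdfile.ru", "24.115.37.183"), ("vsdfile.ru", "24.177.87.49"),
    ("vsdfile.ru", "24.178.114.105"), ("vsdfile.ru", "67.161.113.88"),
    ("vsdfile.ru", "94.178.170.12"), ("vsdfile.ru", "190.64.185.19"),
    ("example.net", "192.0.2.10"), ("example.net", "192.0.2.10"),
]

if __name__ == "__main__":
    print(classify_url("http://session1007435456.usaa.com.vsdfile.ru/inet/ent_chform/"))
    print(looks_fast_flux(SAMPLE_OBSERVATIONS))
```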
