The United Services Automobile Association, or USAA, is one of the largest financial institutions in the U.S. offering services to U.S. military personnel and their families. Like any financial institution, they are also exploited by cybercriminals in phishing campaigns. It’s so common, in fact, that our AppRiver security research team see these campaigns frequently. Our team has noticed a steady rise in spam blasts involving USAA in an attempt to defraud their customers. One such campaign is shown in the below screenshot.


This particular USAA phishing blast informs the recipient that a pending transaction requires an additional verification process. The email presents a link for the recipient to complete the transaction. Visually, the spoofed email looks just like a typical USAA message. During our investigation, however, we found several red flags that proved otherwise. The URL provided goes to an exploited website which at the time of this writing has been taken down. The email also contains the usual discrepancies found in many phishing campaigns like a rogue sending IP, spoofed sender address, etc. The email in question has also failed some of our SecureTide automated malware tests.

This campaign most likely seeks to obtain personal information from USAA customers for financial theft purposes. Multiple rules have been coded to block this variant and have currently caught around 3600 emails.

Just last week alone, we’ve seen over a handful of other USAA phishing blasts with various payloads. Below is a screenshot of another campaign that we began tracking last week.


This email also visually appears to be legitimate, but the grammatical errors within this message are suspicious. That, coupled with the usual phishing discrepancies and rogue URL, confirmed this also was a spam email. At the time of this article being written, SecureTide has quarantined 2700 emails. As always, AppRiver’s SecureTide customers are protected.


shutterstock_163066760It’s no secret that ransomware has been circulating at a fever pitch on the web as of late. Locky remains the most prolific despite the fact that new variants of ransomware being discovered with greater regularity. This morning we have been monitoring a campaign attempting to distribute Locky to millions of unsuspecting users. We have already quarantined over 3 million emails this morning associated with several different variations attempting to spread Locky. Lately, they seem to have taken a “less is more” approach to their attacks. Most messages have very little aside from some generic phrases along with an attachment, in this case a macro-enabled document. These are also being spoofed to appear to have come from a user at the same domain as the recipient and are posing as a scanned document.

The following is an example of this morning’s traffic:


Once infected, all of the users files are encrypted. This is followed shortly after by a prompt to pay the ransom. Though some current ransomware variants have corresponding tools online to help the victims decrypt their files, none seem to be a viable solution to this threat. A good backup strategy can save you from having to pay the ransom in these attacks. However, we have seen some recent ransomware variants such as CryptXXX that are also stealing the sensitive data in addition to encrypting and this is a trend that we expect to see continue in the future.

Here are a few steps you can take to limit the potential impact of ransomware

  • Maintain several robust layers of prevention
  • Consider banning macro-enabled files throughout your organization
  • No matter how innocuous a message may seem, never open an attachment in an unsolicited email –regular user training to improve
  • Keep regular hot and cold backups

This week’s Threat Thursday focuses on a phishing email blast that our AppRiver security research team is monitoring. The campaign attempts to impersonate a job notification email from, a job listing website.


The email informs the recipient that there is an exciting job opportunity listed on and provides a link to view additional information. The URL redirects to a non-Monster website with the job listing. The listing is for a Mystery Shopper, someone who gets paid to shop at and provide reviews on local stores. The job states that a mystery shopper can receive compensation of $500 per assignment plus reimbursement for any items purchased during an assignment. The website has a form provided for the recipient to fill out in order to apply. This form is used to phish information, like social security numbers, from victims.


There’s not much to this phishing campaign. Both the email and website have a no-frills appearance to them and there wasn’t much variation between the sample messages we came across. We did note several inconsistencies during our brief investigation of this campaign including the sending SMTP server, URL, email formatting etc. Our SecureTide spam filter has quarantined around 4,000 of these messages and will continue to monitor for new variants.

With the imminent release of the iPhone 7, consumers and media outlets alike have been casting their predictions on what’s in store for Apple’s latest smartphone. Rumors and unverified “leaked” images of the mobile device continue to circulate on the Internet. It’s no wonder that cybercriminals seek to take advantage of this golden opportunity by offering consumers a “free iPhone 7.”


This week’s Threat Thursday takes a look at a recent spam campaign featuring Apple’s iPhone 7. The campaign attempts to sell itself as a product test invite for the latest smartphone device. The recipient receives an email offering a chance to test drive a new iPhone 7. Curiously, the email informs the recipient that around 50,000 users will be allowed to test the device in a random lottery-like selection. The email instructs the user to click on the provided link to answer a short survey in order to qualify. And of course, a fake iPhone 7 product test offer wouldn’t be complete without an unofficial photo of the device itself as seen in the screenshot above.

It shouldn’t take too much to spot this as spam. For starters, Apple is known to be very tight-lipped with unreleased products and services. It would be huge change in direction for them to: a) do a mass product test of a new iPhone device, and b) announce such a test via an email blast. We also noticed some irregularities with the email’s source IP, from address and subject line. Coupled with several grammatical errors in the email and you have a not-so-convincing spam email. Better luck next time for these cybercriminals.

AppRiver’s SecureTide engine has several rules in place actively blocking this campaign from reaching our clients. So far over 7,300 emails have been caught and quarantined.


Hurricane season is among us in the southeastern United States. With email being such an essential part of business, you can’t afford for your mail server to go offline–even if it was because of a catastrophic storm. Even if you don’t live in area that is in threat to many natural disasters, power outages and routine server maintenance can leave you without mail. With Email Continuity Service from AppRiver, your email stays within reach at all times from any device, regardless of what happens in the world around you.


With ECS, your mail first passes through our SecureTide spam and virus filters to protect your network, and then delivered to your server. The process is instantaneous, and a copy of your email is stored on the ECS server for 30 days. So whether a disaster happens–or a power outage thanks to your neighbor flying his drone flying into a power line–email is still available from the past month. Additionally, AppRiver will store your new inbound messages so your customers don’t receive any bounced messages while your server is offline–and you can access these messages from any device.

Ready to start your free 30 day trial of ECS? Visit to learn more.