The United Services Automobile Association, or USAA, is one of the largest financial institutions in the U.S. offering services to U.S. military personnel and their families. Like any financial institution, it is also exploited by cybercriminals in phishing campaigns. It’s so common, in fact, that our AppRiver security research team sees these campaigns frequently. Our team has noticed a steady rise in spam blasts that use the USAA name in an attempt to defraud its customers. One such campaign is shown in the screenshot below.
This particular USAA phishing blast informs the recipient that a pending transaction requires an additional verification process. The email presents a link for the recipient to complete the transaction. Visually, the spoofed email looks just like a typical USAA message. During our investigation, however, we found several red flags that proved otherwise. The URL provided goes to an exploited website, which at the time of this writing has been taken down. The email also contains the usual discrepancies found in many phishing campaigns, such as a rogue sending IP and a spoofed sender address. The email in question also failed some of our SecureTide automated malware tests.
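The red flags named above (spoofed sender address, rogue sending IP, link to a non-USAA site) can be checked mechanically. The following Python sketch is an added example, not AppRiver or SecureTide code; it assumes `usaa.com` is the brand's legitimate domain, and the sample message, hosts and IP address are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAIN = "usaa.com"  # assumption: the brand's legitimate mail/link domain

# Constructed sample; hosts and IP are documentation placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.45])
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net
From: USAA <security@usaa.com>
Subject: Pending transaction requires verification
Content-Type: text/html

<p>Please <a href="http://compromised-site.example/verify">verify</a>.</p>
"""

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def red_flags(raw, brand=BRAND_DOMAIN):
    msg = message_from_string(raw)
    if not in_domain(addr_domain(msg.get("From")), brand):
        return []  # message does not claim to come from the brand
    flags = []
    # Spoofed sender: visible From says brand, envelope sender does not.
    env = addr_domain(msg.get("Return-Path"))
    if not in_domain(env, brand):
        flags.append("envelope sender outside brand domain: " + env)
    # Rogue sending IP: SPF verdict recorded by the receiving MTA.
    # Only trust an Authentication-Results header added by your own gateway.
    auth = (msg.get("Authentication-Results") or "").lower()
    if re.search(r"\bspf=(fail|softfail)\b", auth):
        flags.append("SPF did not pass for the sending IP")
    # Rogue URL: any link whose host is not under the brand domain.
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r'href="([^"]+)"', body, re.I):
        host = urlparse(url).hostname
        if not in_domain(host, brand):
            flags.append("link leaves brand domain: " + str(host))
    return flags
```
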
This campaign most likely seeks to obtain personal information from USAA customers for the purpose of financial theft. Multiple rules have been coded to block this variant and have so far caught around 3600 emails.
In the last week alone, we’ve seen more than a handful of other USAA phishing blasts with various payloads. Below is a screenshot of another campaign that we began tracking last week.
This email also appears visually legitimate, but the grammatical errors within the message are suspicious. That, coupled with the usual phishing discrepancies and rogue URL, confirmed that this was also a spam email. At the time of writing, SecureTide has quarantined 2700 emails. As always, AppRiver’s SecureTide customers are protected.