We recently encountered certain phish pages targeting the United Services Automobile Association (USAA), a Fortune 500 financial company that offers banking, investing, and insurance to US Military soldiers and their families.

Here is what the fake page looks like:

Default page of fake USAA siteclick to enlarge

It’s highly likely that the URL came from a phishing email; unfortunately, we were not able to get our hands on a sample of it.

Harvested data from whatever one puts under “Online ID” and “Password” are posted back to pin.php, according to the Fiddler finding below:

1st "POST"

Users are then led to this page:

Asks for PINclick to enlarge

 The PIN provided on this page gets posted back to question.php.

2nd "POST"

Clicking the “Next” button opens this page wherein users can supply their secret questions and their respective answers:

Questions and answersclick to enlarge

Data are posted to contact.php.

post-4th

Clicking “Next” opens the last page, which asks for more information that needs “updating”, including full name and date of birth:

more-infoclick to enlarge

Details entered here are then posted back to action.php.

post-4th

Users are then shown the door by redirecting them to the legitimate USAA page one sees when they log out (screenshot below).

A real USAA "log off" pageclick to enlarge

Thankfully, Google Chrome already blocks the aforementioned .biz domain.

With a little more digging, we found that the email associated with the domain usaacoustomersupport(dot)biz is also tied to the following domains, which we’ve already confirmed are inaccessible:

  • usaafdscewvrevre(dot)net
  • usaafewcrvrvrvr(dot)net
  • usaasasadsadsad(dot)net

We’ve also observed the following URL also tied to the same email address:

Fake USAA page hosted on a fake AOL pageclick to enlarge

We’ve also seen other USAA phish pages in circulation such as this example on Phishtank, which appears to have been hosted on a hacked website and has since been taken down (Note: This is unrelated to the pages covered in this blog entry).

USAA phishing scams are seen in the wild, but they’re not particularly common. Our friend, Kimberly, at StopMalvertising wrote a piece similar to this phishing campaign she found in February of this year. Several months later, Oklahoma-based news outlet, KJRH, has reported a similar occurrence.

In case you receive emails claiming to be from USAA, please note that they do not send out emails to their clients, or to anyone for that matter, asking for their information.

Here is a short list of tips to help you steer clear of USAA phishing attempts:

  • Remain aware of phishing cases involving USAA. It’s also good to have their contact details handy in the event of fraud or account compromise.
  • The legitimate USAA website, www.usaa.com, is a verified domain. As such, look for the green box beside its URL on the browser address bar. This site also uses SSL encryption, which means that it uses the https protocol, making it safe to access even over public networks.
  • Ensure that the anti-phishing feature of your Internet browser is enabled. Do this for your antivirus software as well.

Jovi Umawing (Thanks to Chris for the assist)