Nov 2, 2010 08:40 GMT

A new, aggressive phishing campaign targets USAA customers via emails that pose as important notifications from the financial services provider.

According to Gary Warner, director of research in Computer Forensics at the University of Alabama at Birmingham (UAB), the relatively sophisticated attack is the work of the Avalanche gang.

Avalanche is a notorious cybercriminal group that was responsible for as much as two thirds of all phishing attacks recorded during the second half of 2009.

Even though recent information suggests that the gang is moving into the botnet business, it seems that it hasn't given up on phishing completely.

This latest operation targeting USAA, a company offering financial services to current and former military personnel and their families, uses a wide variety of subjects for the fake emails.

"USAA: important information", "USAA: important message", "USAA: service message", "USAA: urgent security notification", "Important security alert from USAA" and "Enhanced online security measures" are just a few examples.

"Dear USAA Customer, we would like to inform you that we have released a new version of USAA Confirmation Form.

"This form is required to be completed by all USAA customers. Please use the button below in order to access the form," the phishing messages read.

The button is labeled "Access USAA Confirmation Form," but it does not lead to the phishing pages directly.

Instead, attackers use hundreds of redirect links, many of which are generated through URL shortening services, while others are free .tk domains.

The fake landing pages hosting the form all sit under the vsdfile.ru domain, but their URL varies and takes the form session[random_number].usaa.com.vsdfile.ru/inet/ent_chform/, so that the legitimate usaa.com name appears as a subdomain of the attacker-controlled domain.
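The hostname trick described above (the real brand domain embedded as a subdomain of the attacker's registrable domain, prefixed with a session[number] label) is something a mail or proxy filter can check for. The following is an added example written for this article, not code from UAB or Softpedia; it assumes a constructed list of protected brand domains and a simplified two-label rule for the registrable domain.

```python
import re
from urllib.parse import urlsplit

# Brand domains to protect (constructed list for this example).
PROTECTED_DOMAINS = {"usaa.com"}

# Host prefix reported for this campaign: session<random number>.
SESSION_HOST_RE = re.compile(r"^session\d+\.", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'vsdfile.ru'.

    Assumption: a two-label public suffix. A production filter should
    consult a public-suffix list so that names such as 'example.co.uk'
    are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Flag URLs whose host embeds a protected brand domain as a
    subdomain of some other registrable domain (brand spoofing), and
    note whether the host also carries the campaign's session<N>. prefix."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    registrable = registrable_domain(host)
    spoofed_brand = None
    for brand in PROTECTED_DOMAINS:
        # ".usaa.com." occurs inside ".session123.usaa.com.vsdfile.ru."
        # but the registrable domain is vsdfile.ru, not usaa.com.
        if ("." + brand + ".") in ("." + host + ".") and registrable != brand:
            spoofed_brand = brand
    return {
        "host": host,
        "registrable_domain": registrable,
        "spoofed_brand": spoofed_brand,
        "session_prefix": bool(SESSION_HOST_RE.match(host)),
        "suspicious": spoofed_brand is not None,
    }
```

Because the check keys on the registrable domain rather than on a literal host, it also catches the same embedding under any other attacker domain, not just vsdfile.ru.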

Furthermore, vsdfile.ru uses fast-flux hosting, meaning that it quickly switches between multiple IP addresses located in countries such as the US, Canada, Ukraine, Russia, Paraguay, Brazil, Uruguay, Chile and others.

All of these techniques are meant to make it harder for researchers to interfere with the attack and for anti-spam filters to block the emails.

"Although the spam is coming from all over the world, of 309 computers which have sent a copy of this spam to the UAB Spam Data Mine so far, 77 of them are in Russia, 40 in Ukraine, 29 in India, 18 in Brazil, and 12 in Belarus. The single largest sending ISP is URKTelecom in Ukraine," Gary Warner notes.