Wednesday, May 21, 2014

Anatomy of a phish

As an aside, USAA is aware of several phishing campaigns and has warned members against this type of attack for several months. It's not new, and USAA has taken steps to inform members. My intent is to go deeper into what the attacker is trying to do, show how they do it, and to show that it can be difficult or impossible to know you are being scammed if you ignore the early warning signs..

Today I received an email purporting to be from USAA, stating that I had a new message waiting for me in the secure message center. I and others in my family do in fact have business with USAA, so it is not unexpected to receive correspondence from them - and so this particular phishing attempt was of interest to me. The format of the email even closely resembled the way USAA formatted such messages several years ago (though they have since changed the format to be harder to replicate without knowing some additional things about the member).

There were a few red flags however. The first was that the format did not match that of authentic messages I have received lately. I won't reproduce an authentic message here because while it is easy enough to find, I don't want to help someone improve a phish. 

The next flag was the email address.  My email client showed the complete email address instead of just the title, so the fraudulent domain was obvious, but in other clients you may have to hover over the address to see the expanded full email. Keep in mind that it is quite easy to spoof an address - it is in essence a postal envelope, with no guarantee that the sender wrote their actual address in the return field. But in this case it's a dead giveaway.

The third flag is the link in the message. The genuine USAA domain is, not Note how the scammer was kind enough to use https - it's secure! Right. I can securely connect to them without fear that some other scammer is eavesdropping. This one was relatively easy to detect, but the phisher could have chosen a character that more closely resembled a "dot." In fact, with multilingual domain name support beginning about 10 years ago, an attack known as an "IDN Homograph Attack" using visually identical characters from another character set, you could not tell by looking that it was a fraudulent link. Hence the recommendation to TYPE the known link into your browser instead of clicking a link in email. 

But that's all fairly straightforward. I was curious about what the attacker was after. Not curious enough to click the link from my main computer, but curious enough to poke around. First stop: use wget (a command-line "browser" that only retrieves the web page but cannot display or run anything). The DNS record for had already been taken down, so I had to look at some historical DNS to find the IP address, and then run my wget query with that. After inspecting the downloaded content, it had no malware nor any executable content - it was simply a spoofed message inviting me to improve my bank security, so I then rendered it in a browser on a virtual machine:

Oddly, every single link pointed to - even the obligatory "contact us / unsubscribe / change your email" links at the bottom (not shown above). Surely the attacker doesn't want me to click that link, do they? Another red flag :-)

Following the same process to download and inspect the contents of that link, again no malware but this time the end result is a disturbingly convincing login page for what appears to be It is disturbingly convincing because it is an exact replica, even loading images and formatting scripts from the genuine site. Only the submit handler is changed.

Filling out the username and password (with bogus values of course) brings up an accurate replica of the PIN entry page:

This is followed by a page asking for my "security questions"

After going through the entire process (again, with bogus information), I am finally deposited onto the logout page at the authentic USAA web site. If I did not know better, I might assume I has successfully added a layer of security to my bank account and then logged out, when in fact I have just given an attacker everything they need to defraud me (with one very strong caveat: two factor authentication, which I do have enabled, defeats this. Had I been fooled, the attacker would have my login information, but would still be unable to complete the 2FA verification).

The moral? Scammers are very good at mimicking the genuine article. If you don't pay attention to red flags at the beginning, there may be no more warnings that you are falling into a trap.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen