We have been seeing a wave of USAA phish in the last few months. All of the hooks are similar, e.g. “suspicious activity detected on your account please login”, “Update your records”, etc. The emails have all contained a PDF attachment with a link to a credential harvesting site. In this example we have a PDF attachment prompting the user to get an online document.
Subject: Suspicious Activity Detected
Malicious Domain: aryasanatco.ir
Malicious URI: /cache/mon.html
Attachment: UPDATE SERVICE.pdf
Hovering over the link in the email exposes the credential harvesting site aryasanatco[.]ir/cache/mon.html.
- Always hover over links to see the actual URL
- Avoid the temptation of clicking links on phones. Hackers take advantage of those small screens.
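
The hover check can also be run automatically on the attachment. The following is an added example, not code from the original post: it extracts link targets from a PDF and flags any whose host does not belong to the impersonated brand. The brand allowlist, the sample PDF fragment and the `http://` scheme on the reported URL are assumptions made for the illustration, and only uncompressed link annotations are covered.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand legitimately uses.
BRAND_DOMAINS = {"usaa.com"}

# Matches "/URI (literal string)" in uncompressed PDF link annotations.
# Links stored inside compressed object streams need a real PDF parser.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample: two link annotations, one to the reported site, one benign.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (http://aryasanatco.ir/cache/mon.html) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 650 300 670]\n"
    b"   /A << /S /URI /URI (https://www.usaa.com/) >> >>\nendobj\n"
)

def pdf_link_targets(pdf_bytes):
    """Return every URI action target found in the raw PDF bytes."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
        out.append(raw.decode("latin-1"))
    return out

def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def is_brand_host(host):
    """True only for the brand domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def suspicious_links(pdf_bytes):
    """Link targets whose host is not on the brand allowlist."""
    return [u for u in pdf_link_targets(pdf_bytes) if not is_brand_host(host_of(u))]

def defang(url):
    """Render a URL safely for reports: hxxp scheme, [.] in the host."""
    p = urlsplit(url)
    return url.replace(p.netloc, p.netloc.replace(".", "[.]"), 1).replace("http", "hxxp", 1)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_PDF):
        print("off-brand link in attachment:", defang(link))
```
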