Phish – Credential Harvester

We have been seeing a wave of USAA phish in the last few months. All of the hooks are similar, i.e. “suspicious activity detected on your account please login”, “Update your records”, etc. The emails have all contained a PDF attachment with a link to a credential harvesting site. In this example we have a PDF attachment prompting the user to get an online document.

        Sender: usa-security@whosay.com
        Subject: Suspicious Activity Detected
        Malicious Domain: aryasanatco.ir
        Malicious URI: /cache/mon.html

        Attachment: UPDATE SERVICE.pdf
        MD5: 6abd1f5ecb2c7925ec781d06278f39cc

 


Hovering over the link in the email exposes the credential harvesting site aryasanatco[.]ir/cache/mon.html.
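For mail triage, the same "hover" check can be automated against the PDF attachment itself. The sketch below is an added example, not part of the original post: it pulls every `/URI` link target out of a PDF (including links inside Flate-compressed streams) and flags any whose host is not the impersonated brand's domain. The `BRAND_DOMAINS` allowlist, the function names and the sample bytes are assumptions constructed for illustration; hex-encoded `/URI` strings and encrypted PDFs are not handled.

```python
import re
import zlib
from urllib.parse import urlsplit

BRAND_DOMAINS = {"usaa.com"}  # assumption: hosts the real brand links to
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # literal-string form only
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def pdf_link_targets(pdf_bytes):
    """Return each distinct /URI action target, looking inside Flate streams too."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream is not Flate data (image, font, encrypted)
    urls = []
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo PDF escapes
            url = raw.decode("latin-1")
            if url not in urls:
                urls.append(url)
    return urls


def off_brand_links(pdf_bytes, brand_domains=BRAND_DOMAINS):
    """Return (url, host) for links whose host is not a brand domain or subdomain."""
    flagged = []
    for url in pdf_link_targets(pdf_bytes):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:
            host = ""  # unparseable target: treat as off-brand
        if not any(host == d or host.endswith("." + d) for d in brand_domains):
            flagged.append((url, host))
    return flagged


# Constructed sample: one plain link annotation and one link inside a Flate stream.
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://phish.example/cache/mon.html) >> >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /URI /URI (https://www.usaa.com/) >>")
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for url, host in off_brand_links(SAMPLE_PDF):
        print("off-brand link:", host, url)
```

The suffix match requires a leading dot, so a lookalike host that merely starts with the brand name is still flagged.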

Recommendations

  • Always hover over links to see the actual URL
  • Avoid the temptation of clicking links on phones. Hackers take advantage of those small screens.

Reference

UPDATE-SERVICE.pdf
