
USAA Web Services?



#1 saluqi


Posted 20 August 2016 - 11:05 AM

Yesterday I received an E-mail from "USAA Web Services" informing me that someone at an "unknown location" had tried to log into my account (which of course does not exist) and inviting me to click on a link to regain access.  The link was a double-dot HTML file and of course I did not click on it.

 

Am I safe in assuming this is one of the usual malware scams?  USAA purports to be a Texas-based automobile club, but of course I have no way of knowing whether they had anything to do with the subject E-mail message.

 

The subject message is still in my "Deleted" folder, in case anyone wants the details or they should be reported somewhere.  I normally just delete such things, which are a dime a dozen.  Unfortunately I know a number of computer users naive enough to click on such things (and to respond to cold calls from Microsoft, etc.) who sometimes then ask me to fix the resulting damage.  I usually refer them to BC.

 

Should I be reporting these things somewhere?

 

Thanks,

 

EDIT - a brief visit to the legitimate USAA user group site revealed that many versions of this scam have been circulating recently, some at least in the wake of the great Home Depot data breach.  I hardly need to call their attention to it!  The number of different variations is impressive; somebody must be pretty industrious <G>.


Edited by saluqi, 20 August 2016 - 11:14 AM.




#2 Queen-Evie


Posted 20 August 2016 - 12:44 PM

Either a phishing attempt or malware attempt.

 

There are things you can do to determine if a mail is legit or not.

 

Look at the sender address. If it contains an @ followed by a domain ending in a two-letter code, it was sent from a domain outside the United States. An example of this is @uc.cl: cl is for Chile.

 

A legitimate US company, which USAA is, will not be sending mail through a foreign domain.

Each country has a domain code. A good search engine will help you identify the country.

 

You can also hover over the From line in the Inbox to see where the email message was sent from. USAA would likely have an official address such as @usaa.com. If it does not look right to you, then consider it a scam. If it says Hotmail, gmail, or other such domain it is fake.

 

USAA (United Services Automobile Association) is not an automobile club. It is a financial institution which serves members of the military. It offers banking and insurance to them. (One of my family members had an account with them at one time and also got auto insurance with USAA). Headquarters is in San Antonio, Texas, which is where Lackland AFB is located.

 

For more information, see this on the USAA website https://www.usaa.com/inet/wc/security_how_avoid_identify_scams


Edited by Queen-Evie, 20 August 2016 - 12:48 PM.


#3 saluqi


Posted 20 August 2016 - 08:26 PM

Thanks.  Having lived more or less all over the world and having many overseas correspondents I am already slightly familiar with some of the country codes.  I did after the fact realize that USAA was a financial institution.  As I noted in my edit, I did go to the USAA Web site and there noticed "how to avoid identity scams" as well as queries about several variants of the one I received.  Maybe if I'd looked more carefully I'd have understood better what I was dealing with.

 

I am however now somewhat confused.  The message I received was apparently sent from USAA.Web.Services@customermail.usaa.com and addressed to two other individuals besides myself.  Unfortunately I haven't been able to figure out how to examine the actual message header (I am using Outlook 2016).  The message basically says they have blocked online access to my account because of someone else trying to access it from an unrecognized location.  The main trouble with that is that I have never had any account with USAA.  It's possible that my son (same name as myself, he is the 4th, I'm the 3rd) might have an account there - he spent some years in the USMC.  I myself have no military connections.  My father (also same name, the 2nd but not Jr.) was in the Army in both World Wars (long story there) but he died more than 30 years ago.

 

The message basically asked me to download and open a file to update my login information.  The file is called logon.htm.html

 

I have received two previous E-mails purporting to come from USAA.  Both of those were obvious scams - one from "uscyu@multi.net" asking for "personal information updates" and the other from "xxweb@fin.com" asking for a payment.

 

As owner or moderator of several online mailing lists I am fairly accustomed to reading message headers and detecting anomalies therein.  It would certainly be useful for me to be able to do that now - and I suppose I'll be able to Google the answer to how to read headers in Outlook 2016 <G>.  It was never a problem in any of the several previous mailers I've used over the years.  Not so much laziness as sheer shortage of time, that I haven't already figured it out in Outlook.

 

EDIT immediately afterward:

 

I went back to the message in my Deleted folder, double clicked on it and selected "Outlook Properties".  That gave me a box showing "Display name: USAA <USAA.Web.Services@customermail.usaa.com>" and "Email address: <kswedeen@centurytel.com>".  I was also able to view the source code - but still not the headers.

 

Does this in fact mean the message originated with "kswedeen" rather than with USAA?


Edited by saluqi, 20 August 2016 - 08:41 PM.


#4 Smsec


Posted 20 August 2016 - 09:59 PM

The email addresses are likely all false. The header can tell you the IP address of the sending computer but often those computers have been infected with malware and used to send out emails with malware attachments or spam links.

 

There's no legitimate reason for any business to send an html attachment so that's a sure sign it's a phish. You can report phishing to the Anti-Phishing Working Group: http://apwg.org/report-phishing/



#5 saluqi


Posted 20 August 2016 - 10:18 PM

OK, thanks.
 
The headers are as follows: 
 
X-MUNQ: 25796116c1406fa7d02eade598a73fbb
X-MSK: HYD=0.819297005
Status:  U
Return-Path: <xxxxxx@centurytel.net>
Received: from mx-canard.atl.sa.earthlink.net ([207.69.195.164])
by mdl-compact.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1BB6sg6NJ3Nl37e0; Sat, 20 Aug 2016 09:36:56 -0400 (EDT)
Received: from smtp.centurylink.net ([205.219.233.9])
by mx-canard.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1BB6sfR23Nl36s0
for <xxxxx@ix.netcom.com>; Sat, 20 Aug 2016 09:36:55 -0400 (EDT)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=bpgOPwSi c=1 sm=1 tr=0 a=blE+tcismm2j2L9Azu4bUw==:117 a=blE+tcismm2j2L9Azu4bUw==:17 a=9cA053aazHEA:10 a=PqCfyzlyTWAA:10 a=9DvhAHx2yrWFMPxQWpQA:9 a=uDLs4MyHAAAA:8 a=qv3ogJ9zfdaxh_2l-ZIA:9 a=QUp0DWYmWWTqrOW5:21 a=S3kQH9ecObBUTHYc:21 a=qbTcpOf5xp1WOCNh:21 a=_W_S_7VecoQA:10 a=KJq8R4nz-IFbowNEO7Dg:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: a3N3ZWRlZW5AY2VudHVyeXRlbC5uZXQ=
Authentication-Results:  smtp01.agate.dfw.synacor.com smtp.user=xxxxxx@centurytel.net; auth=pass (LOGIN)
Received: from [104.238.136.86] ([104.238.136.86:61963] helo=flnew)
by smtp.centurylink.net (envelope-from <xxxxxx@centurytel.net>)
(ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTPA
id 4B/86-16386-4FC58B75; Sat, 20 Aug 2016 09:36:54 -0400
From: "USAA <USAA.Web.Services@customermail.usaa.com>"
 <xxxxxx@centurytel.net>
Message-ID: <4B.86.16386.4FC58B75@smtp01.agate.dfw.synacor.com>
Subject: Important Security Notice About Your USAA Account
To: xxxxx@yahoo.com
Content-Type: multipart/mixed;
 boundary="=_NextPart_2rfkindysadvnqw3nerasdf";iso-8859-1
MIME-Version: 1.0
Reply-To: xxxxxx@centurytel.net
Date: Sat, 20 Aug 2016 13:36:53 +0000
X-Priority: 3
X-Library: Indy 8.0.25
X-ELNK-Received-Info: spv=0;
X-Authentication-Results: dkim="fail"; (2:no or failed dkim processing); dmarc="none"; (1); dwl="miss"; den="not exempt"
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=bb; sbw=000;
 
Looks as if I will have to learn to read headers all over again.  It's been a while . . .

Edited by Queen-Evie, 20 August 2016 - 11:10 PM.
edited email address


#6 Queen-Evie


Posted 20 August 2016 - 10:59 PM

From: "USAA <USAA.Web.Services@customermail.usaa.com>"
Return-Path: <xxxxxx@centurytel.net>
 
Reply-To:xxxxxx@centurytel.net

This should be a clue. An official reply to: for USAA would not be a centurytel.net address.

It is possible that there is someone with the reply-to address and that it has been spoofed by the scammers. That person would not know about it unless someone actually did reply to that address. Also possible that the scammer set up that address, sent out the mail and deleted the email account.

Smsec is correct that "There's no legitimate reason for any business to send an html attachment so that's a sure sign it's a phish".
A legitimate company would never send such an attachment OR tell you to click a link and enter whatever details they ask for.

At this point, you can report it to USAA and http://apwg.org/report-phishing/ and move on.

Senders of mails like the one you received know that they will be sending it to people who have never done business with/have an account with the company name they are using. What they hope is that it will reach those who DO have a relationship with that company, and there will be among them those who are clueless about this type of thing who will take the bait and fall for it.

Edited by Queen-Evie, 20 August 2016 - 11:12 PM.
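As an added example (not code from the thread or from anyone in it), the following Python script parses the header block posted in #5 and flags the clues #4 and #6 point to: the domain inside the From display name versus the real address, Reply-To and Return-Path on a third-party domain, the DKIM fail / DMARC none results, and an HTML double-extension attachment name. The embedded sample is a trimmed, constructed copy of the posted headers, redactions included.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the header block posted in #5, with the
# same redacted (xxxxxx) local parts. Only the lines the checks below use are kept.
SAMPLE_HEADERS = """\
Return-Path: <xxxxxx@centurytel.net>
From: "USAA <USAA.Web.Services@customermail.usaa.com>"
 <xxxxxx@centurytel.net>
Subject: Important Security Notice About Your USAA Account
Reply-To: xxxxxx@centurytel.net
X-Authentication-Results: dkim="fail"; (2:no or failed dkim processing); dmarc="none"; (1)
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if there is none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw_headers):
    """Return human-readable clues that the message is not from the sender it claims."""
    msg = message_from_string(raw_headers)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # The display name may itself carry an address (the "USAA <...@usaa.com>" trick):
    # treat that as the domain the sender claims, and the real address as what it is.
    claimed = re.search(r"@([\w.-]+)", display_name)
    claimed_domain = claimed.group(1).lower() if claimed else from_domain
    if from_domain != claimed_domain:
        findings.append(f"From claims {claimed_domain} but the address is {from_domain}")
    # Reply-To and Return-Path should belong to the claimed domain, not a third party.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != claimed_domain:
            findings.append(f"{hdr} domain {dom} does not match claimed domain {claimed_domain}")
    # DKIM fail / DMARC none: nothing cryptographically vouches for the claimed domain.
    auth = " ".join(msg.get_all("X-Authentication-Results", []) + msg.get_all("Authentication-Results", []))
    for mech, bad in (("dkim", "fail"), ("dmarc", "none")):
        m = re.search(rf'{mech}="?(\w+)"?', auth)
        if m and m.group(1).lower() == bad:
            findings.append(f"{mech}={bad}")
    return findings

def is_suspicious_attachment(filename):
    """True for HTML attachments (post #4) or double extensions such as logon.htm.html."""
    parts = filename.lower().split(".")
    return parts[-1] in ("htm", "html") or len(parts) > 2
```

Running `phishing_indicators(SAMPLE_HEADERS)` yields five findings for the posted message; a mail whose From, Reply-To and Return-Path all sit on the claimed domain and that passes DKIM yields none.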




