Skip to main content

USAA Phish

MIJN Security Partner.
Placotiweg 2K
4131 NL Vianen (Netherlands)

You are the proud hoster of alpacasvomhahnerfeld.de, which resolves to 185.41.127.3. This domain is the landing domain for a phishing email targeting USAA members.

 "Dear Customer,

Your account has been locked due to an update in our security features, we were unable to update your account. For your protection, online access to your account will remain locked until we properly verify your identity.

To re-instate your access, view your account below to start the update process."

Good try. You even go as far as embedding USAA content (usaa.com) into the email. There is even a twitter.com link, of all things. Very good try.

 Farther down in the email you try to distance yourself from pretending to be the USAA:

"USAA means United Services Automobile Association and its insurance, banking, investment and other companies . Banks Member FDIC."

The email "from" is "foi at gkclasses.com" which is entirely irrelevant.Except that the email originated out of 104.239.173.146, which is a Rackspace IP (hoster of gkclasses.com).

This was the weakest phish I've seen in a long time. If this was you, Bearded Michiganite and neighbor of the beast, then I am disappointed. That AMEX phish you did was a Rembrandt compared to this rubbish.

Received: from [104.239.173.146] ([127.0.0.1]) by gkclasses.com with Microsoft SMTPSVC(7.5.7601.17514);
Wed, 1 Mar 2017 14:03:18 +0000
boundary="===============1676980232=="

There was even a facebook link: USAA?EID=3D87909-0411_body haha. 

What does Status=CONNECT mean at ICANN though? That's pretty clever. 

Popular posts from this blog

THE RISE OF FASCIST SOCIAL MEDIA

The Merriam-Webster dictionary defines fascism as: a tendency toward or actual exercise of strong autocratic or dictatorial control .  The phrase "dictatorial control" is important for the case that I am going to make about fascism in social media. The word "dictatorial" means "of or relating to a dictator," and a dictator is "one ruling in an absolute and often oppressive way." In 2020, social media has seen a rise in the number of autocratic events of censorship. The two social media outlets that I am going to focus on are Facebook and Twitter.  Background Facebook is a semi-private curated blogging platform where you, the user, share information at your leisure. The public part of Facebook is in Facebook Groups. With a group, outside people who are not privy to your "Facebook Wall" will join your group and establish a communal discourse. This can be private, by invitation only, or public. The Facebook is auth-walled so that you must
Read more

DNS Custom Logs and selinux

If you google "named custom logs selinux" you will find quite a bit of chatter about setting up custom logs outside of /var/log for DNS (named). These posts are interesting, but they tend to be run on posts about learning selinux and becoming an expert on named. What you need to know? If you have setup custom logging locations in your /etc/named.conf file, such as:     channel default_file {         file "/var/log/named/default.log" versions 3 size 5m;         severity dynamic;         print-time yes;     }; Then you will likely see errors like this in /var/log/messages: Oct 26 11:41:13 namedsvr setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named/chroot/var/log/named. For complete SELinux messages. run sealert -l 6eab4aaf-e615-4ade-9e88-4efdc789eaf2 Then you run the sealert command as suggested by the very friendly selinux audit log and you are told: #============= named_t ============== #!
Read more

Outlook Configuration

To read all email in text and be able to extract the mail using mail headers: > regedit HCU/Software/Microsoft/Office/16.0/Outlook/Options/Mail   MinimalHeaderOn = 0 (dword)   ReadAsPlain = 1 (dword)   SaveAllMIMENotJustHeaders = 1 (dword) restart Outlook afterwards, maybe even reboot just for good measure. Now you get to see all of those phishy urls in the emails and you can get all of those embedded image attachments as raw encoded binary when you get the header details on the message. Put the Message Options button in the hot button task bar so you can quickly get this info. No more phishy phish from the numbskulls. I take payment in coffee. It's been a long time since I've had Jamaica Blue Mountain. Just saying. If you know how to disable the jpeg thumbnail render of attachments, please share on twitter. That's an obvious vector.
Read more