USAA Masquerades Found!

An in-depth investigation into USAA masquerading websites using various cybersecurity tools.

Intro:

This post documents my research into searching for websites masquerading as a USAA website. This is written for my fellow analysts and research enthusiasts. It shows my thought processes during this research. For the target audience, I hope this content may add value to a future endeavor of yours.

I show all the links I use, so we can work this together. We start off with a base search. We identify patterns. We check if we can find anything to pivot off of to find more similar activities.

Getting Started:

Here’s the base search:

https://urlscan.io/search/#domain%3Ausaa-*

Then, we want to find one that actually looks like a masquerade; we go through many and find suspicious domains like the following:

https://whois.domaintools.com/usaa-services.com

https://whois.domaintools.com/usaaonlinesecurity.com

https://whois.domaintools.com/usaa-secure-portal.com

And we compare them to the original:

https://whois.domaintools.com/usaa.com

We look for registrant differences to determine whether a domain is related to the original. The registrant info is different, but the sites don’t appear to be serving anything right now, so they’re not good examples at the moment.

After skimming that, we go to the following suspicious masquerade result:

https://urlscan.io/result/5455f89e-2923-40cb-9d6e-2e0794cf6bc8/#summary

Reviewing the HTML at https://urlscan.io/responses/3455c2661176ace3cbf64df63d2d6f826f4685bd8bc9209ead56730c10f81259/, we can see that it appears to be a simple form submission that posts your credentials to /vts/index.php, as seen below.

It would be interesting to see if there are any steps they take to handle MFA.

This domain is no longer up, so we cannot analyze that.

We can pivot to find similar entries. I normally like to find an image, and search for other scans that use the same image path or hash. However, it looks like they’re using inline SVGs as explained here: https://developer.mozilla.org/en-US/docs/Web/SVG/Tutorial/SVG_In_HTML_Introduction.

It looks like we might be able to pivot off the CSS and the font.
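The two pivots above (the form action the page posts to, and the hashes of the CSS and font the page loads) can be pulled out of a scan's saved HTML mechanically. The following Python script is an added example, not code from the post or from urlscan; the HTML and CSS it parses are constructed stand-ins modelled on what the post describes, and the assumption that urlscan's hash: search takes the SHA-256 of the response body is mine (the 64-hex-character hashes in the post are consistent with that).

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample of a credential-harvesting page, modelled on the behaviour
# described in the post: a plain form posting to /vts/index.php, inline SVG
# artwork instead of image files, an external stylesheet and a WOFF font.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/css/login.css">
<style>@font-face{font-family:'B';src:url('/assets/fonts/brand.woff') format('woff');}</style>
</head><body>
<svg viewBox="0 0 10 10"><rect width="10" height="10"/></svg>
<form method="POST" action="/vts/index.php">
<input name="username"><input type="password" name="password">
</form>
</body></html>
"""

# Constructed stand-in for the stylesheet body. In a real investigation the
# bytes come from the urlscan "responses" view of the scan.
SAMPLE_CSS = b"body{font-family:'B';} .login{width:320px;}"

# Font file references inside @font-face src: url(...) declarations.
FONT_URL_RE = re.compile(
    r"url\(\s*['\"]?([^'\")]+\.(?:woff2?|ttf|otf))['\"]?\s*\)", re.I)


def extract_font_urls(css_text):
    """Return font file URLs referenced by @font-face rules in CSS text."""
    return FONT_URL_RE.findall(css_text)


class PivotExtractor(HTMLParser):
    """Collect the artefacts worth pivoting on from a scanned page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []   # (method, action) pairs: where credentials go
        self.stylesheets = []    # external CSS to fetch and hash
        self.font_urls = []      # fonts referenced from inline <style> blocks
        self.inline_svg = False  # inline SVG means no image hash to pivot on
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append((a.get("method", "GET").upper(), a.get("action", "")))
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet":
            self.stylesheets.append(a.get("href", ""))
        elif tag == "svg":
            self.inline_svg = True
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.font_urls.extend(extract_font_urls(data))


def extract_pivots(html):
    """Parse a page and return the pivot candidates found in it."""
    p = PivotExtractor()
    p.feed(html)
    return {
        "form_actions": p.form_actions,
        "stylesheets": p.stylesheets,
        "font_urls": p.font_urls,
        "inline_svg": p.inline_svg,
    }


def response_hash(body):
    """SHA-256 hex digest of a response body (assumed to be what urlscan's hash: search keys on)."""
    return hashlib.sha256(body).hexdigest()


def urlscan_hash_search(body):
    """Build the urlscan search URL for every scan that served this exact body."""
    return "https://urlscan.io/search/#hash%3A" + response_hash(body)


if __name__ == "__main__":
    pivots = extract_pivots(SAMPLE_HTML)
    print("form actions :", pivots["form_actions"])
    print("stylesheets  :", pivots["stylesheets"])
    print("fonts        :", pivots["font_urls"])
    print("inline svg   :", pivots["inline_svg"])
    print("CSS pivot    :", urlscan_hash_search(SAMPLE_CSS))
```

The form action is the value to watch for in your own web logs; the stylesheet and font URLs are the resources to fetch from the scan's response list and hash, and the resulting search URL lists every other scan that served byte-identical content, which is exactly the kind of pivot the CSS and WOFF searches in this post rely on.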

A pivot off the CSS returns this here:

https://urlscan.io/search/#hash%3Ad0f5dd07fe7b53b736ed531de7e63b79a318d7dabdab1950fff9e89dfc560f8b

This one here looks like an earlier iteration:

https://urlscan.io/result/beac3840-26f3-4ecc-97bc-c77f60a1f7e0

It also posts to the same resource as seen below:

Unfortunately, it is also down.

Same thing here: https://urlscan.io/result/c9cda479-2b81-430e-a5ab-e66e6709a832/

Except that the form submission path is slightly different:

This has been cool, but we’ve run out of pivots. I circled back and checked the font here: https://urlscan.io/search/#hash%3A8ca92c098205eebe75921badb282e0219fba6b69f74f71a06afc6e4521462ecf

This one is pretty cool because it shows that the legitimate USAA website uses it. The results also show that obvious masquerades are using it.

This should be fruitful!

I checked the first obvious masquerade here https://urlscan.io/result/073a6685-b9b6-4886-98c5-d09deb35cddc/ and observed the result below.

This result is interesting because I’ve seen a lot of tags with @ecarlesi, but I’ve never researched who that is. It’s important to remember that somebody had to have previously observed something malicious or suspicious for it to be in urlscan. It looks like Emiliano Carlesi used to be on Twitter, but got suspended in May of 2023, and he moved his works to urlscan (as written here: https://carlesi.vg/2023/05/22/no-more-twitter/). He’s got this one tagged as “usaa_help” so it would be interesting to see what else he’s tagged as that.

He’s got 40 scans tagged with that, as seen here: https://urlscan.io/search/#task.tags:%22usaa_help%22.

I returned to the WOFF pivot here: https://urlscan.io/search/#hash%3A8ca92c098205eebe75921badb282e0219fba6b69f74f71a06afc6e4521462ecf, and checked the next result here: https://urlscan.io/result/81e0ae00-8723-4a0b-92fc-624cfb630443/.

It looks like it might not be related to the other previous results (based on the different submission path):

One thing I thought was interesting was the 99 similar pages as seen below.

Wowzers! Pivoting on the WOFF file turned out to be the jackpot.

Where to go from here?

At some point in the near future I will be looking into finding the most efficient way to report these results, and get them added to phishing lists.

How can an analyst take action on this knowledge?

You could take action on this by repeating the steps to find other results. You could add the domains to a blacklist or block list. You could also monitor for suspicious posts to the observed URI paths such as the pseudo query below:

sourcetype=web method=post uri_path=("*vts/index.php" OR "*verification/index.php" OR "*assets/grabber/userlogin.php")

Monitor for requests to URI paths that end with the observed path endings such as the pseudo query below:

sourcetype=web method=get uri_path=("*/usaa/" OR "*/myusaa/" OR "*/usaaonline/")

You could also monitor for new urlscan scan results with a query such as this one: https://urlscan.io/search/#page.url%3A(*%5C%2Fusaa%5C%2F%20OR%20*%5C%2Fmyusaa%5C%2F%20OR%20*%5C%2Fusaaonline%5C%2F)
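The two pseudo queries above and the urlscan monitoring query are the same indicator list applied in two places: your own web logs and urlscan's scan feed. The Python below is an added example, not part of the post and not a Splunk or urlscan product; it runs the POST-path and GET-directory checks over a few constructed key=value proxy log lines (the hosts are made-up .invalid names), skips first-party usaa.com traffic to avoid alerting on the legitimate site (my own addition to the post's queries), and builds the urlscan page.url search URL from the same path endings so the encoding is never done by hand.

```python
import re
from urllib.parse import quote

# Submission paths and landing-directory endings observed in the post.
POST_PATH_SUFFIXES = ("vts/index.php", "verification/index.php", "assets/grabber/userlogin.php")
GET_DIR_SUFFIXES = ("/usaa/", "/myusaa/", "/usaaonline/")

# Constructed web-proxy log lines; not from any real environment.
SAMPLE_LOGS = """
method=GET host=www.usaa.com uri_path=/ status=200
method=POST host=login-example.invalid uri_path=/vts/index.php status=302
method=GET host=cdn-example.invalid uri_path=/site/myusaa/ status=200
method=POST host=shop-example.invalid uri_path=/cart/checkout.php status=200
method=GET host=www.usaa.com uri_path=/usaa/ status=200
method=POST host=other-example.invalid uri_path=/assets/grabber/userlogin.php status=200
"""

LOG_RE = re.compile(r"method=(?P<method>\S+)\s+host=(?P<host>\S+)\s+uri_path=(?P<path>\S+)")


def parse_log(line):
    """Return the method/host/path fields of one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_first_party(host):
    """The legitimate site is usaa.com; suffix-check on a dot so notusaa.com does not pass."""
    return host == "usaa.com" or host.endswith(".usaa.com")


def classify(entry):
    """Name the indicator an entry matches, or None when it is benign."""
    if is_first_party(entry["host"]):
        return None
    method, path = entry["method"].upper(), entry["path"]
    if method == "POST" and path.endswith(POST_PATH_SUFFIXES):
        return "credential_post_path"
    if method == "GET" and path.endswith(GET_DIR_SUFFIXES):
        return "masquerade_directory"
    return None


def find_hits(log_text):
    """Run both checks over a block of log text and return (host, path, indicator) tuples."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            hits.append((entry["host"], entry["path"], tag))
    return hits


def urlscan_page_url_query(dir_suffixes):
    """Build the urlscan search URL for page.url wildcard matches on the given path endings.

    urlscan's query syntax needs '/' backslash-escaped, and the whole query is then
    percent-encoded into the URL fragment; parentheses and '*' stay literal.
    """
    terms = " OR ".join("*" + s.replace("/", "\\/") for s in dir_suffixes)
    return "https://urlscan.io/search/#" + quote("page.url:(" + terms + ")", safe="()*")


if __name__ == "__main__":
    for host, path, tag in find_hits(SAMPLE_LOGS):
        print(f"{tag:22s} {host} {path}")
    print(urlscan_page_url_query(GET_DIR_SUFFIXES))
```

The generated urlscan URL is character-for-character the monitoring query given in this post, so extending the indicator list in one place updates both the log check and the urlscan watch. Note that the GET-directory check is the noisier of the two; the POST paths are specific to the kits seen here and make the better alert.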

Summary:

In this post we discussed ways that a researcher could find masquerading sites using a base search. We discussed methods to pivot to find other masquerading sites. Finally, we discussed how an analyst can check their environment for similar activity. Best of luck to you in your future searches.
