I’m super impressed with this Phishing email. Its the best I’ve seen and if it weren’t for just a couple of easy-to-fix mistakes it would have scored a perfect 10.00!
Here’s the back story: Target was hacked early last month. That was big news that most people are aware of. My wife and I were even sent new credit cards as a result. But what you might not have heard of was the impressive level of phishing emails that are being sent out now targeting (heh, get it?) these customers. So read along and I’ll dissect this particularly good one using our Olympic, Sochi-style scoring. First, a screen shot of the original email:
Yeah, its a phishing email. So what, you say, right? Digging deeper though its a darn good phish:
This email was forwarded to me from a friend. The friend had just received a new Visa card as a result of the Target hack. Again, so what? Well this friend’s credit card was issued by USAA. So either this phisher A) just got lucky and sent a USAA card member a USAA phishing email or B) based on data that they obtained from the Target hack they knew that this person had a USAA card and crafted a nearly flawless phishing email to everyone with USAA cards.
I think it was B.
Here’s the official Olympic Phishing email score algorithm.
+10.00 For a friggin perfectly targeted attack. Sending a USAA email to a USAA card member right after the Target hack?! Bravo, well done!
-0.00 For zero misspellings and perfect grammar! Phishers always screw up da Engrish. Not this one!
-0.00 For lots of legitimate links within the email. Crafty! Of the eight links within the email seven go to the real USAA web site.
-0.00 For the From: email address being a real USAA address. Man, these guys are good. Usually bad guys use something like “firstname.lastname@example.org” as the From: address and give away their evil identity.
So far its nearly perfect. But alas, with a bit more care they missed the perfect 10.00. This is sort of like getting pissy about ice dancers not having their toe points in perfect alignment. Its a bit nit-pickey I know, but none-the-less its not perfect! (yes, I did watch ice-dancing last night):
-0.25 Small deduction for a horrible phishing domain. I mean, come on now, you’re going after credit cards, spend the time to set up something like http://usaa-accountaccess.igebwayazawa.com. Its the little things!
-0.75 Deduction for poor use of To: email address. This is another easy-one that was sadly missed. You are sending the email correctly so why wouldn’t you populate the To: line with the victim’s real email address? This one was probably what tipped my friend off. The Chinese government attackers (or the NSA for that matter) wouldn’t have dropped the ball on this easy one.
OFFICIAL PHISHY SCORE: 9.00!!
While there were some small issues this phish is certainly good enough for a podium finish as I suspect many a USAA card hold fell for this one.
Feel free to let us know if you’ve received better, with headers intact if possible, as I’d love to see them.