Just this morning I got a phishing email targeting USAA customers:
Dear USAA Customer,
We would like to inform you that we have released a new version of USAA Confirmation Form. This form is required to be completed by all USAA customers. Please use the button below in order to access the form:
Access USAA Confrmation Form
And yes, it had the typical phishing spelling errors. But what was interesting to me was the link from the “Access USAA…” text, which went to http://www.usaa.com.1l1ji.com/<more stuff>. Just for grins, I did an nslookup on 1ji.com, and got back:
Non-authoritative answer:
Name: 1ji.com
Address: 220.127.116.11
Name: 1ji.com
Address: 18.104.22.168
Name: 1ji.com
Address: 22.214.171.124
Name: 1ji.com
Address: 126.96.36.199
All four of those IP addresses are for Google in Mountain View, at least according to IP2Location. But when I did a dig, I got:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12038
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1j1.com. IN A

;; AUTHORITY SECTION:
1j1.com. 10800 IN SOA ns.dreger.de. admin.dreger.de. 2009021802 28800 7200 604800 86400
dreger.de is in Berlin, but there wasn’t much more information. Wish I understood better when there are differences between nslookup and dig. I googled a bit on “10800 IN SOA” but didn’t get any good hits.
Regardless, when I tried to visit the site to see what happened, Firefox conveniently blocked it:
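The tell in that link is the shape of the host name: the real brand domain sits in the subdomain labels while the browser actually connects to the registrable domain at the end. As an added example (not from the original post), here is a small Python check for that lure pattern; the tiny suffix list and brand allow-list are constructed for the example, and real code would use the Public Suffix List (e.g. the tldextract package).

```python
"""Flag links whose host hides a trusted brand domain inside a subdomain,
like www.usaa.com.1l1ji.com in the phishing mail above."""
from urllib.parse import urlsplit

# Constructed mini public-suffix list for this example only; real code should
# load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "co.uk"}

# Assumption: a defender-maintained allow-list of legitimate brand domains.
TRUSTED_BRANDS = {"usaa.com"}


def registrable_domain(host: str) -> str:
    """Public suffix plus one label: 'www.usaa.com.1l1ji.com' -> '1l1ji.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so 'co.uk' beats 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brand_lure(url: str) -> dict:
    """Classify a link by where the trusted brand's name actually sits."""
    host = (urlsplit(url).hostname or "").lower()
    actual = registrable_domain(host)
    # Everything left of the registrable domain is attacker-controlled labels.
    sub = host[: -len(actual)].rstrip(".") if host.endswith(actual) else ""
    # A brand domain appearing as whole labels of the subdomain is the lure:
    # the connection goes to `actual`, not to the brand.
    embedded = next((b for b in TRUSTED_BRANDS if f".{b}." in f".{sub}."), None)
    if actual in TRUSTED_BRANDS:
        verdict = "trusted"
    elif embedded:
        verdict = "lure"
    else:
        verdict = "unrelated"
    return {"host": host, "actual_domain": actual,
            "embedded_brand": embedded, "verdict": verdict}


if __name__ == "__main__":
    # Path is constructed; the host is the one from the phishing link.
    for link in ("http://www.usaa.com.1l1ji.com/confirmation",
                 "https://www.usaa.com/inet/"):
        print(brand_lure(link))
```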
Thanks… I just received this as well and wasn’t sure if it was phishing or not.
Does anyone know of the results of clicking on the link? I did accidentally – web page opened and immediately went to “page cannot be displayed.”
@Troy – I’d clicked through the Firefox warning alert (above), and you go to a site that looks like USAA, which has a form with a bunch of fields to fill in.
Did you inform USAA of this?
@Elizabeth – yes, but they knew about it already.