[SCAM ALERT 055] – America First Credit Union

7

America First Credit Union is a federally chartered credit union headquartered in Riverdale, Utah, United States. As of January 2020, America First was the sixth largest credit union in the United States in terms of total membership and ninth largest credit union in assets in the U.S.

During our PreCrime internet scout of October 17th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting bank clients.

The Attack

Target:

Customers of America First Credit Union

Possible threats:

  • Phishing campaign – luring customers to the site by sending them a message impersonating America First with a link to the malicious domain.
  • Credential harvesting and financial gain – After luring users to the site, they are asked to login to their America First account using their User ID and password, allowing threat actors to take control of your bank account and steal all your money.

Technical Breakdown

Threat Indicators

  • Malicious domain impersonating login page of America First Credit Union
  • DNS records of malicious domain completely different to America First Credit Union
  • Newly registered site – October 16 2022
  • SSL certificate expires after three months
  • MX record indicates domain may be part of a phishing campaign
  • IP connects to IP address with a lot of malicious activity

Detection and Threat Analysis

The malicious domain americacredit[.]lol has been targeting America First Credit Union (americafirst[.]com), among the largest credit unions in the United States. The malicious domain was created October 16, 2022 and detected by bfore.ai October 17, 2022.

  • The malicious site shows visitors a login page to America Fist Credit Union. The main difference between the legitimate and the malicious site, is that the malicious site’s login page shows a User ID and Password field, whereas the legitimate one only shows a Account Number (User ID) field. Additionally, the malicious site shows the phone number, 1-855-801-2328, whereas the legitimate site simply provides a Contact Us link.
  • The DNS records are completely different to the DNS records of the legitimate website. The main point of interest is that the legitimate domain is registered in the United States, whereas the malicious one is registered in Iceland under an Internet Service Provider located in India. See further details and comparison between the malicious and legitimate domain below.
  • The domain has registered MX records, giving the threat actors the ability to accept and send email messages on behalf of the domain names. It indicates that the threat actors may be setting up the domain to be part of a phishing campaign that leads to the malicious domains.
  • The registered SSL certificate expires after three months indicating malicious intent.
  • The IP address has been blacklisted by SPFBL and UCEPROTECT. While this IP address does not contain any communicating files, when loading the malicious domain, it connects to multiple IP addresses, including 69.16.175.42 (code.jquery.com) which has over 320,000 communicating files (files that present traffic to the IP address), many of them malicious.

DNS Records

Subdomains

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.