American Express Phishing Campaign Currently Circulating

By   ISBuzz Team
Writer , Information Security Buzz | Oct 22, 2015 07:00 pm PST

Reports earlier this week from the National Crime Agency has placed a spotlight on the seriousness of cyber attacks, with criminals working around the clock devising increasingly complex ways to steal banking credentials.

Appriver has uncovered a phishing scam, purporting to be from American Express, currently circulating trying to do just this. While phishing campaigns of this nature circulate all the time, what makes this one different is the effort put in to making the site convincing. At the time of writing, this campaign continues to circulate.

“Phishing sites come in a wide range when it comes to how convincing they are. There are certain nuances of a site like images not loading and boxes not lining up that raise red flags that something may not be right. But sometimes there’s a lot of effort an attacker will put in to make a convincing phishing campaign – and this is one.

“As with all phishing campaigns we see, it starts out with an email. The email coming in is informing the user there is a security concern on the account and that future charges to their card may be declined unless they access their account. The message looks pretty convincing compared to most spam and phishing emails. It even contains a notice at the bottom about reporting suspicious emails to

“The key to a convincing looking phishing website is to try and make it look and feel as much like the mimicked site. In this case, the attackers did a pretty convincing job. Things like menu items fading, hovering the mouse over things, and the layout were all very similar to American Express’ actual website. If you are unfortunate enough to try and login to the phishing site, they immediately get the username and password you entered. The username and password are sent plain text in the actual uri GET request and set as cookies in the http header. So as soon as you click login, there’s no going back.

“Now, an attacker could just stop there and redirect the user to the actual website. This is a common tactic with email credential phishing sites. You get an email in that says you need to login to a website to see the attachment, then when you login they just redirect you elsewhere since they already have the credentials. But in the case of this attacker, they are going all out and asking for pretty much everything : date of birth, PIN number, credit card info, etc.

“This is a good example of why a site can’t be trusted just because it looks nice. Yes there are cases where phishing sites are glaringly obvious, but there are these cases where a lot of effort is put in to trick users. In this case it should become pretty obvious it’s a scam when it starts asking for all the other information. But with an attack like this at such a high count, there are unfortunately bound to be people that fall victim.

“Being cautious of any sites asking for information is certainly a step, but also having systems in place to block known phishing sites can prevent the end user from even having to see the page to begin with.”[su_box title=”About AppRiver” style=”noise” box_color=”#0e0d0d”]AppRiverAppRiver’s corporate headquarters is located in Gulf Breeze, Florida, USA, and our Europe, Middle East and Africa (EMEA) headquarters is in Lupfig, Canton Aargau, Switzerland. The Company also has a regional sales office in Northport, New York, USA and we maintain multiple, secure world-class data centers throughout the United States, Europe, and Asia. Our growing 170-member team protects more than 45,000 corporate customers and eight million mailboxes around the world.[/su_box]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x