American Express Phishing Campaign making rounds

January 4, 2019

SonicWall Capture Labs Threat Research team has observed a new variant of the American Express phishing campaign. It starts with a phishing email pretending to come from American Express Fraud Protection Services, which asks the user to open the attached PDF document to verify their account information. A phishing link in the PDF takes the user to an attacker-controlled web page that looks exactly like the American Express site. In last week's phishing campaign, an HTML form was used instead of a phishing web page.

Although the sender address in this campaign does not belong to American Express, the display name simply reads "American Express". The actual sender address is "Americ@centralcomwireless.com", i.e. the sending domain is centralcomwireless.com. The subject line reads "Urgent: Request for information", and the PDF payload is attached as "Secure Document.pdf".

A snapshot of the attached PDF is shown below; it asks the user to click on the phishing URL to verify the account activity.

"Click here" first goes to "hxxp://tresriosimoveis.com.br/quemsomos/index.html" and is then redirected to the phishing web page. "tresriosimoveis.com.br" appears to have been compromised by the attackers and is used only for redirection.

Index.html contains only the meta refresh tag pasted below, which redirects the browser to the specified URL. The target URL also appears to be updated by the attacker, as we have seen it change between visits.

<meta http-equiv="Refresh" content="0; url=https://plantsok.ga/infox/index.html">
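To see how a link in the PDF leads to the phishing page, here is an added example (not SonicWall's code or tooling) that pulls /URI link actions out of raw PDF bytes and then follows meta-refresh hops the way a browser would, entirely offline. The PDF fragment and the two page bodies are constructed stand-ins keyed on the URLs from this campaign; `fetch` is a dictionary lookup here and would be an HTTP fetch from a sandbox in practice.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the attached PDF: a minimal, uncompressed PDF fragment with one
# link annotation whose /URI action points at the first hop described above.
# This is not the real "Secure Document.pdf".
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 200 720]
  /A << /S /URI /URI (http://tresriosimoveis.com.br/quemsomos/index.html) >> >> endobj
%%EOF
"""

# Constructed stand-in for the two web pages, so the chain can be followed offline:
# the compromised redirector (meta refresh only) and the phishing landing page.
FAKE_WEB = {
    "http://tresriosimoveis.com.br/quemsomos/index.html":
        '<html><head><meta http-equiv="Refresh" '
        'content="0; url=https://plantsok.ga/infox/index.html"></head></html>',
    "https://plantsok.ga/infox/index.html":
        '<html><body><a href="#">Home</a><form action="indxp.html">Log In</form></body></html>',
}

# /URI ( ... ) literal string; handles escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def pdf_link_uris(data: bytes) -> list[str]:
    """Return URIs of /URI link actions found in clear text in raw PDF bytes.

    Byte-level scan only: URIs inside FlateDecode object streams or hex strings
    are not seen, so an empty result means "none in clear text", not "no links".
    """
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group("uri")
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


class _MetaRefresh(HTMLParser):
    """Collect target URLs from <meta http-equiv="refresh" content="N; url=..."> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def meta_refresh_targets(html: str) -> list[str]:
    p = _MetaRefresh()
    p.feed(html)
    return p.targets


def follow_meta_refresh(start: str, fetch, max_hops: int = 5) -> list[str]:
    """Follow meta-refresh hops from `start`, returning the URLs visited in order.

    `fetch(url)` returns the page body or None. The hop limit and the loop check
    stop a page that refreshes to itself or a long chain of redirectors.
    """
    chain = [start]
    url = start
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            break
        targets = meta_refresh_targets(body)
        if not targets:
            break
        url = urljoin(url, targets[0])
        if url in chain:
            break
        chain.append(url)
    return chain


def hosts_in_chain(chain: list[str]) -> list[str]:
    """Hostnames touched along the chain; a change of host mid-chain is the redirector pattern."""
    return [urlparse(u).hostname or "" for u in chain]


if __name__ == "__main__":
    for uri in pdf_link_uris(SAMPLE_PDF):
        chain = follow_meta_refresh(uri, FAKE_WEB.get)
        print(" -> ".join(chain))
        print("hosts:", hosts_in_chain(chain))
```

The host list is the useful output for triage: the PDF points at a .com.br real-estate site, and the page that actually collects credentials is on a different, throwaway domain. Because the redirector's target can be changed by the attacker at any time, block and hunt on both hosts, not just the one in the PDF.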

The redirected HTTPS URL is a fake site that impersonates American Express. None of the links on this page work except 'Log In'.

After the account credentials are entered, it takes the user to the next page, which asks for the 4-digit card identification number and the 3-digit card security code.

On the final page, it asks the user to update personal information such as Social Security Number, security PIN, mother's maiden name, mother's birthday, place of birth, first elementary school, email address and mobile phone number.

When it is done stealing the personal information, it responds with the message "Thank you, your information has been verified." to look legitimate.

Finally, the victim lands on the legitimate American Express web page.


SonicWall Capture Advanced Threat Protection (ATP) provides protection against such phishing documents with its multi-engine approach.

Hashes:

PDF: 043459c13f1a4873db3396faf9f15ecc51bab083041c14d8a57f92859309c5f6
Email: 0b18455494f9b85aeaf0e08e6ec672ff490bc292f761a019c83f207b8d11bf26

Phishing URLs:

Both phishing URLs were active at the time of writing.

  • hxxps://entially.ga/infox/indxp.html?sign&accountx/Appli-catitup/Applion$updatenow=&cookiegtcheck/yes&destkcnpage&fefdd
  • hxxps://plantsok.ga/infox/indxp.html?sign&accountx/Appli-catitup/Applion$updatenow=&cookiegtcheck/yes&destkcnpage&fefdd

Recognizing Phishing Emails:

Phishing emails look like legitimate company emails and are designed to steal your information. They usually contain a link to a website that will ask for your login credentials, personal information or financial details. These websites are clever fakes designed to take your information and pass it back to the cybercrooks behind the scam.

In general, if you are not expecting an email from that company, you should be suspicious. Other tell-tale signs of phishing emails are as follows:

  • The email is not addressed to your full name. It will use generic terms like “Dear Customer.”
  • The email contains grammatical or spelling errors.
  • The email asks for personal information.
  • The email contains urgent or threatening language.

If you think you have received a phishing email, do not click on any links or open any attachments. To be sure, log in to the relevant account directly by typing the address yourself and check there for updates or messages, or contact the company through its official website.
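The sender mismatch seen in this campaign (display name "American Express", address on centralcomwireless.com) and the tell-tale signs listed above can be checked mechanically on a raw message before it reaches a user. The following is an added example, not from the original post, using only the Python standard library; both sample messages are constructed (one mirroring the campaign, one benign), and the brand-to-domain allowlist is an assumption for illustration that in practice would come from your own sender data or DMARC alignment.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign above: brand in the display name, address on an
# unrelated domain, urgent subject, generic greeting and a PDF attachment. Not the real email.
SAMPLE_EML = """\
From: "American Express" <Americ@centralcomwireless.com>
To: customer@example.com
Subject: Urgent: Request for information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,

Please download the attached document to verify your account.
--b1
Content-Type: application/pdf; name="Secure Document.pdf"
Content-Disposition: attachment; filename="Secure Document.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign counterpart: same brand name, but sent from the brand's own domain,
# addressed by name, no urgency, no attachment.
LEGIT_EML = """\
From: "American Express" <no-reply@americanexpress.com>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain

Dear Jane Doe,

Your monthly statement is available in your account.
"""

# Assumed allowlist for the example: domains a brand legitimately mails from.
BRAND_DOMAINS = {
    "american express": {"americanexpress.com", "aexp.com"},
}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "action required")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear client")


def assess_email(raw: str) -> dict:
    """Score one raw RFC 822 message against the phishing indicators discussed above."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display name claims a brand, but the sending domain is not one of that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
            domain == d or domain.endswith("." + d) for d in domains
        ):
            findings.append(f"display name '{display}' but sender domain '{domain}'")

    # 2. Urgent or threatening language in the subject.
    subject = (msg.get("Subject") or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgent language in subject")

    # 3. Generic greeting instead of the recipient's name.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    if any(g in body for g in GENERIC_GREETINGS):
        findings.append("generic greeting")

    # 4. Document attachments, which in this campaign carried the phishing link.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            findings.append(f"PDF attachment '{name}'")

    return {"sender_domain": domain, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, raw in (("campaign", SAMPLE_EML), ("benign", LEGIT_EML)):
        print(label, assess_email(raw))
```

The first check is the strongest signal here: a display name that names a brand while the envelope address sits on an unrelated domain is exactly what this email did, and it is something a user glancing at the From field never sees. The other three are supporting heuristics; on their own they produce false positives, which is why the verdict requires two or more findings.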

Take our Phishing Quiz to see if you are able to identify phishing emails.