New Phishing scam targeting American Express card holders
January 29, 2014
Email malware and phishing scams are nothing new and most will appear for a while, then disappear, then reappear some time later. So it is with a new scam targeting American Express card holders on January 29, 2014.
Earlier today, my spam protection program, MailWasher Pro, auto-deleted a message that was a phishing scam against American Express card holders. Here are the pertinent details to watch out for, lest you fall for this scam.
Subject: American Express Security Notification
From (spoofed): "American Express" <[email protected]>
Return-path: <[email protected]>
Date: Wed, 29 Jan 2014 17:23:53 +0000
Some normally hidden email headers:
Received: from [94.197.44.27] (port=53006 helo=94.197.44.27.threembb.co.uk)
Received: from 94.197.44.27 (account [email protected] HELO otpfh.ifxkmqeu.com)
X-Mailer: The Bat! (v3.51.10) Home
The message body in plain text reads as follows.
American Express Security Notification
Dear Customer,
As you may already know we ask our customers to update the contact details associated with American Express card account.
A recent review of your account determined that you need to confirm the information associated with your American Express account.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions placed on your account.
We encourage you to use the following link and confirm your account details as soon as possible:
https://www.americanexpress.com/[Links to h**p://dychovka.eu/dissents/index.html]
Note: Failure to update your account may result in account limitations or even account closure.
We appreciate your prompt attention to this important matter.
Thank you,
Amber Justice
Level III Security Officer
American Express
© 2014 American Express Company. All rights reserved.
AMEX Account Security
Note: (I deactivated the hostile link for your safety)
Here are some pertinent details about this scam.
First, the message did not come from AmericanExpress.com, or "aexp" at all. Everything in the headers to that effect is fake, spoofed data. This particular scam email came from a Mobile Broadband Service customer in Great Britain at the IP address 94.197.44.27 (reverse name 94.197.44.27.threembb.co.uk).
In fact, I see the "return-path" set to "fraud@aexp" in almost every other malware and phishing scam email over the past year. Even scams claiming to come from a bank or a department store are composed using the same spam template. Most of them also set "X-Mailer: The Bat!", which is a favorite email program in Europe, especially in Russia, where it was created.
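The header checks above (walk the Received chain to the real originating host, compare the display name and From domain against the Return-path, note the desktop-client X-Mailer) can be scripted. The following is an added example, not code from the blog post; the message it parses is constructed from the headers quoted above, with the hidden addresses replaced by placeholders under .example, and the list of legitimate brand domains is an assumption.

```python
"""Triage a suspicious e-mail's headers the way the post does by hand.
Added example; addresses and the brand-domain list are assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post. The real
# addresses are not visible on the page, so these are .example placeholders.
RAW_MESSAGE = """\
Return-path: <fraud@aexp.example>
Received: from [94.197.44.27] (port=53006 helo=94.197.44.27.threembb.co.uk)
Received: from 94.197.44.27 (account victim@mailbox.example HELO otpfh.ifxkmqeu.com)
From: "American Express" <security@aexp.example>
Subject: American Express Security Notification
Date: Wed, 29 Jan 2014 17:23:53 +0000
X-Mailer: The Bat! (v3.51.10) Home

Dear Customer,
As the Primary Contact, you must verify your account activity.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\bhelo[= ]\s*([\w.-]+)", re.IGNORECASE)


def hops(msg):
    """One (ip, helo) tuple per Received header, top of message first.
    Each relay prepends its own header, so the LAST tuple is the hop
    closest to the real sender."""
    result = []
    for header in msg.get_all("Received", []):
        ip = IPV4.search(header)
        helo = HELO.search(header)
        result.append((ip.group(1) if ip else None,
                       helo.group(1) if helo else None))
    return result


def origin_hop(raw):
    """Parse a raw message and return the earliest (sender-side) hop."""
    chain = hops(message_from_string(raw, policy=policy.default))
    return chain[-1] if chain else (None, None)


def domain_of(address_header):
    """Bare domain from a header such as '"Name" <user@host>'."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def is_brand_host(host, brand_domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def triage(raw, brand_name="American Express",
           brand_domains=("americanexpress.com",)):
    """Return a list of findings; an empty list means the headers examined
    here showed nothing suspicious. brand_domains is an assumed allowlist."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-path"))
    # Display name claims the brand, but the address is not on a brand domain.
    if brand_name.lower() in name.lower() and not is_brand_host(from_dom, brand_domains):
        findings.append(f"display name claims {brand_name!r} but From domain is {from_dom}")
    # Envelope sender and header sender disagree.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-path domain {rp_dom} differs from From domain {from_dom}")
    # The hop nearest the sender should be the brand's own mail server.
    ip, helo = origin_hop(raw)
    if helo is not None and not is_brand_host(helo, brand_domains):
        findings.append(f"originating hop {ip} ({helo}) is not a {brand_name} mail host")
    # A personal desktop mail client on a "corporate security notice".
    mailer = msg.get("X-Mailer", "")
    if mailer:
        findings.append(f"desktop mail client fingerprint on a corporate notice: {mailer}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```

The Received chain is read bottom-up because every relay adds its header above the ones already present; only the lowest hop can be trusted to describe where the message actually entered the mail system, and even that one can be forged by the sender's own server.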
Let's see how the scam in this email works. Note that I have deactivated the dangerous links for your protection, by changing http to h**p.
There is one clickable link presented, spoofing americanexpress.com, but actually going to an exploited server at: h**p://dychovka.eu/dissents/index.html - which is located in Czechoslovakia. The index.html page at that URL has just the text: "Connecting to server..." followed by nothing but three automatic JavaScript includes, like this: h**p://Holidaymatrix.com/bushel/maricela.js. Anybody arriving at that location with a typical web browser that has JavaScript enabled by default will have those .js files loaded into their browser and executed automatically. Each of the .js files includes a single line of JavaScript that uses "document.location" to redirect the browser to yet another location. This location is where the phishing scam is hosted.
All of this happens in the blink of an eye. If the payload were a malware exploit attack, it would be launched as soon as you arrived at the final destination. In this case, the payload is a web page using code and images stolen from the American Express website. The phish is a form that tells you that you must fill in the required details and submit it or lose your credit card rights. All lies!
The phishing page is titled "American Express Credit Cards, Rewards, Travel and Business Services" in the title bar. Down the page is a form, prefaced with the text: "Please submit your login credentials to start the identification procedure." The submission is posted to a page named "/americanexpress/work.php", where your stolen credentials are stored until the criminals behind this scam gather them up.
I have already notified the hosting company responsible for the actual phishing scam. The owner of the website is an innocent real estate company in Charlotte, North Carolina. They actually own 5 websites that are infected with this or other malicious scams.
No matter what domain this particular scam is hosted on, the folder containing the Phishing page will be inside a folder named: "/americanexpress/." The next time they run this phish, the folder name may change, or not. If you manage a web site or sites, now is a good time to check for folders which you did not create, containing files you know nothing about. Your web site could have been compromised, just like the one in this example was.
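The two artifacts described above, a redirect page whose only content is remote script includes (or a one-line document.location script) and a directory the site owner never created, are exactly what a site administrator can sweep for. The script below is an added example, not the blog author's code: it builds a constructed sample web root in a temporary directory (a small realty site plus a drop-in folder), with placeholder host names, and audits it for both signs.

```python
"""Audit a web root for directories nobody on the team created and for
near-empty pages or tiny scripts that only redirect visitors elsewhere.
Added example; the sample site, host names and allowlist are constructed."""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Any reference to document.location / window.location in a tiny script.
REDIRECT = re.compile(r"\b(?:document|window)\.location\b")


class ScriptCollector(HTMLParser):
    """Collect <script src> URLs and count the visible text on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.text_chars += len(data.strip())


def unexpected_dirs(webroot, expected):
    """Top-level directories under webroot that are not in the expected set."""
    return sorted(d for d in os.listdir(webroot)
                  if os.path.isdir(os.path.join(webroot, d)) and d not in expected)


def inspect_file(path, own_host):
    """Findings for one .html/.htm/.js file (empty list if nothing stands out)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    if path.endswith(".js"):
        # A script of a few dozen bytes that touches location does nothing but redirect.
        return ["tiny script whose only job is a location redirect"] \
            if len(data) < 200 and REDIRECT.search(data) else []
    parser = ScriptCollector()
    parser.feed(data)
    remote = [s for s in parser.scripts
              if urlparse(s).hostname and urlparse(s).hostname != own_host]
    if remote and parser.text_chars < 40:
        return [f"near-empty page loading {len(remote)} remote script(s): {', '.join(remote)}"]
    return []


def audit(webroot, own_host, expected_dirs):
    """Walk the web root; return unexpected top-level dirs and per-file findings."""
    report = {"unexpected_dirs": unexpected_dirs(webroot, expected_dirs), "files": {}}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.endswith((".html", ".htm", ".js")):
                full = os.path.join(dirpath, name)
                hits = inspect_file(full, own_host)
                if hits:
                    report["files"][os.path.relpath(full, webroot).replace(os.sep, "/")] = hits
    return report


def build_sample_site(base):
    """Constructed fixture: a legitimate site plus the kind of drop-in the
    post describes, under a directory the owner never made."""
    os.makedirs(os.path.join(base, "images"))
    os.makedirs(os.path.join(base, "listings"))
    with open(os.path.join(base, "index.html"), "w") as fh:
        fh.write('<html><body><h1>Example Realty</h1><p>Homes for sale in your area. '
                 'Call us today for a showing.</p><script src="/static/site.js"></script>'
                 '</body></html>')
    drop = os.path.join(base, "dissents")
    os.makedirs(drop)
    with open(os.path.join(drop, "index.html"), "w") as fh:
        fh.write('Connecting to server...\n'
                 '<script src="http://js-host-a.example/bushel/a.js"></script>\n'
                 '<script src="http://js-host-b.example/bushel/b.js"></script>\n'
                 '<script src="http://js-host-c.example/bushel/c.js"></script>\n')
    with open(os.path.join(drop, "hop.js"), "w") as fh:
        fh.write("document.location = 'http://next-hop.example/landing/index.html';\n")


def demo():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return audit(tmp, "example-realty.example", {"images", "listings"})


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real site, pass the document root, the site's own host name and the set of directories you know you created; anything the report lists is worth comparing against your deployment records and file modification times before deciding it is legitimate.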
What you can do to protect your computer against this type of scam.
If you are using Firefox as your default browser, install the NoScript add-on and learn how to use it. It blocks JavaScript, Java, Flash and other forms of active scripting by default, unless you specifically allow a web site to use them. If you aren't using Firefox, try it and install the NoScript add-on ASAP.
If you must use another browser, make sure you have a robust security program installed on the computer. I use Trend Micro Internet Security which contains a component that automatically blocks access to infected web pages, like those I listed above.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.