#1243182: Be aware of fake American Express emails with attached phishing malware

Description: A new phishing campaign is under way in which emails pretending to be from American Express state that your credit card has a security issue. The email then prompts the recipient to open an HTML attachment, which is actually a phishing form that sends the entered information to the scammers.



BleepingComputer first learned of this phishing scam (fake American Express emails with an attached phishing form) from myonlinesecurity.co.uk. On further research, however, BleepingComputer found many variants sent after October 2018. All of these variants use the same theme: a security review of the recipient's credit card found issues, so the recipient must send the information requested in the attached form and also create a new account online.



All of these emails were sent from addresses whose mail domains are based on the "American Express" name, such as AmericanExpress@ampress.com, AmericanExpress@aemail.com, and AmExpress@amnex.com. The subjects of these emails include "REMINDER: A concern that requires your action", "Notice Concerning your CardMember Account", and "Reminder - We've issued a security concern (Action Required)".



The phishing email has an HTML attachment with a name like 0,,1_09030-AENA2018_1228,01.htm. When opened, the HTML attachment loads a script from a remote site. The remote JavaScript is obfuscated, but once deobfuscated it simply writes HTML to the document to render the form.



The form asks the recipient to enter their security PIN, online account credentials, card number, expiration date, security code, mother's birth date, mother's maiden name, first elementary school name, and birth year, and finally prompts the recipient to create new login credentials. Once the user submits the form, the entered information is sent to a remote host (i.e. the scammers).



Once the remote host receives this data, it redirects the recipient to a genuine americanexpress.com page that states "Thank you for your feedback", which adds legitimacy to the form submission.



Keep in mind that companies, especially financial organizations, never request this kind of information through an attached form. Moreover, when you receive an email containing links to sites that ask for personal information, it is strongly recommended that you contact the organization directly by phone to confirm the email.
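
The traits described above (look-alike sender domain, known subject line, HTML attachment that loads a remote script) can be checked on a saved message. The following Python sketch is an added example, not part of the original alert or of any vendor's tooling; the function name `triage`, the sample message, and the host `remote.example` are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicators taken from the alert text: sender mail domains and subject lines.
SENDER_DOMAINS = {"ampress.com", "aemail.com", "amnex.com"}
SUBJECTS = {
    "reminder: a concern that requires your action",
    "notice concerning your cardmember account",
    "reminder - we've issued a security concern (action required)",
}
# <script src="http(s)://..."> or "//host/...": the attachment pulls its form remotely.
REMOTE_SCRIPT = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?\s*(?:https?:)?//", re.I)

# Constructed sample message (not a captured email).
SAMPLE = """\
From: American Express <AmericanExpress@aemail.com>
Subject: Notice Concerning your CardMember Account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please complete the attached form.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="notice.htm"

<html><body><script src="https://remote.example/form.js"></script></body></html>
--b1--
"""

def triage(raw):
    """Return the indicators from the alert that a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if addr.rpartition("@")[2] in SENDER_DOMAINS:
        hits.append("sender-domain")
    if " ".join(str(msg.get("Subject", "")).lower().split()) in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            hits.append("html-attachment")
            body = part.get_content()
            body = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
            if REMOTE_SCRIPT.search(body):
                hits.append("remote-script")
    return hits
```

Sender addresses and subject lines are easy to change between variants, so treat those two matches as supporting evidence; an HTML attachment that loads a remote script is the behaviour the alert describes and is the stronger signal.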

First Aid: IOCs: All of these emails were sent from addresses whose mail domains are based on the "American Express" name, such as AmericanExpress@ampress.com, AmericanExpress@aemail.com, and AmExpress@amnex.com. The subjects of these emails include "REMINDER: A concern that requires your action", "Notice Concerning your CardMember Account", and "Reminder - We've issued a security concern (Action Required)". The HTML attachment has a name like 0,,1_09030-AENA2018_1228,01.htm
More info: http://www.spamfighter.com/News-21975-Be-careful-from-fake-American-Express-emails-having-attached-Phishing-Form.htm?utm_source=hs_email&utm_medium=email&utm_content=68920458&_hsenc=p2ANqtz---caniP9fVeMxcUv4oKSNmzfOvckI5GyHNkKbHBAzyMdIZdbujvuuhvQ9x4crJGloRPiwhIMwG9U_vJWEKhN004cUiOgiDDJbzteVRusBvjr1hl3k&_hsmi=68920458

Date added Jan. 11, 2019, 3:21 p.m.
Source Spamfighter
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • American Express/AmEx
  • Phishing Alerts - Banking
  • Scam/Fraud/Hoax Alerts
  • Spear Phishing / Angler Phishing / Whaling / CEO Fraud / W2 Fraud