An unusually well-crafted phishing attack is targeting American Express cardholders.
In recent days, an unusually well-crafted phishing attack has been launched against American Express cardholders. The scam appears to be an improved version of a prior phishing campaign first seen this past March, and impersonates American Express so well, and with such devious messaging, that it may successfully bait many people who might normally detect and avoid other phishing attacks.

In the new scam, targeted users receive an email message allegedly from American Express (in at least one variant the return address appears to targets as AmericanExpress@welcome.aexp.com) advising the recipient to protect himself or herself from fraud and phishing by establishing an “American Express Personal Safe Key (PSK)” to improve the security of their accounts. The email is well written and formatted like an American Express email; unlike some of the prior versions it contains no mislabeled links (i.e., links whose visible text shows one address while the underlying link code points somewhere else).
The email contains a link on the bottom to “Create a PSK” – and users who click the link are directed to a phony American Express login page on a site at the legitimate-sounding http://amexcloudcervice.com/login/ (it is hard to notice the spelling error – did you?). While the lack of HTTPS should also alert some people to the likelihood of something being amiss, and any browser that colors URL bars based on the use of encryption will obviously not do so in this case, as I discussed in a paper co-authored with Shira Rubinoff a decade ago, many people focus entirely on the contents of browser windows and do not pay attention to security clues in browser infrastructure.
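The clues mentioned so far (a link whose visible text does not match where it actually points, a login link served over plain HTTP rather than HTTPS, and a domain that merely sounds like the brand) can be checked mechanically by a mail filter or a security team. The following Python script is an added defender-side illustration and is not code from the original post; the sample message is constructed to resemble the email described above, and the allowlist of brand domains (americanexpress.com and aexp.com) is an assumption that a real deployment would replace with its own verified list.

```python
"""
Scan an email body for three phishing clues discussed in the post:
  - text-href-mismatch: visible link text is a URL for one domain, href goes to another
  - plain-http: the link is not served over TLS
  - brand-lookalike-domain: host contains a brand token but is not a trusted brand domain
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the defender's allowlist of the brand's own registrable domains.
TRUSTED_BRAND_DOMAINS = {"americanexpress.com", "aexp.com"}
BRAND_TOKENS = ("amex", "americanexpress", "american-express")

# Constructed sample modelled on the message described above (not a real capture).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Protect yourself from fraud by creating an American Express Personal Safe Key (PSK).</p>
<p><a href="http://amexcloudcervice.com/login/">Create a PSK</a></p>
<p><a href="http://amexcloudcervice.com/login/">https://www.americanexpress.com/</a></p>
<p><a href="https://www.americanexpress.com/">American Express</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Production code should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_BRAND_DOMAINS


# Deliberately broad: anything in the visible text that looks like a URL or hostname.
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+|(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)


def check_link(href, text):
    """Return the list of indicator names that fire for one link."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        findings.append("plain-http")
    m = URL_IN_TEXT.search(text)
    if m:  # the visible text is itself an address: does it agree with the href?
        shown = m.group(0)
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            findings.append("text-href-mismatch")
    if any(tok in host.lower() for tok in BRAND_TOKENS) and not is_trusted(host):
        findings.append("brand-lookalike-domain")
    return findings


def scan_email(html):
    """Return {href: sorted indicator list} for every link with at least one finding."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        hits = check_link(href, text)
        if hits:
            report.setdefault(href, set()).update(hits)
    return {href: sorted(hits) for href, hits in report.items()}


if __name__ == "__main__":
    for href, indicators in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", ", ".join(indicators))
```

The domain check is intentionally simple: the two-label heuristic in `registrable_domain` mis-handles suffixes such as `co.uk`, and the brand-token test will not catch lookalikes that avoid the tokens entirely, so it complements rather than replaces reputation and sender-authentication checks.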
After providing login information to the phony American Express page – and regardless of whether the login information is correct – users are presented with real-looking pages asking them to enter card numbers, card expiration dates, the card’s four-digit CVV code, their Social Security numbers, birth dates, mothers’ maiden names, mothers’ birthdates, date of birth, and their email addresses. All of the requests for information appear in an interface that mimics that of the legitimate American Express website, with only minor, hard-for-the-novice-to-notice flaws. Of course, someone might realize that there is no reason for American Express to ask for some of this information – the firm obviously knows your card numbers once you log in – but many people have been de facto trained by credit card companies to answer such questions, having been asked to type or recite their numbers, and provide the answers to all sorts of security questions, when calling the providers by telephone.
There have, of course, been other phishing emails targeting American Express customers, and, as mentioned previously, even some that exploit the SafeKey security technology offered by American Express for extra trickery. (Did you notice that the phishing email incorrectly separates SafeKey into two words?)
Despite several errors that many information-security professionals may find glaring (did you notice the missing © symbol at the bottom?), the current attack does seem well crafted, and, therefore, more likely than many other attacks to trick American Express customers, most of whom obviously do not deal with phishing attacks as part of their jobs.
It should also be noted that shutting down phishers is difficult – unless the perpetrators themselves are caught, even if phishing systems are taken down, it is simple for the criminals to relaunch attacks using new servers. And it isn’t that hard for other criminals to copy the phishing interface, add a little code, and launch their own attacks from other servers as well.
So, how should you protect yourself?
Here are some suggestions:
- Never log in to a sensitive site by clicking a link in any message, webpage, or document. Type the address yourself.
- If you receive a communication from a bank or credit card company – call them back on the number on the back of your ATM/debit/credit card.
- Never read email – or use sensitive websites – on a device that does not have security software with updates being applied regularly and automatically.
- If you did click a link in a potentially dangerous email, shut the browser, disconnect your computer from the Internet, and run a malware scan. Ideally keep the machine off for several days, download updates, and run it again. This approach is by no means perfect, but it might reduce damage if your system became infected by malware.
- Of course, financial institutions should consider using technology such as Green Armor’s Identity Cues (For full disclosure – I co-invented that technology and am the founding CEO of the firm) that make it easy for people to know whether they are accessing a legitimate site or a phisher’s clone.
The bottom line: criminals are continuously getting better at crafting phishing emails – so be prepared.