American Express Customers Targeted in Phishing Campaign

Cofense researchers recently discovered a phishing campaign targeting both corporate and consumer American Express cardholders. The phishing email threatens to suspend the user’s account unless they verify their personal information via a malicious URL contained in the email. The phishing attempt, which contains the usual tell-tale grammatical errors and sense of urgency, uses the unique tactic of splitting the malicious URL into two pieces: an HTML tag and an embedded “base href.” This allows the threat actor to evade detection by security software. If clicked, the link takes the user to a website that mimics the American Express login portal and asks them to log in to their account. If the user enters their username and password, the credentials are sent to the threat actor.

The NJCCIC advises American Express customers to avoid clicking on links and opening attachments within unsolicited or unexpected emails, and to be suspicious of emails conveying a sense of urgency. Users are advised instead to navigate to websites by manually typing the URL into the address bar of their browser. Educating users about this and similar threats can reduce victimization. Additional details may be found in the Cofense post.
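A mail filter can undo the split described above by resolving every link against the message's base href before inspecting it, the way a mail client does. The sketch below is an added example, not code from Cofense or the NJCCIC; the sample HTML body and the portal.example and legit.example hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample body; hosts use the reserved .example TLD.
SAMPLE_HTML = """<html><head><base href="https://portal.example/"></head>
<body><p>Verify your account to avoid suspension.</p>
<a href="login/verify">Verify now</a>
<a href="https://legit.example/help">Help</a></body></html>"""


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a>/<area> href."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "").strip()
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href  # browsers honour only the first <base href>
        elif tag in ("a", "area"):
            self.hrefs.append(href)


def resolve_links(html_body):
    """Return each link as written and as resolved against the base."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    results = []
    for raw in collector.hrefs:
        effective = urljoin(collector.base, raw) if collector.base else raw
        results.append({
            "raw": raw,
            "effective": effective,
            "split_by_base": effective != raw,
        })
    return results


if __name__ == "__main__":
    for link in resolve_links(SAMPLE_HTML):
        flag = "REVIEW" if link["split_by_base"] else "ok"
        print(f'{flag:6} {link["raw"]!r} -> {link["effective"]}')
```

Pass the effective URL, not the raw href, to reputation or blocklist checks, and treat any link that only becomes a full URL through the base tag as worth a closer look.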