Fake American Express Alerts

Right now we are seeing fake American Express account alerts. The alerts look very real and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination will heavily depend on the browser used.

Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content.

[Image: fake American Express notification]

Johannes B. Ullrich, Ph.D.

SANS Technology Institute



4601 Posts
ISC Handler
Aug 2nd 2013

Links go to cracked sites. Simple HTML file calls 3 JavaScript files hosted at more cracked sites.

Those JS scripts just redirect to a 3rd site, that does user agent detection at least and can send you an obfuscated JS HTML response, try to run a Java applet and maybe redirect to yet another site.

The "moneygram payment notification" malware series followed up the same thing with a fake Adobe Flash Player download for a Zbot trojan.

9 Posts
Thanks! That sounds just like the AMEX scam (and so many before that :( ). FWIW: If you get a 501/502 error ("Gateway Timeout"), it means that your user agent was detected as fake (e.g. wget).

4601 Posts
ISC Handler
We are seeing this in our environment now. We sent the URLs to Websense to block as malicious and sent a copy to AMEX (but I am sure they are aware).
1 Posts
The One

1 Posts
We too received this in our environment. A total of 81 successfully delivered to users, over 1000 blocked by our anti-spam solution once our operations team updated our signatures.

The links we saw within the email all pointed to a number of Italy domains (.it). Searching on Pastebin (http://pastebin.com/TJc6wwjN), I found a post listing the sites as being compromised back in June.

3 Posts
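A mail-gateway style check for the pattern reported in this thread, where a message presents itself as American Express but its links point to unrelated, compromised hosts. This is an added example, not code from the diary or from any commenter; the allowlist, the keyword list, the function names and the sample message (including the placeholder host `hacked-blog.example`) are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the brand legitimately links to; extend for your environment.
BRAND_DOMAINS = {"americanexpress.com"}
BRAND_KEYWORDS = ("american express", "amex")

# Constructed sample message; hacked-blog.example stands in for a compromised site.
SAMPLE = """\
From: "American Express" <alerts@example.invalid>
Subject: Account Alert: Irregular card activity
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected irregular activity on your card.</p>
<a href="http://hacked-blog.example/wp/alert.html">View account</a>
<a href="https://www.americanexpress.com/">americanexpress.com</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect href targets from anchor tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def suspicious_links(raw_message):
    """Return link hosts outside BRAND_DOMAINS when the mail claims the brand."""
    msg = message_from_string(raw_message)
    claimed = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    if not any(k in claimed for k in BRAND_KEYWORDS):
        return []
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            parser.feed(payload.decode(charset, errors="replace"))
    hosts = {urlsplit(h).hostname for h in parser.hrefs}
    return sorted(h for h in hosts if h and not host_in_domains(h, BRAND_DOMAINS))
```

The suffix match requires a leading dot, so a lookalike such as `americanexpress.com.hacked-blog.example` is still reported.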
