Fake American Express Alerts

Right now we are seeing fake American Express account alerts. The alerts look very real and trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination depends heavily on the browser used.

Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content.

[Image: fake American Express notification]

------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Winter 2019

Johannes

3656 Posts
ISC Handler
http://techhelplist.com/index.php/spam-list/293-account-alert-recent-charge-approved-malware

Links go to cracked sites. A simple HTML file calls 3 JavaScript files hosted at more cracked sites.

Those JS scripts just redirect to a third site, which does user agent detection at least and can send you an obfuscated JS/HTML response, try to run a Java applet, and maybe redirect to yet another site.

The "MoneyGram payment notification" malware series followed up the same thing with a fake Adobe Flash Player download for a Zbot trojan.
http://techhelplist.com/index.php/spam-list/292-payment-notification-email-fake-moneygram-with-malware
techhelplist.com

9 Posts
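The comment above describes a landing page that is nothing more than a small HTML file pulling in JavaScript from several other compromised hosts. As an added example (not code from the ISC diary or from techhelplist), the following Python helper extracts those external script hosts from a captured page without executing anything, so an analyst can pull block/report lists out of samples; the HTML and hostnames in it are constructed.

```python
"""Triage helper: list external <script src> hosts in a captured landing page.

Constructed example. It never fetches or runs the scripts; it only parses
the HTML so the third-party hosts can be reported or blocked.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcExtractor(HTMLParser):
    """Collect every src attribute found on <script> tags."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html, page_host):
    """Return the distinct hosts (in document order) that the page loads
    scripts from, excluding the page's own host and relative paths."""
    parser = ScriptSrcExtractor()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # "//host/x.js" also yields host
        if host and host.lower() != page_host.lower() and host not in hosts:
            hosts.append(host)
    return hosts


def looks_like_loader_page(html, page_host, min_external=2):
    """Heuristic matching the pattern described in the comment: a page whose
    only real content is scripts pulled from several other domains."""
    return len(external_script_hosts(html, page_host)) >= min_external


# Constructed sample resembling the described landing page (hostnames are
# placeholders, not real indicators).
SAMPLE_HTML = """<html><body>
<script src="http://cracked-one.example/js/a.js"></script>
<script src="//cracked-two.example/lib/b.js"></script>
<script src="https://cracked-three.example/c.js"></script>
<script src="/local.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(external_script_hosts(SAMPLE_HTML, "landing.example"))
```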
Thanks! That sounds just like the AMEX scam (and so many before that :( ). FWIW: If you get a 501/502 error ("Gateway Timeout"), it means that your user agent was detected as fake (e.g. wget).
Johannes

3656 Posts
ISC Handler
We are seeing this in our environment now. We sent the URLs to Websense to block as malicious and sent a copy to AMEX (but I am sure they are aware).
Johannes
1 Posts
Thanks!
The One

1 Posts
We too received this in our environment. A total of 81 were successfully delivered to users; over 1000 were blocked by our anti-spam solution once our operations team updated our signatures.

The links we saw within the email all pointed to a number of Italian domains (.it). Searching on Pastebin (http://pastebin.com/TJc6wwjN), I found a post listing the sites as having been compromised back in June.
DTraser

3 Posts
