Thursday, March 20, 2014

American Express's new Phishing Criminal Brings Game!

Every time I start to think that I've seen everything with regards to phishing the criminals shake things up and get me excited again. Today I have to say the American Express phishers are bringing their A Game to the table again. While there are several different groups of phishers attacking most financial institutions, the criminals behind this particular attack are at least showing some creativity. Let's take a look at the spam message first.

We had two primary spam subject lines for this campaign. On March 17, 2014 the Malcovery Spam Data Mine gathered:

468 copies = Subject: Important: Personal Security Key
290 copies = Irregular card activity

The messages were BEAUTIFUL! Here's one:

Isn't that gorgeous? Every single link in that email is actually just another copy of the phishing URL. No matter what you click on, the phishing process starts. And what a process it is! Just in the samples that we had at Malcovery Security, we saw 574 distinct URLs on 77 different web hosts! (the full list is available as amex.urls.txt.

The AmEx Phishing Payload

Why am I writing about this three days later? BECAUSE THE PHISH IS STILL LIVE!

Just a few minutes ago, I revisited one URL per webhost and found that 40 of the 77 servers were still delivering payload.

What was the payload?

Here's a sample from one of those 40 sites:

A small box containing the words "Connecting to server..." appears, but in the background, the machine is trying to pull content from these scripts (defanged below):

(script) src equals
(script) src equals
(script) src equals
(script) src equals

But actually between the 40 sites I was able to access this morning (March 20, 2014) there were a total of 38 redirectors!

hxxp:  (slash)   (slash) (slash) instanced (slash) inconsolable.js
hxxp:  (slash)   (slash) (slash) ditty (slash) appetizing.js
hxxp:  (slash)   (slash) (slash) expiration (slash) eddies.js
hxxp:  (slash)   (slash) (slash) healed (slash) pulsation.js
hxxp:  (slash)   (slash) (slash) diminished (slash) somalian.js
hxxp:  (slash)   (slash) (slash) donning (slash) slaved.js
hxxp:  (slash)   (slash) (slash) nike (slash) robbing.js
hxxp:  (slash)   (slash) (slash) maracaibo (slash) your.js
hxxp:  (slash)   (slash) (slash) altaic (slash) scarify.js
hxxp:  (slash)   (slash) (slash) inflated (slash) minstrels.js
hxxp:  (slash)   (slash) (slash) pleader (slash) socialized.js
hxxp:  (slash)   (slash) (slash) emulate (slash) loved.js
hxxp:  (slash)   (slash) (slash) responsive (slash) rhone.js
hxxp:  (slash)   (slash) (slash) irrigated (slash) bewaring.js
hxxp:  (slash)   (slash) (slash) mortician (slash) amicably.js
hxxp:  (slash)   (slash) (slash) curries (slash) searchlights.js
hxxp:  (slash)   (slash) (slash) cesar (slash) viewers.js
hxxp:  (slash)   (slash) (slash) doyen (slash) undermining.js
hxxp:  (slash)   (slash) (slash) trespasses (slash) earthly.js
hxxp:  (slash)   (slash) (slash) desultory (slash) interrelated.js
hxxp:  (slash)   (slash) (slash) hastening (slash) contemporaries.js
hxxp:  (slash)   (slash) (slash) howe (slash) corsets.js
hxxp:  (slash)   (slash)  SNC.NO-IP.ORG (slash) drywalls (slash) liquefy.js
hxxp:  (slash)   (slash) (slash) hollyhocks (slash) propels.js
hxxp:  (slash)   (slash)  034ED86.NETSOLHOST.COM (slash) lodestone (slash) shilled.js
hxxp:  (slash)   (slash) (slash) furious (slash) zygotes.js
hxxp:  (slash)   (slash) (slash) enchanted (slash) handel.js
hxxp:  (slash)   (slash) (slash) spitfires (slash) winks.js
hxxp:  (slash)   (slash) (slash) churchyard (slash) wealthy.js
hxxp:  (slash)   (slash) (slash) skited (slash) menages.js
hxxp:  (slash)   (slash) (slash) andre (slash) fastidiously.js
hxxp:  (slash)   (slash) (slash) bawls (slash) cubbyholes.js
hxxp:  (slash)   (slash) (slash) executrix (slash) straps.js
hxxp:  (slash)   (slash) (slash) phrasings (slash) vehicle.js
hxxp:  (slash)   (slash) (slash) conduces (slash) garrote.js
hxxp:  (slash)   (slash) (slash) househusbands (slash) piing.js
hxxp:  (slash)   (slash) (slash) instruction (slash) propounds.js
hxxp:  (slash)   (slash) (slash) dracula (slash) archenemy.js
Each of those actually does a "document location" to forward you to the actual phishing page, which was hosted on five different URLS: hxxp: (slash) (slash) (slash) americanexpress (slash)
hxxp: (slash) (slash) (slash) americanexpress (slash)
hxxp: (slash) (slash) (slash) americanexpress (slash)
hxxp: (slash) (slash) (slash) americanexpress (slash)
hxxp: (slash) (slash) (slash) americanexpress (slash)

The Phish Itself

Here's a walk-through of the five page phish.

(Each of those three pages actually had this footer on the bottom! Good to see they included a link to the Fraud page at AmEx!)

When you were finished, you got a friendly thank you . . . letting you know your certificate was all set up . . .

and then got forwarded to the real AmEx page:


  1. Michael T.11:23 AM

    These are the kind that scare me. Totally understandable for an end user to be tricked by this.

  2. Anonymous4:08 PM

    Gotta give 'em props for being innovative, I guess...

  3. I enjoyed your talk on this at Thursday's ISACA/ISSA/Infragard luncheon so I wanted to read the rest. Malware forensics is what really has my interest and passion right now. Thanks.

  4. Anonymous11:25 AM

    The scariest part to me is "Note: You will be redirected to s secure encrypted website." That will surely take many careful people off their guard.


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.