AmEx users targeted with well-crafted phishing scheme

A rather well-executed phishing campaign is targeting American Express users via fake “Fraud Alert: Irregular Card Activity” emails impersonating the AmEx Fraud Departement, warns Gary Warner.

“We detected irregular card activity on your American Express,” it says. “As the Primary Contact, you must verify your account activity before you can continue using your card.”

The email offers a link that seemingly points to AmEx’ official website, and urges potential victims to update their account information within 24 hours if they don’t want to have access to their accounts restricted.

Unfortunately, the link leads to one of 419 different URLs hosted on compromised servers, and via a Java Script file finally redirects users to the fake AmEx account settings website.

The victims are asked to enter their user ID and password, Social Security number, birth date, their mother’s maiden name, her birth date, and the PIN associated with the card. On the next page, they are told to enter the card number:

Finally, they are instructed to share the expiration date and the 3-digit security code on the back of their card.

The hapless victim is then “given” 5,000 bogus reward points and redirected to AmEx’ legitimate site. Needless to say, the information he or she entered has been sent to the phishers and will be used to make unauthorized purchases or will be sold to other crooks who will do the same.

If you have fallen for this scheme, contact American Express immediately so that they can block and revoke your card. If you’re lucky, the money in your account is still there or will be refunded by the company if it’s not.


Subscribe to the Help Net Security breaking news e-mail alerts:

More about

Don't miss