American Express customers were targeted with a Novel Phishing attack for stealing customer credentials.
The scammers targeted both corporate and consumer cardholders with phishing emails full of grammatical errors but with a small but deadly twist: instead of using the regular hyperlink to the landing page trick, this one used the HTML element to hide the malicious URL from antispam solutions. This allows the attackers to specify the base URL that should be used for all relative URLs within the phishing message, effectively splitting up the phishing landing page in two separate pieces.
The malicious mail “asks the would-be victim to verify his or her personal information ‘Due to a recent system maintenance’ and says that failure to comply would lead to a ‘temporary suspension’ of the account,” says the Cofense report. “At first glance, this looks like it could be a legitimate site, but instead contains an embedded ‘base href’ URL which leads to the phishing page.” The phishing page is hosted on the domain used in the HTML tag, with the domain being the “building block for any URL when a href tag is called further down the page.”
“The victim is urged to click on the hyperlink: hxxps://www.americanexpress[.]com /cardmembersvcs/ app/ signin/ Update/ Verification,” says Cofense. “At first glance, this looks like it could be a legitimate site, but instead contains an embedded ‘base href’ URL which leads to the phishing page.”
The phishing page is hosted on the domain used in the HTML tag, with the domain being the “building block for any URL when a href tag is called further down the page.”
This is not the first time AMEX customers have been targeted by phishing campaigns with two of them going after American Express clients to steal their credit card and social security information as discovered by the Office 365 Threat Research team in March.