In recent days, an unusually well-crafted phishing attack has been launched against American Express cardholders. The scam appears to be an improved version of a prior phishing campaign first seen this past March; it impersonates American Express so well, and with such devious messaging, that it may successfully bait many people who would normally detect and avoid other phishing attacks.
In the new scam, targeted users receive an email message purportedly from American Express (in at least one variant the sender address shown to targets is AmericanExpress@welcome.aexp.com) advising the recipient to protect him or herself from fraud and phishing by establishing an "American Express Personal Safe Key (PSK)" to improve the security of their accounts. The email is well written and formatted like a genuine American Express email; unlike some of the prior versions, it contains no mislabeled links (i.e., links whose visible text shows one address while the underlying link actually points somewhere else).
The email contains a link at the bottom to "Create a PSK" -- and users who click it are directed to a phony American Express login page at the legitimate-sounding http://amexcloudcervice.com/login/ (the spelling error is hard to notice -- did you?). The lack of HTTPS should alert some people that something is amiss, and any browser that colors its URL bar based on the use of encryption will obviously not do so in this case. But, as I discussed in a paper co-authored with Shira Rubinoff a decade ago, many people focus entirely on the contents of browser windows and pay no attention to the security clues in the browser's own interface (the address bar, the lock icon, and the like).
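The two tells described above -- a link whose visible text disagrees with its real destination, and a plain-HTTP lookalike domain carrying the brand name -- are mechanical enough to check automatically. The following is an added example, not code from the original post or from American Express: a small Python triage script that pulls every anchor out of an email's HTML body and flags non-HTTPS links, mislabeled links, and hosts that mention the brand but are not on an allowlist of domains the brand actually owns. The allowlist (LEGIT_DOMAINS) and the sample email are assumptions constructed for the example; a real deployment would maintain the allowlist from the brand's published domain list.

```python
"""Triage links in a suspicious HTML email, e.g. an Amex "Create a PSK" lure.

Added example; LEGIT_DOMAINS and SAMPLE_EMAIL are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains American Express actually sends from / hosts on.
LEGIT_DOMAINS = {"americanexpress.com", "aexp.com"}
# Brand fragments that, in a host NOT on the allowlist, suggest a lookalike.
BRAND_TOKENS = ("amex", "americanexpress", "american-express")


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for .com-style domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_link(href, text):
    """Return a list of findings for one anchor; an empty list means nothing suspicious."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    domain = registrable(host)

    if url.scheme != "https":
        findings.append(f"not https: {href}")

    # Mislabeled link: the visible text is itself a URL or hostname that
    # does not agree with where the href really goes.
    shown = urlparse(text if "://" in text else "http://" + text)
    if shown.hostname and "." in shown.hostname and registrable(shown.hostname) != domain:
        findings.append(f"text says {shown.hostname} but href goes to {host}")

    # Lookalike: brand words in the host, but not a domain the brand owns.
    if domain not in LEGIT_DOMAINS and any(tok in host.lower() for tok in BRAND_TOKENS):
        findings.append(f"lookalike domain: {host}")
    return findings


def triage_email(html):
    """Return [(href, visible_text, findings)] for every anchor in the body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, triage_link(href, text)) for href, text in collector.links]


# Constructed sample body modelled on the lure described in the post.
SAMPLE_EMAIL = """
<html><body>
<p>Protect yourself from fraud by creating a Personal Safe Key.</p>
<p><a href="http://amexcloudcervice.com/login/">Create a PSK</a></p>
<p><a href="http://amexcloudcervice.com/login/">https://www.americanexpress.com/</a></p>
<p><a href="https://www.americanexpress.com/">American Express</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, findings in triage_email(SAMPLE_EMAIL):
        status = "; ".join(findings) if findings else "ok"
        print(f"[{text!r}] -> {href}: {status}")
```

The first two anchors are flagged (plain HTTP and a brand-bearing host that is not on the allowlist; the second additionally because its visible text names americanexpress.com while the href goes to amexcloudcervice.com), and the genuine HTTPS link to americanexpress.com passes. The registrable() helper is deliberately naive; for country-code TLDs such as .co.uk you would substitute a public-suffix-list lookup.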
After providing login information to the phony American Express page -- and regardless of whether the login information is correct -- users are presented with real-looking pages asking them to enter card numbers, card expiration dates, the card's four-digit CVV code, Social Security numbers, dates of birth, mothers' maiden names, mothers' dates of birth, and email addresses. All of the requests for information appear in an interface that mimics that of the legitimate American Express website, with only minor, hard-for-the-novice-to-notice flaws. Of course, someone might realize there is no reason for American Express to ask for some of this information -- the firm obviously knows your card number once you log in -- but many people have been de facto trained by credit card companies to answer such questions, having been asked to type or recite their card numbers and answer all sorts of security questions when calling the providers by telephone.
There have, of course, been other phishing emails targeting American Express customers (as there have been against holders of other credit cards), and, as mentioned above, even some that exploit the SafeKey security technology offered by American Express for extra trickery. (Did you notice that the phishing email incorrectly separated SafeKey into two words?)
Despite several errors that information-security professionals may find glaring (did you notice the missing © symbol at the bottom?), the current attack is well crafted and, therefore, more likely than many to trick American Express customers, most of whom obviously do not deal with phishing attacks as part of their jobs.
It should also be noted that shutting down phishers is difficult: unless the perpetrators themselves are caught, taking down the phishing servers accomplishes little, since it is simple for the criminals to relaunch the attack from new ones. Nor is it hard for other criminals to copy the phishing interface, add a little code, and launch their own attacks from yet other servers.
So, how should you protect yourself?
Here are some suggestions:
- Never log in to a sensitive site by clicking a link in any message, webpage, or document. Type the site's address into the browser yourself.
- If you receive a communication claiming to be from a bank or credit card company, do not use any phone number or link in the message; call them back at the number on the back of your ATM/debit/credit card.
- Never read email -- or use sensitive websites -- on a device that does not have security software with updates being applied regularly and automatically.
- If you did click a link in a potentially dangerous email, close the browser, disconnect your computer from the internet, and run a malware scan. Ideally, keep the machine off for several days, then download updates and run the scan again. This approach is by no means perfect, but it might reduce the damage if your system was infected by malware.
- Of course, financial institutions should consider using technology such as Green Armor's Identity Cues (For full disclosure -- I co-invented that technology and am the founding CEO of the firm) that make it easy for people to know whether they are accessing a legitimate site or a phisher's clone.
The bottom line: criminals are continuously getting better at crafting phishing emails -- so be prepared.