Skip to content
Home » News » Unveiling American Express Phishing Scams: MerkleFence Analysis Insights: Part 2

Unveiling American Express Phishing Scams: MerkleFence Analysis Insights: Part 2

Determining the Scope of the Phishing Campaigns

To better understand the scope of these phishing campaigns, we investigated the IP address and email address associated with the malicious activities.

IP Address Analysis:

The IP address 191.252.0.9 used by the attacker was analyzed using IPinfo.io, which revealed that it is hosted by AS27715 Locaweb Servicos de Internet S/A, an internet service provider based in São Paulo, Brazil.


This information suggests that the attacker may be operating from or targeting users in Brazil. However, it’s important to note that IP addresses can be spoofed, and the attacker’s true location may differ.

Email Address Analysis:

Analysis of the email address [email protected] using Simple Email Reputation revealed that it has a “RISKY” reputation.

The domain secure.net has a low reputation, and the email address lacks a digital presence on major services like LinkedIn, Facebook, and iCloud, which is typically suspicious. This finding corroborates our initial assessment that the attacker spoofed the secure.net domain to send phishing emails, taking advantage of the lack of proper email security controls.


Further analysis using IPQS revealed more concerning insights:

This is an overall fraud score in the context of online user or customer screening (e.g. automated webshop checkout validation). According to IPQS: ‘Fraud Scores >= 75 are suspicious, but not necessarily fraudulent.’ IPQS recommends ‘flagging or blocking traffic with Fraud Scores >= 85.’


The IP address 191.252.0.9 has a high fraud score of 87, recommended for flagging or blocking traffic according to IPQS.


The email address has a fraud score of 80, considered suspicious.


Maltego Graph:

The Maltego graph visually maps the relationships between the various indicators of compromise (IOCs) associated with the phishing campaign.


Identifying Potential Victims:

Based on the information gathered, the potential victims of these phishing campaigns could include:

  1. American Express customers, and they were targeted by attackers operating from Brazil or routing traffic from that region.
  2. Individuals and organizations with weak email security measures, making them vulnerable to spoofing attacks.
  3. Users who lack awareness about phishing tactics and fail to identify the red flags in the malicious emails.

Actions for Organizations to Safeguard Against Phishing Threats:

To protect against phishing threats like the one analyzed, organizations should take the following steps:

  1. Implement robust email security controls, including SPF, DKIM, and a strong DMARC policy to prevent email spoofing and unauthorized sender impersonation.
  2. Regularly educate employees on identifying phishing emails, recognizing red flags, and reporting suspicious activities.
  3. Deploy advanced email filtering and threat detection solutions that can identify and block phishing attempts before they reach users’ inboxes.
  4. Encourage the use of multi-factor authentication (MFA) for all critical accounts and services to mitigate the risk of credential theft.
  5. Maintain updated cybersecurity policies and incident response plans to effectively respond to and recover from potential phishing attacks.
  6. Collaborate with cybersecurity firms, law enforcement agencies, and industry partners to share threat intelligence and stay informed about emerging phishing tactics.
To safeguard yourself and your company against phishing attacks, it’s crucial to educate all employees about the indicators of phishing and establish a transparent reporting process for such attempts. Additionally, it’s imperative to ensure that your company implements email security measures to prevent your domain from being spoofed and used to distribute phishing emails. Protect your organization from phishing threats with MerkleFence. Talk to Us.