American Express Customers: The Novel Phishing Attack


In a recently protected emailbox with Microsoft’s Office 365 Advanced Threat Protection (ATP) from Cofense Phishing Defense Center researchers, a phish-in attack using a new technique to steal credentials from customers using American Express was found.

The campaign targeted both corporate and consumer cardholders with grammatical error phishing emails and a small but deadly twist, using the HTML component to hide malicious URLs from anti-spam solutions instead of a regular link to the landing page.

This allows the attackers to specify the base URL that must be used to divide the phished landing page into two separate pieces for all relative URLs. The hyperlink is only shown to the end of the malicious link without the domain used to host the landing page, so it also helps to hide from the destination.

“Because of a recent system maintenance the malicious mail asks the victim to check his or her personal information and says that failure to comply would lead to a’ temporal suspension’ of the account,” the report of Cofense says.

This induces the attackers to feel urgent, hoping that their victims are much less vigilant and lower their guard because they are not even thinking about clicking on the links they have opened otherwise.

The short-term panic of the target is a tactic that all scammers use to increase the chances of their victims becoming much more likely to make mistakes and less careful if sensitive information is being asked.

“The victim has to click on the link to verify,” Cofense says. The phishing page is hosted on a domain in an HTML tag, the domain being “the building block for every URL when a single tag is called down further on this page.” The malicious hyperlink redirects users to/44235538420 link that comes out. “At first, this looks like it might be a legitimate website but rather contains an integrated’ basic href’ URL, which leads to the phishing page.”


  • Cards – My account (a personally held American Express account)
  • Membership Rewards accounts
  • Merchant Accounts
  • American Express @ Work (corporate accounts


“This tactic helps the attacker to evade URL filters and gateway services that currently do not have the ability to combine these inert components into a scannable malicious URL,” the report says.

The real landing page to which the victims are sent is an American Express logon portal with four different types of AMEX accounts targeting crooks: “The widespread attack would be very effective when sent en masse, especially with a smart technology to avoid URL filters and email gatewa The following is showing clearly in the drop-down menu on the top left of the phishing page:Phishing landing page

Phishing landing page This is not the first time AMEX customers are targeting their credit card information and social security information, with two of them following American Express customers, as the Office 365 Threat Research team discovered in March.

In December, scammers using a credit card safety issue “hook” were using another AMEX-focused campaign to prompt the targets to open an attached HTML phishing form that returns the input information to the crooks.

It is also important to remember that companies, especially banks, do not request highly sensitive information via online formats. Online information forms are also necessary.

Further, it is strongly recommended that you contact the organization using a phone contact to confirm the contents of the email if you are receiving an email with links to websites that request personal information.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.