Fake American Express Alerts

Published: 2013-08-02. Last Updated: 2013-08-02 16:20:31 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Right now we are seeing fake American Express account alerts. The alerts look very real and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination depends heavily on the browser used.

Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content.
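One mail-gateway check that catches alerts of this kind is to compare where a message's links claim to go with where they actually go: the fake alerts use American Express branding, but the hrefs point at unrelated, compromised hosts. The script below is an added example, not code from the diary or from SANS ISC. It parses an HTML message, extracts every anchor, and flags links whose host is not under a trusted domain for the impersonated brand, marking separately the stronger signal where the visible link text names the brand's domain while the href goes elsewhere. The trusted-domain list and the sample message are constructed for the demonstration.

```python
"""Flag brand-impersonation links in an HTML e-mail (added example, not ISC code)."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of legitimate domains for the impersonated brand; adjust per brand.
TRUSTED_DOMAINS = {"americanexpress.com", "aexp.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href", "") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.links.append((self._current[0], " ".join(self._current[1].split())))
            self._current = None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of one.

    Suffix matching on a leading dot defeats lookalikes such as
    americanexpress.com.evil.example, which merely contain the brand name.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return every http(s) link whose host is outside the trusted domains."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme in ("http", "https") and not host_is_trusted(host, trusted):
            # Visible text naming the brand's domain while the href goes elsewhere
            # is the classic phishing pattern and deserves a higher severity.
            mismatch = any(d in text.lower() for d in trusted)
            findings.append({"href": href, "text": text, "host": host,
                             "display_mismatch": mismatch})
    return findings


def html_body(raw_message):
    """Extract the decoded text/html part of an RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def analyse(raw_message, trusted=TRUSTED_DOMAINS):
    return suspicious_links(html_body(raw_message), trusted)


# Constructed sample in the style of the alerts described above; the hosts are invented.
SAMPLE_EMAIL = """\
From: "American Express" <alerts@example.invalid>
Subject: Account Alert: Recent Charge Approved
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A recent charge on your account was approved. Review it here:</p>
<p><a href="http://compromised-site.example.it/alert.html">https://www.americanexpress.com/account</a></p>
<p><a href="https://www.americanexpress.com/privacy">Privacy statement</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        severity = "HIGH" if finding["display_mismatch"] else "MEDIUM"
        print(f"[{severity}] {finding['host']}: text={finding['text']!r} href={finding['href']}")
```

Run on the constructed sample, the first link is reported as HIGH (brand domain in the visible text, Italian host in the href) and the genuine privacy link is left alone. In a gateway the trusted set would be chosen from the sender's claimed brand, and a HIGH finding is a good candidate for quarantine rather than merely tagging.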

[Image: fake American Express notification]

------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Comments

http://techhelplist.com/index.php/spam-list/293-account-alert-recent-charge-approved-malware

Links go to cracked sites. A simple HTML file calls 3 JavaScript files hosted at more cracked sites.

Those JS scripts just redirect to a 3rd site, which does user agent detection at least and can send you an obfuscated JS HTML response, try to run a Java applet and maybe redirect to yet another site.

The "moneygram payment notification" malware series followed up the same thing with a fake Adobe Flash Player download for a Zbot trojan.
http://techhelplist.com/index.php/spam-list/292-payment-notification-email-fake-moneygram-with-malware
Thanks! That sounds just like the AMEX scam (and so many before that :( ). FWIW: If you get a 501/502 error ("Gateway Timeout"), it means that your user agent was detected as fake (e.g. wget).
We are seeing this in our environment now. We sent the URLs to Websense to block as malicious and sent a copy to AMEX (but I am sure they are aware).
Thanks!
We too received this in our environment. A total of 81 successfully delivered to users, over 1000 blocked by our anti-spam solution once our operations team updated our signatures.

The links we saw within the email all pointed to a number of Italian domains (.it). Searching on Pastebin (http://pastebin.com/TJc6wwjN), I found a post listing the sites as having been compromised back in June.
