
Credential phishing attack targeted 16,000 emails at nonprofit agency

Armorblox researchers detailed a sophisticated phishing attack that targeted employees at a large international nonprofit by impersonating the American Express credit card brand. (Photo by Bryan Bedder/Getty Images for American Express)

Researchers have uncovered an effective recent phishing attack where the fraudster claims to be the prominent charge card brand American Express, and demands that cardholders open an attachment and contact the card company immediately regarding the cardholder’s account, according to a Thursday research post from Armorblox.

“Attackers took advantage of the loyalty and trust victims have in the brand, American Express, in an attempt to steal confidential information,” according to the post, referencing the email spoofing of the well-regarded card brand.

According to Armorblox, the email attack looked like a “legitimate notification email from American Express (AmEx) that included an attachment informing recipients that an account verification was mandatory; otherwise, the account would be suspended.”

The main link inside the attachment, however, led to a fake American Express-branded landing page that prompted victims to sign in to "verify" the account, handing their credentials to the attackers.

“Credential phishing is the most prominent attack type we see against financial firms,” said DJ Sampath, co-founder and CEO of Armorblox. “This zero-day attack contained a malicious URL within the attachment, and protecting against this type of targeted attack is two-fold.”

The attackers sent this campaign from an established, known domain rather than a newly registered one, Sampath said. Because legacy and native email security solutions predominantly stop mass phishing that originates from known malicious domains, many companies lack the capabilities to stop this kind of targeted attack, he pointed out.

“Additionally, zero-day attacks require more advanced techniques such as computer vision-based website forensics,” Sampath added.
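The attack chain described above (a mail that invokes the brand in its sender name and subject, an HTML attachment presented as a "secure message", and a link inside that attachment to a lookalike host that no reputation list has seen) can be caught by consistency checks that do not depend on domain reputation. The following Python is an added example and is not Armorblox's or SC Media's code: it builds a constructed sample message with the shape the article describes, extracts URLs from text-type attachments, and flags the mail when the sender domain or the attachment's link host does not belong to the brand the mail claims to come from. The brand domain list and the sender and link hostnames are assumptions for the demo, not indicators from the report.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed set of domains the impersonated brand really sends from and links to.
# In production this comes from a maintained brand profile, not a literal.
BRAND_DOMAINS = {"americanexpress.com", "aexp.com"}
BRAND_TERMS = ("american express", "amex")
# Phrases the article quotes from the lure; extend from real samples.
URGENCY_TERMS = ("verification is mandatory", "last chance", "suspend", "immediately")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the sample; use the Public
    Suffix List (e.g. tldextract) on real traffic, or co.uk-style hosts misfire."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claims_brand(msg: EmailMessage) -> bool:
    """Does the From display name or the Subject invoke the brand?"""
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return any(term in text for term in BRAND_TERMS)


def text_attachments(msg: EmailMessage):
    """Yield (filename, decoded text) for text/* attachments. Binary lures
    (PDF, DOCX) need a format-specific extractor and are skipped here."""
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "text":
            yield part.get_filename() or "<unnamed>", part.get_content()


def analyze(msg: EmailMessage) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    attachments = list(text_attachments(msg))
    haystack = " ".join([str(msg.get("Subject", "")), body_text]
                        + [text for _, text in attachments]).lower()

    if any(term in haystack for term in URGENCY_TERMS):
        findings.append("urgency language")

    if claims_brand(msg):
        _, sender = parseaddr(str(msg.get("From", "")))
        sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
        if registered_domain(sender_domain) not in BRAND_DOMAINS:
            findings.append(f"sender domain mismatch: {sender_domain}")
        # The article's key detail: the malicious URL lives in the attachment,
        # so links in the body alone would never be examined.
        for fname, text in attachments:
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname or ""
                if registered_domain(host) not in BRAND_DOMAINS:
                    findings.append(f"brand link mismatch in {fname}: {host}")
    return findings


def build_sample(sender="notifications@example-mailer.com",
                 link="https://amex-verify.example.net/login") -> EmailMessage:
    """Constructed message with the shape the article describes. Hostnames are
    placeholders chosen for the demo, not indicators from the report."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = f"American Express <{sender}>"
    msg["To"] = "staff@nonprofit.example"
    msg["Subject"] = "Important Notification About Your Account"
    msg.set_content("Open the attached secure, encrypted message for "
                    "directions on verifying your account.")
    html = ('<html><body><p>Account verification is mandatory; otherwise the '
            f'account will be suspended.</p><a href="{link}">Sign in to verify</a>'
            '</body></html>')
    msg.add_attachment(html, subtype="html", filename="Secure_Message.html")
    # Round-trip through bytes so the analysis runs on a parsed message, the
    # way a gateway would see it, rather than on the object just built.
    return BytesParser(policy=policy.default).parsebytes(msg.as_bytes())


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

This is the cheap, deterministic half of the defence: it does not replace the visual or content analysis of the landing page that Sampath refers to, but it fires on the sample above regardless of whether the sending domain or the link host has any reputation yet. A message whose sender and attachment link both resolve to a domain in the brand profile produces only the urgency finding.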

The attack bypassed Google Workspace's native email security and has so far targeted at least 16,000 employee email addresses at a large international nonprofit agency. Since American Express is popular with business users, who are often issued their charge card by their employer, the lure plays on the cardholder's fear of running afoul of their organization's rules on expenses and reimbursement.

The scam utilizes social engineering, as well as brand impersonation, spoofed landing pages and malware, according to Armorblox, which altogether makes the ruse seem very realistic.

The subject line of these fraudulent emails or texts typically read, “Important Notification About Your Account,” which Armorblox research pointed out, “creat[es] a sense of urgency within the victim that this email is important and should be opened immediately. Once opened, the email looked like a legitimate email communication from American Express, with the information within the email body including directions on how best to view the secure, encrypted message attached.”

After opening the attachment, cardholders are asked to provide additional verification information for their charge card account.

Bad actors create even greater urgency by saying to their victims: “This is your last chance to confirm it before we suspend it.” This often motivates cardholders, especially with bank cards issued by an employer, to walk through the authentication process.

“Vendor compromise and supply chain attacks are the biggest threats to financial firms,” Sampath said. “And successful attackers can do extended damage to the organization’s reputation and financial standing.”
