Phishing is a well-known attack vector, often used by cyber criminals to steal sensitive information such as authentication credentials, credit cards, and personal information. As the Thanksgiving and holiday shopping season approaches, we are anticipating a sharp rise in cyber scams and phishing campaigns.
In this post, we share a recent phishing campaign targeting American Express users. Below are the domains and IP addresses involved in this campaign:
hxxp://agericam-exprezs[.]com : 91.185.215[.]137
hxxp://amepigan-extuezs[.]com : 146.0.72[.]188
The screenshots below show an American Express site that has been mirrored on these domains:
The mirrored site accepts any credentials and then redirects the user to another fraudulent page asking for sensitive information such as their Social Security Number (SSN), Date of Birth, etc., as seen below:
After phishing for user credentials and personal information, the cyber criminal then asks for the credit card details on the following page:
The phishing site sends all the stolen information to a remote server at 94.23.250[.]137 and redirects the user to the original American Express site.
It is extremely important for users to carefully examine the URL in their browser, as well as the SSL certificate information, in order to avert such phishing attempts.
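The URL check recommended above can also be automated on the defender's side, for instance in a mail or web-proxy filter, by scoring how closely a hostname imitates the brand name. The following Python is an added example, not code from the original post; the brand string, the allowlist, the 0.6 threshold and all function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

BRAND = "americanexpress"                 # assumption: brand string to protect
LEGIT_DOMAINS = ("americanexpress.com",)  # assumption: allowlist of real domains
THRESHOLD = 0.6                           # assumption: tune against your own traffic


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return indicator.strip().replace("hxxp", "http", 1).replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_similarity(host: str) -> float:
    """Similarity (0..1) between the brand and the label left of the TLD.

    Simplification: takes the second-to-last label, so multi-part public
    suffixes such as co.uk are not handled.
    """
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    label = label.replace("-", "")
    longest = max(len(label), len(BRAND))
    return 1 - levenshtein(label, BRAND) / longest


def is_lookalike(url: str) -> bool:
    """True when the host imitates the brand but is not an allowlisted domain."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    if not host:
        return False
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    return brand_similarity(host) >= THRESHOLD


if __name__ == "__main__":
    # The two defanged indicators from this post, plus two constructed controls.
    for u in ("hxxp://agericam-exprezs[.]com", "hxxp://amepigan-extuezs[.]com",
              "https://www.americanexpress.com/", "http://example.com/"):
        print(u, is_lookalike(u))
```

A similarity score like this only catches misspelled brand names; it does not replace certificate inspection or reputation checks for domains that do not resemble the brand at all.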