Credential Attack Impersonates Amex


December 12, 2024

The NJCCIC’s email security solution detected a new credential- and card-harvesting phishing scheme impersonating American Express. Several subject lines were used in this campaign:

  • Account Restricted: Your email has been changed
  • “Dispute Alert “ Woo! Your credit has posted
  • Merchant Credit Posted On Your Account
  • Please update your income

Upon clicking the provided link, users are redirected to a webpage imitating an American Express login page. While this webpage may appear legitimate, the incorrect domain is a red flag. If any credentials are entered on this landing site, they will be captured and forwarded to the threat actors behind this attack.

The final layer of this attack is an attempt to harvest credit card information. This landing page claims to be a final verification step to confirm the user’s identity, but the threat actors will also capture any information provided.
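The subject lines and the incorrect-domain red flag described above can be combined into a simple mail-triage check. The following is an added example, not part of the original advisory: the allow-list containing only americanexpress.com is an assumption to be extended from verified sources, and the sample message and its .example hosts are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: allow-list of official domains; extend from verified sources.
OFFICIAL_DOMAINS = {"americanexpress.com"}
# Subject lines reported in the advisory, lower-cased for matching.
CAMPAIGN_SUBJECTS = (
    "account restricted: your email has been changed",
    "woo! your credit has posted",
    "merchant credit posted on your account",
    "please update your income",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """From: "American Express" <alerts@mail.example>
Subject: Merchant Credit Posted On Your Account
Content-Type: text/plain

View the credit: https://americanexpress.com.verify.example/login
Help: https://www.americanexpress.com/help
Alt: https://americanexpress.com@login.example/session
"""

def is_official(url):
    """True only if the host is an official domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as not official
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(raw_email):
    """Return (subject matches campaign, links not on an official domain)."""
    msg = message_from_string(raw_email)
    subject = (msg.get("Subject") or "").lower()
    subject_hit = any(s in subject for s in CAMPAIGN_SUBJECTS)
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    off_domain = [u for u in URL_RE.findall(body) if not is_official(u)]
    return subject_hit, off_domain

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host comparison is done on the parsed hostname, so a brand name placed in a subdomain prefix or before an `@` in the URL does not pass the check.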

Recommendations

  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Type official website URLs into browsers manually.
  • Only submit account credentials and payment information on official websites.
  • Refrain from clicking links delivered in unverified emails.
  • Ensure MFA is enabled for all online accounts.
  • Credentials used to log into malicious apps should immediately be changed.
  • If payment information was submitted to a malicious website, notify the banking institution immediately and request a new payment card.