Financial Gain Phishing Campaign
The NJCCIC observed multiple phishing campaigns aimed at financial gain. In one campaign, users receive a phishing email impersonating American Express that claims a large number of earned reward points are about to expire. The messages include a URL that directs to a fake American Express authentication page designed to steal user credentials. Any credentials entered will be forwarded to the threat actors behind the campaign, which uses the “CoAceV” phishing kit.

This kit was first observed near the end of April 2025 and has primarily targeted users in Japan. It also shares similarities with the “CoGUI” and “Darcula” phishing kits. The CoAceV phishing kit employs advanced evasion techniques, such as geofencing, header fencing, and fingerprinting, to bypass automated defenses and analysis. These methods enable the kit to target specific geographical regions while bypassing security measures, making it a significant threat to users in targeted countries.

A second campaign was observed that mimics an out-of-storage notice. To imply urgency, messages contain the subject line “Access Denied: Account Locked.” If the user clicks the link in the email, they are directed to a site that claims their files are at risk and requests payment for additional storage. A countdown timer labeled “Time until deletion” is displayed to convince users to act quickly.
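
One way to triage mail for the two lures described above, added here as an example and not NJCCIC tooling: it flags messages that name American Express but link to a host outside an allowlist, and messages carrying the phrases quoted from the storage lure. The allowlist contents, function names, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumption: allowlist of the brand's legitimate domains; extend for your environment.
BRAND_DOMAINS = {"american express": {"americanexpress.com"}}
# Phrases quoted in the advisory for the out-of-storage lure.
STORAGE_LURE_PHRASES = ("access denied: account locked", "time until deletion")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def url_hosts(text):
    """Collect the hostnames of every http(s) URL found in text."""
    hosts = set()
    for u in URL_RE.findall(text):
        try:
            host = urlsplit(u).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts

def on_brand(host, domains):
    # Exact match or true subdomain only; "brand.com.other.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return a sorted list of reasons the message matches either lure."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = f"{msg['subject'] or ''}\n{msg['from'] or ''}\n{body}".lower()
    reasons = set()
    for brand, domains in BRAND_DOMAINS.items():
        off_brand = sorted(h for h in url_hosts(body) if not on_brand(h, domains))
        if brand in text and off_brand:
            reasons.add(f"brand-link-mismatch:{brand}:{off_brand[0]}")
    if any(p in text for p in STORAGE_LURE_PHRASES):
        reasons.add("storage-lure-phrase")
    return sorted(reasons)

# Constructed sample messages (not real campaign artifacts).
SAMPLES = {
    "amex_lure": "From: American Express <rewards@mail.example>\nSubject: Your reward points expire soon\n\nSign in: https://americanexpress.com.rewards-login.example/auth\n",
    "amex_legit": "From: American Express <info@americanexpress.com>\nSubject: Your statement\n\nView it at https://www.americanexpress.com/statements\n",
    "storage_lure": "From: Cloud Storage <notice@storage.example>\nSubject: Access Denied: Account Locked\n\nYour files are at risk: https://storage-renew.example/pay\n",
}
```

The host comparison works on the parsed hostname, so a link that merely begins with the brand's domain as a prefix label is still treated as off-brand.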
Recommendations
- Exercise caution with communications from known senders or legitimate platforms.
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
- Enable multi-factor authentication (MFA) and keep systems and browsers up to date.
- If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
- Users who submitted credit card information to these webpages are advised to contact their banking institutions to cancel their credit cards and identify fraudulent purchases.
- Report malicious cyber activity to the NJCCIC and the FBI’s IC3.
