Phishing Grows Up?

This morning I got an email ostensibly from American Express, asking me to set up a 'SafeKey' to add an extra level of protection to my online purchases.

[Screenshot of the email, taken 2016-11-18]

It looks legit. One of the first things I do is hover my mouse pointer over the supplied link: often the link text will say it goes to Amex, but the tooltip that appears when you hover says something like http://nastymalware.com/fakeamexsite.html, and you know it's fake. This one goes to amexssafekey.com (don't click on that, by the way!).

That's interesting: it's not normal for these fakers to be able to register a website with the trademarked business name in it. Things became curiouser still when I actually clicked through to the website. It looks like this:

[Screenshot of the website, taken 2016-11-18]

That looks pretty legit too, doesn't it? So I figured I should check it out a bit more. I did a Google search for 'Amex Safe Key' and found that it is a legit service. However, none of the legit Amex sites have any link back to the site that I suspect is phishing me. That's not really great evidence, since the site could be a new addition to the family, so what to do next?

I check the site again, and it does not have a secure connection! Aha, finally getting somewhere: when you visit a legit site, it should have a little lock symbol next to the URL. You can then click on that lock to see the security certificate and check its provenance. No lock means no secure HTTPS browsing, and that's very suspicious for a banking site. And then I noticed that the URL has an extra 'S' in it: amexs safe key. That could explain a lot!

The next thing I did was go back to the original email. If you open an email in Mac Mail and go to View > Message > All Headers, it will show you a bunch of detail about who sent the email, and you can usually catch spoofed emails here. This one says the email came from amex-emails.com and also had a DKIM header, which implies that the email might be legit (although a valid DKIM signature only proves that whoever controls amex-emails.com signed the message, not that amex-emails.com belongs to American Express). We're going around in circles here, so let's check the domain registrations.

amex-emails.com: registered with GoDaddy yesterday!
amexssafekey.com: registered by ERANET INTERNATIONAL LIMITED 2 days ago!
americanexpress.com: registered by CSCGlobal

Those top two domains are owned by a web of fake corporations in Russia and Hong Kong, and most of the registration info looks likely to be fake. So we have finally figured out that the email is a phishing email. One more thing: let's have some fun. I put in some obviously fake details. Sometimes these sites will give you a success message, but this one didn't. When you input your details it stores them in a database to be used or sold later. This one kept telling me my login was incorrect; I suppose it gives the thieves more options if you keep on putting in your details!
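The checks walked through above (a plain-HTTP link, a brand name in a domain the brand does not own, a DKIM signer that is not the brand's domain, and domains registered days ago) can be scripted for mail triage. This is an added example, not code from the original post; the header values, link and WHOIS creation dates are constructed to mirror the post, and the owned-domain list, brand keywords and 30-day "new domain" threshold are assumptions.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample mirroring the post: mail from amex-emails.com (also the DKIM d=),
# a plain-HTTP link on amexssafekey.com, WHOIS dates for "yesterday" / "2 days ago".
HEADERS = {
    "From": "American Express <alerts@amex-emails.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=amex-emails.com; s=k1; h=from:to:subject;",
}
LINK = "http://amexssafekey.com/safekey/enroll"
WHOIS_CREATED = {"amex-emails.com": date(2016, 11, 17), "amexssafekey.com": date(2016, 11, 16)}
TODAY = date(2016, 11, 18)
OWNED = {"americanexpress.com"}           # assumed: domains the brand actually uses
BRAND_KEYWORDS = ("amex", "americanexpress")
NEW_DOMAIN_DAYS = 30                      # assumed threshold for "suspiciously new"

def registrable(host: str) -> str:
    """Last two labels only; fine for .com, too naive for ccTLDs like .co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def dkim_signer(sig: str):
    """A valid DKIM signature proves only that d= signed the mail, not that the brand did."""
    m = re.search(r"\bd=([^;\s]+)", sig)
    return m.group(1).lower() if m else None

def impersonates_brand(domain: str) -> bool:
    return domain not in OWNED and any(k in domain for k in BRAND_KEYWORDS)

def triage(headers, link, whois_created, today):
    findings = []
    url = urlparse(link)
    link_dom = registrable(url.hostname)
    if url.scheme != "https":
        findings.append("link is plain HTTP")
    sender_dom = registrable(re.search(r"@([\w.-]+)", headers["From"]).group(1))
    signer = dkim_signer(headers.get("DKIM-Signature", ""))
    if signer and signer not in OWNED:
        findings.append(f"DKIM signer {signer} is not an owned domain")
    for dom in dict.fromkeys([link_dom, sender_dom]):    # de-duplicate, keep order
        if impersonates_brand(dom):
            findings.append(f"{dom} uses the brand name but is not an owned domain")
        created = whois_created.get(dom)                 # None when WHOIS data is missing
        if created and (today - created).days < NEW_DOMAIN_DAYS:
            findings.append(f"{dom} registered {(today - created).days} day(s) ago")
    return findings

if __name__ == "__main__":
    print(*("SUSPICIOUS: " + f for f in triage(HEADERS, LINK, WHOIS_CREATED, TODAY)), sep="\n")
```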

Anyway, this is a REALLY professional-looking phishing attempt, but do you know what made me suspicious? They sent it to one of my email addresses that American Express doesn't have on record! D'oh...