American Express Impersonator Uses URL Shortener and Spoofed Email Address in Phishing Attack
In this credential phishing attack, threat actors impersonate American Express and email the target a notification regarding their credit card. Using a spoofed sender address and a subject line of “Credit had been paused”, the attacker claims that the recipient's access to their credit card has been suspended due to suspicious activity on their account. It prompts the recipient to verify their personal information and card details by logging in through a provided link. However, the link actually links to a phishing page designed to steal sensitive information. To obfuscate the true destination of the link, the attacker used a URL shortener. By exploiting the trusted name of American Express and the urgency of potential credit issues, the attacker hopes to compel the recipient to provide sensitive information without scrutinizing the email's legitimacy.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed email address, employs the use of a URL shortener to mask the true link destination, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious links in the message, and conduct advanced content analysis to correctly flag this email as an attack.
Phishing attempt impersonating American Express sent from a spoofed email address
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
- Use of URL Shortener: The link was shortened using TinyURL, which helps it pass link verification checks by masking the true destination.
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of a link leading to a suspicious domain, triggering deeper analysis for possible malicious intent.
- Content Analysis: The email's urgent message about the recipient's credit being paused is flagged by Abnormal as a common phishing tactic.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.