Attacker Impersonates American Express to Trick Targets into Downloading Malware in Password Reset Scam
In this malware attack, a threat actor impersonates American Express and emails the target a notification that their password has been changed. To increase the appearance of legitimacy, the attacker incorporates multiple elements of American Express’ official branding and sets the sender display name to “American Express.” They also use the email address “americanexpresssecure@send[.]com,” which, at first glance, appears genuine. The email directs the recipient to download an encrypted secure document titled "AmericanExpress_SecureFile[.]html" to restore their account access if they did not initiate the password reset. However, this HTML attachment likely contains malware designed to install malicious software on the recipient's device. By impersonating a known, trusted brand and creating a sense of urgency regarding unauthorized account access, the attacker aims to compel the target to act quickly and download the malicious payload.
Older, legacy email security tools struggle to accurately identify this email as an attack because it has a legitimate-looking domain, uses recognizable professional branding, and contains recognized links that will pass simple analysis. Modern, AI-powered email security solutions detect anomalies in the content, recognize that the email is sent from an unknown sender, and analyze attachments to correctly mark this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Legitimate-Looking Domain: The email is sent from a legitimate email domain “send[.]com”, making it less likely to be flagged by basic domain filters.
- Professional Branding: The email uses American Express logos and professional language that mimics official communications, making it harder for content-based filters to detect anomalies.
- Recognized Links: The email footer includes links to actual American Express URLs, which can lend an air of authenticity and pass through simple link verification checks.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Content Anomalies: The email's urgent message about a password change and the prompt to download an attachment (AmericanExpress_SecureFile.html) are flagged by Abnormal’s advanced content analysis algorithms.
- Unknown Sender Consideration: Abnormal recognizes that the email is coming from an unknown sender who has never had communication with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Attachment Analysis: The suspicious nature of the HTML attachment (AmericanExpress_SecureFile.html) prompts Abnormal’s automated systems to flag the email for potential malicious content.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.