Legitimate-looking notifications hide a malicious scheme

May 21, 2012 13:35 GMT  ·  By

Emails apparently originating from American Express have been landing in inboxes, asking recipients to verify their user IDs and reset their passwords. In reality, the notifications are part of a scheme designed to trick users into visiting a website on which the Blackhole exploit kit is hosted.

Usually when we think about malicious emails from financial institutions, we picture a shady form that requests credit card information and other private data. However, as we see in this particular scenario, security-themed alerts can be just as effective in serving malware.

“Did you recently verify your User ID or reset the password that you use to manage your American Express® Card account online? If so, you can disregard this email. To help protect your identity online, we wanted to be sure that you had made this request,” reads the email.

“If not, please click here, or log on to [Link] so we can protect your account from potential fraud. Thank you for your Cardmembership,” it continues.

Internauts who make the mistake of clicking on the link are taken to a site on which a “Please wait page is loading” alert is displayed. While the page is apparently being fetched, the victim is redirected to another domain that hosts the infamous exploit kit.

Once a victim's browser lands on that page, Blackhole attempts to exploit known vulnerabilities in order to download additional malicious components onto the system.

To make everything look even more legitimate, the fraudsters have placed a number of links within the email, all of which appear to point to pages on americanexpress.com. Of course, none of them leads to the genuine domain; every one points to a site controlled by the cybercriminals.
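As an added example (not part of the article), the following defender-side check parses an email body and flags anchors whose destination host does not belong to the brand the message claims to come from, including the display-text/href mismatch described above. The HTML body and all hosts in it are constructed sample data, and the brand domain set is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not the real phishing message).
SAMPLE_EMAIL_HTML = """
<p>Please <a href="http://secure-login.example-bad.test/amex/verify">click here</a>
or log on to <a href="http://203.0.113.5/aexp/">https://www.americanexpress.com/</a>
so we can protect your account.</p>
<p><a href="https://www.americanexpress.com/privacy">Privacy Statement</a></p>
"""

# Assumed set of domains the claimed sender actually uses.
BRAND_DOMAINS = {"americanexpress.com"}


def _belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, brand_domains=BRAND_DOMAINS):
    """Return (href, text, reason) for every link that leaves the brand's domains."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower()
        goes_to_brand = any(_belongs_to(host, d) for d in brand_domains)
        if goes_to_brand:
            continue  # genuine destination, nothing to flag
        names_brand = any(d in text.lower() for d in brand_domains)
        reason = ("display text names brand, href does not" if names_brand
                  else "off-brand destination")
        findings.append((href, text, reason))
    return findings
```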

Keep your computer safe by ensuring that your security software and critical components are up-to-date at all times.