Interesting People mailing list archives

Amex goes phishing


From: David Farber <dave () farber net>
Date: Thu, 22 Jan 2009 18:06:07 -0500



Begin forwarded message:

From: "James J. O'Donnell" <provost () georgetown edu>
Date: January 22, 2009 5:36:54 PM EST
To: David Farber <dave () farber net>
Subject: Amex goes phishing

Dave, I kid you not.

Got messages on various accounts over the weekend from American
Express to tell cardholders that their 2008 year-end statement is
online.  Just click on this address, it said, giving an address.  If
you mouse-overed the address, a different address appeared in the
status bar, and if you clicked on the address, you went to a third
uniquely different address.  I did so, on a machine that could be
cleaned if it were compromised, twice.  What I found when I got there
is that after you clicked on the nonconforming link, you went to a
page that asked you to input credit card information:  either your
existing login/password for the amex site *or*, if you didn't have
login/pwd yet, to input your actual credit card information including
card number, expiry date, and 4-digit "security code".

Now I believe that the message was in fact legit:  came from Amex and
led you to a site that was what it said it was.  What gobsmacked me
was that Amex was using classic phishing technique to get you to their
site, and asked you once there to engage in *exactly* the behavior
that we tell everybody not to behave in.

So what happened?  Today we got two messages that obviously responded
to the incomplete logins yesterday -- alerts to tell us that there was
a problem with that account due to multiple attempted logins and
asking us to log in to the site to check and confirm information there.
The "security messages" took exactly the same form:  please click on
this inconsistent URL and when you get to the page referenced, go
ahead and input confidential information.

I phoned Amex and nobody on their standard phone lines understood the
issue, but they got me eventually to corporate in NYC and I spoke to
someone in "investigations" who got what I was saying instantly and I
could hear him shaking his head.  He said he'd get on it.

Jim O'Donnell
Georgetown
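The tell Jim describes, visible address, actual href and landing page all differing, is mechanical enough to flag automatically at a mail gateway. The following is an added example, not part of the original mail or of any Amex system: it parses a constructed HTML body (hostnames and paths are assumed, not the real message) and reports anchors whose displayed address names a different host than the link really points to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; the hostnames and paths are assumed, not the real mail.
SAMPLE_HTML = """
<p>Your 2008 year-end statement is now online.</p>
<p>View it at <a href="http://click.tracker-example.net/t?u=8123">
https://www.americanexpress.com/statements</a>.</p>
<p>Questions? <a href="https://www.americanexpress.com/help">Help center</a></p>
"""

# A hostname (optionally preceded by a scheme) appearing in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so a wrapped URL compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an absolute URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible_text, href) for anchors whose visible text names a host
    other than the one the href actually points to: the classic phishing tell."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, relative links: nothing to compare
        m = DOMAIN_RE.search(text)
        if m and m.group(1).lower() != host_of(href):
            flagged.append((text, href))
    return flagged
```

Plain-word anchor text such as "Help center" is skipped, since only a displayed address can contradict the real target; the redirect to a third host that Jim saw after clicking cannot be checked offline and would need the gateway to resolve the link.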



