Please Activate Your Personal Security Key American Express Phishing

Phishing Scam

A slightly weird set of emails has been received this afternoon. The subject is "Please activate your Personal Security Key", coming from American Express <welcome@amex-mails.com>.

Additional sending addresses found so far include Amex-mails.com | amexmails.com | amex-emails.com | amexmails.com. All were registered today by, surprise, surprise, GoDaddy.com. They currently do not have an IP number associated with them. When they were received, the emails came from:

172.99.87.130  San Antonio Texas US AS27357 Rackspace Hosting
Received: from [172.99.87.130] (port=58359 helo=amex-mails.com)
	by knight.knighthosting.co.uk with esmtp (Exim 4.87)
	(envelope-from <welcome-xerox.517=thespykiller.co.uk@amex-mails.com>)
	id 1c7NqA-0002bP-Uh
	for xerox.517@thespykiller.co.uk; Thu, 17 Nov 2016 14:39:03 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=amex-mails.com;
 h=Mime-Version:From:Date:To:Subject:Content-Type:Message-ID;
 bh=PMmSQu6y8k0WmHCkurDSmIBUEuM=;
 b=RuZZ64Kk9qfOJBsfKGb0sZmMIFHs1izi5ff59jp/vKQjvpF6B7YUrVdSCuw6T0mHB6sojuYaawiI
   odcgdicy6R1QStQOoPSeT/VHgQcvqa5rutaNZyEbVIzgqgJmhO2NMsHL9iQoyeJNQDgv2iOA6x/U
   m1rFOecmFmPZABkQgC3c6B5u2mV++w9NahM0ZkkgyZkNvYblFszVShwsYajSjzbxtt3X7i4YnyIz
   CJLG4OlZWoqsGBM936+Kb9s0P8RvN0A9/x/6fl3c1Cz5/LW6pkqnUmpPAkQKzeKu3y2Y3JpViLur
   Z4U3N3zTxF2YMBR+yal5qKgYZ73s6woBgG25dw==
Received: by amex-mails.com id h5n0ggbdd9op for <xerox.517@thespykiller.co.uk>; Thu, 17 Nov 2016 09:35:53 -0500 (envelope-from <welcome-xerox.517=thespykiller.co.uk@amex-mails.com>)
Mime-Version: 1.0
From: "American Express" <welcome@amex-mails.com>
Date: Thu, 17 Nov 2016 09:35:53 -0500
To: xerox.517@thespykiller.co.uk
Subject: Please activate your Personal Security Key
Content-Type: multipart/alternative;
 boundary=e86876e43ac098a80f7db008632bf2db
Message-ID: <0.0.0.0.1D240DFE65DAF72.31CB3607@amex-mails.com>
--e86876e43ac098a80f7db008632bf2db

The weird thing is the emails appear blank when opened in Outlook, but using view source I can see the email in its full glory, including the links to click to get to the phishing site. A plain-text version is:

SafeKey Logo

Please activate your Personal Security Key

American Express SafeKey is an authentication service that provides an additional layer of fraud protection. This service is part of our continuous efforts to increase account security. Beginning April 2016, you may be asked to enter a One-Time Code or other verification information to complete a purchase.

As a Card Member you are enrolled in American Express SafeKey, so you just need to take one additional step to benefit from this security feature. You may update your contact information during the SafeKey create process, through your online account.

To create your American Express SafeKey please click the button bellow

Create SafeKey <http://aexpsafekeys.com>

Note: You will be redirected to a secure encrypted website.

The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Thank you,

American Expres

This is a customer service e-mail from American Express. Using the spam/junk mail function may not block servicing messages from being sent to your email account. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us securely via customer service.

Copyright 2016 American Express. All rights reserved.

A screenshot of the HTML is

Alternative links in emails go to http://amexsafekeys.com/ | http://americanexpressafekey.com | http://amex-mails.com | http://amexmails.com

aexpsafekeys.com was registered yesterday, 16 November 2016, and is hosted on these IP addresses: 95.163.127.249 and 188.227.18.142, which look like they belong to a Russian network.

http://amexsafekeys.com/ was also registered yesterday by the same Russian name and is hosted on the same IP addresses, 188.227.18.142 and 95.163.127.249.

http://americanexpressafekey.com was also registered yesterday and is on the same IP addresses.

Following the link to aexpsafekeys.com, you get a typical phishing page like this, where they want all the usual information about you, your family, and your bank/credit cards, etc.
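A mail-filter style check for the pattern described above, as an added example that is not part of the original post: it flags a From domain, DKIM signing domain and link hosts that carry the brand's name but are not the brand's own domain. The allowlist, the token watch list and all function names are assumptions; the sample message is a trimmed copy of the headers and link quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the brand's real domain(s); maintain this set yourself.
LEGIT = {"americanexpress.com"}
# Hypothetical watch list of brand fragments seen in the domains above.
BRAND_TOKENS = ("amex", "aexp", "americanexpres")

# Trimmed copy of the quoted headers and link (DKIM bh=/b= values omitted).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=amex-mails.com;
 h=Mime-Version:From:Date:To:Subject:Content-Type:Message-ID
From: "American Express" <welcome@amex-mails.com>
Subject: Please activate your Personal Security Key

Create SafeKey <http://aexpsafekeys.com>
"""

def is_legit(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT)

def lookalike(host):
    # Brand fragment in the name, but not the brand's domain or a subdomain.
    return not is_legit(host) and any(t in host.lower() for t in BRAND_TOKENS)

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if lookalike(from_dom):
        findings.append(("from-lookalike", from_dom))
    # DKIM d= only says who signed; a valid signature from a lookalike
    # domain proves nothing about the brand.
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if m and not is_legit(m.group(1)):
        findings.append(("dkim-signer-not-brand", m.group(1).lower()))
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if lookalike(host):
            findings.append(("link-lookalike", host))
    return findings

if __name__ == "__main__":
    for rule, value in triage(SAMPLE):
        print(rule, value)
```

The sample is a single-part message; for the real multipart/alternative mail, run the link check over each part, which also covers bodies that render blank in the mail client.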