A rather odd set of emails arrived this afternoon. The subject is "Please activate your Personal Security Key", purporting to come from American Express <email@example.com>.
Additional sending domains found so far include Amex-mails.com | amexmails.com | amex-emails.com | amexmails.com, all registered today through, surprise surprise, GoDaddy.com. They currently have no IP address associated with them. When received, the emails came from:
184.108.40.206 | San Antonio, Texas, US | AS27357 Rackspace Hosting
Received: from [220.127.116.11] (port=58359 helo=amex-mails.com) by knight.knighthosting.co.uk with esmtp (Exim 4.87) (envelope-from <firstname.lastname@example.org>) id 1c7NqA-0002bP-Uh for email@example.com; Thu, 17 Nov 2016 14:39:03 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=amex-mails.com; h=Mime-Version:From:Date:To:Subject:Content-Type:Message-ID; bh=PMmSQu6y8k0WmHCkurDSmIBUEuM=; b=RuZZ64Kk9qfOJBsfKGb0sZmMIFHs1izi5ff59jp/vKQjvpF6B7YUrVdSCuw6T0mHB6sojuYaawiI odcgdicy6R1QStQOoPSeT/VHgQcvqa5rutaNZyEbVIzgqgJmhO2NMsHL9iQoyeJNQDgv2iOA6x/U m1rFOecmFmPZABkQgC3c6B5u2mV++w9NahM0ZkkgyZkNvYblFszVShwsYajSjzbxtt3X7i4YnyIz CJLG4OlZWoqsGBM936+Kb9s0P8RvN0A9/x/6fl3c1Cz5/LW6pkqnUmpPAkQKzeKu3y2Y3JpViLur Z4U3N3zTxF2YMBR+yal5qKgYZ73s6woBgG25dw==
Received: by amex-mails.com id h5n0ggbdd9op for <firstname.lastname@example.org>; Thu, 17 Nov 2016 09:35:53 -0500 (envelope-from <email@example.com>)
Mime-Version: 1.0
From: "American Express" <firstname.lastname@example.org>
Date: Thu, 17 Nov 2016 09:35:53 -0500
To: email@example.com
Subject: Please activate your Personal Security Key
Content-Type: multipart/alternative; boundary=e86876e43ac098a80f7db008632bf2db
Message-ID: <0.0.0.0.1D240DFE65DAF72.31CB3607@amex-mails.com>
Contents
--e86876e43ac098a80f7db008632bf2db
The odd thing is that the emails appear blank when opened in Outlook, but using "view source" I can see the email in its full glory, including the links to click to reach the phishing site. The plain-text version reads:
Please activate your Personal Security Key
American Express SafeKey is an authentication service that provides an additional layer of fraud protection. This service is part of our continuous efforts to increase account security. Beginning April 2016, you may be asked to enter a One-Time Code or other verification information to complete a purchase.
As a Card Member you are enrolled in American Express SafeKey, so you just need to take one additional step to benefit from this security feature. You may update your contact information during the SafeKey create process, through your online account.
To create your American Express SafeKey please click the button bellow
Create SafeKey <http://aexpsafekeys.com>
Note: You will be redirected to a secure encrypted website.
The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
This is a customer service e-mail from American Express. Using the spam/junk mail function may not block servicing messages from being sent to your email account. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us securely via customer service.
Copyright 2016 American Express. All rights reserved.
A screenshot of the HTML version:
Alternative links in the emails go to http://amexsafekeys.com/ | http://americanexpressafekey.com | http://amex-mails.com | http://amexmails.com
aexpsafekeys.com was registered yesterday, 16 November 2016, and is hosted on the IP addresses 18.104.22.168 and 22.214.171.124, which appear to belong to a Russian network.
http://amexsafekeys.com/ was also registered yesterday under the same Russian registrant name and is hosted on the same IP addresses, 126.96.36.199 and 188.8.131.52.
http://americanexpressafekey.com was also registered yesterday and is hosted on the same IP addresses.
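As an added example (not code from the original post), here is a small Python triage script that pulls the indicators discussed above out of a raw message: the connecting IP and HELO name from the Received header, the DKIM d= signing domain, the From: display name and address, and every link target in the HTML part. It then flags domains that borrow the brand's name without being the brand's own domain. The message it runs on is a constructed sample: the headers follow the ones quoted above (the DKIM b= value is truncated), the multipart body is made up, and BRAND_DOMAINS, BRAND_TOKENS and the function names are assumptions of this example.

```python
"""Triage helper for a brand-impersonation e-mail (added example, not the
post's own code): extract sender indicators and link targets, flag lookalikes."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the brand's genuine domain(s), and tokens a
# lookalike domain is likely to borrow.
BRAND_DOMAINS = {"americanexpress.com"}
BRAND_TOKENS = ("amex", "americanexpress", "aexp", "safekey")

# Constructed sample. Headers follow those quoted in the post (DKIM b= value
# truncated); the body is made up: an empty text/plain part, then an HTML part.
SAMPLE = """Received: from [220.127.116.11] (port=58359 helo=amex-mails.com)
\tby knight.knighthosting.co.uk with esmtp (Exim 4.87)
\t(envelope-from <firstname.lastname@example.org>)
\tid 1c7NqA-0002bP-Uh for email@example.com; Thu, 17 Nov 2016 14:39:03 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=amex-mails.com;
\th=Mime-Version:From:Date:To:Subject:Content-Type:Message-ID;
\tbh=PMmSQu6y8k0WmHCkurDSmIBUEuM=; b=RuZZ64Kk9qfOJBsfKGb0sZmMIFHs1izi5ff59jp
Mime-Version: 1.0
From: "American Express" <firstname.lastname@example.org>
Date: Thu, 17 Nov 2016 09:35:53 -0500
To: email@example.com
Subject: Please activate your Personal Security Key
Content-Type: multipart/alternative; boundary=e86876e43ac098a80f7db008632bf2db
Message-ID: <0.0.0.0.1D240DFE65DAF72.31CB3607@amex-mails.com>

--e86876e43ac098a80f7db008632bf2db
Content-Type: text/plain; charset=us-ascii

--e86876e43ac098a80f7db008632bf2db
Content-Type: text/html; charset=us-ascii

<html><body>
<p>To create your American Express SafeKey please click the button below</p>
<a href="http://aexpsafekeys.com">Create SafeKey</a>
<a href="http://amexsafekeys.com/">Create SafeKey</a>
<a href="https://www.americanexpress.com/phishing">report a suspicious e-mail</a>
</body></html>
--e86876e43ac098a80f7db008632bf2db--
"""


class _LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def is_lookalike(domain):
    """True when a domain borrows a brand token but is not a brand domain."""
    d = domain.lower()
    if d.startswith("www."):
        d = d[4:]
    if d in BRAND_DOMAINS or any(d.endswith("." + b) for b in BRAND_DOMAINS):
        return False
    return any(token in d for token in BRAND_TOKENS)


def dkim_tags(msg):
    """Split the first DKIM-Signature header into its tag=value pairs."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {}
    tags = {}
    for item in str(sig).split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def analyze(raw):
    """Return the indicators and a list of human-readable findings."""
    msg = Parser(policy=policy.default).parsestr(raw)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # First Received header: the IP that connected to our MX and its HELO name.
    received = str(msg.get("Received", ""))
    m = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\].*?helo=([\w.-]+)", received, re.S)
    source_ip, helo = (m.group(1), m.group(2)) if m else (None, None)

    dkim_domain = dkim_tags(msg).get("d")

    html_part = msg.get_body(preferencelist=("html",))
    links = extract_links(html_part.get_content()) if html_part is not None else []
    link_domains = sorted({urlparse(u).hostname for u in links if urlparse(u).hostname})
    lookalikes = [d for d in link_domains if is_lookalike(d)]

    findings = []
    claimed = display_name.lower().replace(" ", "")
    if any(t in claimed for t in BRAND_TOKENS) and from_domain not in BRAND_DOMAINS:
        findings.append(f"display name '{display_name}' claims the brand but sender domain is {from_domain}")
    if dkim_domain and is_lookalike(dkim_domain):
        # A valid signature only proves the sender controls the signing domain.
        findings.append(f"DKIM signed by lookalike domain {dkim_domain}")
    for d in lookalikes:
        findings.append(f"link to lookalike domain {d}")

    return {"display_name": display_name, "from_domain": from_domain,
            "source_ip": source_ip, "helo": helo, "dkim_domain": dkim_domain,
            "links": links, "lookalike_domains": lookalikes, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE)["findings"]:
        print("FLAG:", finding)
```

The check is deliberately on the DKIM signing domain rather than on whether the signature verifies: a signature from amex-mails.com that validates perfectly still only tells you that whoever sent the mail controls amex-mails.com, which is exactly what the registration data above already shows.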
Following the link to aexpsafekeys.com brings you to a typical phishing page like this one, which asks for all the usual information about you, your family, and your bank/credit cards.