AMEX Phisher Leaks Thousands of Victim IPs

Our discovery: whether the AMEX phisher realized or not, the IP addresses of over 4000 potential victims were publicly recorded by a url shortener.

Within a minute of buying an iced latte at a local coffee shop with my AMEX card, I received the following SMS on my iPhone:

phishing SMS

I usually get push notifications after my card is swiped, but this was an SMS and it looked phishy: “AmeexSeerve”. Specifically, there was a strange link from some URL shortener I’ve never heard of before: “http://bit.do”. Was someone trying to phish me?

Background: I am an MIT student with a research focus in Security/Crypto. I am also starting a cybersecurity company. Naturally, I was curious where this link led and the methods of the attackers. One of my co-founders, Kevin King, was getting coffee with me, so we both decided to take a deeper look and pulled out our laptops.

The Redirect to the Phishing Page

The bit.do link redirects to the following strange url 81.61.157.51.dyn.user.ono.com/serve/index.htm serving the following page:

phishing page

The page looks like a legitimate login page for AMEX Serve — except there is no SSL and the URL is not an AMEX URL. The assets link directly to the AMEX assets served through their CDN.

Note: Google Chrome blocked this as phishing site, Safari, however, did not.

> 4000 Phishees and Counting

We thought our simple dig was over until we decided to checkout the bit.do url shortener to see if we could learn more about the attack…and boy we sure did.

Bit.do seems to be legitimate as far as we can tell, but their privacy leaves something to be desired. Specifically, they have this nice “statistics” page which is publicly accessible to anyone with the short url.

Here is what the statistics summary looks like:

statistics for the short url

Over 4000 users were phished at the same time as me! We could even see the IP address and device type (iOS, Android, Desktop) of every visitor (not shown above). Most visits were within the Massachusetts area, a few from Ireland and Spain. It looks like the attack was highly localized to the MA and East Coast area.

As we were investigating, the number of visits kept growing. This was a recently executed attack! The short url was created at 11:54 am GMT-4, just about 1 hour before I got the phishing text.

just a snippet of the thousands of recorded IPs

Update: As we are writing this now, the bit.do link has been taken down. We censored the exact bit.do short url because it contained IP addresses of potential phishees which we thought not wise to share to the public.

Tracking the attacker

The attack was not very well hidden. In fact the url 81.61.157.51.dyn.user.ono.com/serve/index.htm shows exactly who to look for:

$ whois 81.61.157.51

Hopefully AMEX/Vodafone can pinpoint the user account and person hosting this phishing attack.

Thoughts on next steps for the AMEX security team

• Cross reference the IP addresses of the phished users with access logs to discover which accounts may have been compromised.
• Cross reference these accounts to the time and location of purchases made during the phishing attack.
• Use this data to determine if the attacker had more information than just the phone numbers of AMEX users. Was the attacker able to determine when AMEX users were making purchases?

Thanks for reading! It looks like the phishing game is still in full swing.

— Alex Grinman & Kevin King