The credit card and travel services company has issued a warning about what it calls a false "security measures" pop-up screen that appears when users log in to its secure site.
In an alert posted online, the New York-based company included a screenshot of the pop-up, which tries to lure the user into entering name, social security number, mothers maiden name and date of birth.
"Please note that this fraudulent activity may be the result of a computer virus and is not a part of the American Express website. If you received this pop-up box, your computer may have this virus," the company warned.
Security researchers tracking malicious Internet activity say the fake pop-up is a classic example of a banking Trojan targeting specific financial institutions, even when the user is surfing on a secure, authenticated Web site.
Phishers and identity thieves thrive on tricking users into visiting fake, look-alike Web sites, but the latest discovery shows just how sophisticated the threat has become, said Roger Thompson, chief technology officer at Exploit Prevention Labs, a security research company in Atlanta.
"These banking Trojans are scary. They infect the machine, inject a BHO [browser help object] into Internet Explorer, and use ActiveX magic to wait until the victim goes to the American Express site. Then, they spring the fake pop-up and grab the information," Thompson said.
"Weve seen these banking Trojans mostly targeting South American banks. This is the first Ive heard of American Express being targeted," he said.
The threat from sophisticated banking Trojans isnt exactly new. Earlier this year, researchers at Websense Security Labs discovered a password-stealing Trojan that used sophisticated DNS (Domain Name System) redirection techniques to dodge server shutdowns and hijack online banking data.
In that attack, users of more than 100 financial institutions in the United States and Europe, including Bank of America, HSBC, Barclays Bank and Lloyds TSB, were targeted. The Trojan was programmed to modify the contents of host files on infected machines to serve up fake banking sites that move from server to server to avoid shutdowns.
An example of a banking Trojan is PWSteal.Bancos, a family of malware that mimics the interface of certain banks to hijack passwords and other sensitive information from users.
The Trojans are typically spammed as attachments or URLs to malicious Web sites and silently infect unpatched computers running without anti-virus protection.
The fake pop-up is then generated from the Trojan and does not reflect a compromise at the banks site, Thompson explained. Once a user is tricked into entering confidential data, the Trojan is programmed to transmit the information to a remote server controlled by the attacker.
"Its slick and cunning," Thompson said.