Why is this important: An email security firm has published a blog post detailing a phishing attack targeting unsecured American Express and Snapchat sites. The identified exploit uses a known open redirect vulnerability that allows hackers to specify a redirect URL, driving traffic to fraudulent sites designed to steal user information.
Maryland-based security firm INKY Security tracked attack activity related to the vulnerability from mid-May through mid-July. The phishing attack leverages a known open redirect vulnerability (CWE-601) and popular brand recognition to trick and harvest credentials from unsuspecting Google Workspace and Microsoft 365 users.
The attacks targeted unsecured Snapchat and American Express sites. Snapchat-based attacks resulted in over 6,800 attacks over a two-and-a-half-month period. Attacks based on American Express were much more effective, affecting over 2,000 users in just two days.
Malicious actors took advantage of open redirect vulnerabilities affecting AMEX and Snapchat domains to send #Phishing emails targeting Google Workspace and Microsoft 365 users.” https://t.co/bTG2b7dLWY
— INKY (@InkyPhishFence) August 4, 2022
Snapchat-based emails led users to fraudulent DocuSign, FedEx, and Microsoft sites to harvest user credentials. The Snapchat open redirect vulnerability was initially identified by openbugbounty over a year ago. Unfortunately, the exploit still seems unanswered.
American Express appears to have patched the vulnerability, which redirected users to an O365 login page similar to that used by Snapchat-based attacks.
This specific phishing attack uses three main techniques: brand impersonation, credential harvesting, and hacked accounts. Brand recognition relies on recognizable logos and brands to create a sense of trust with the potential victim, which leads to the user’s credentials being captured and collected on the fraudulent site. Once harvested, hackers can sell the stolen information to other criminals for profit or use the information to access and obtain the victim’s personal and financial information.
Open redirect vulnerabilities do not tend to receive the same level of care and attention as other identified exploits. Moreover, most of the risks are exposed to the user rather than the owner of the site. The blog post provides additional information and tips to help users stay safe and keep their data out of the wrong hands. These tips help users identify key terms and characters that can indicate whether a redirect is occurring from a trusted domain.
Image credit: INKY Security