Unprotected Snapchat and Amex sites lead to credential harvesting

Open redirect vulnerabilities in American Express and Snapchat websites are being exploited to conduct phishing scams, researchers have revealed.

Scammers are exploiting open redirect vulnerabilities in a new phishing campaign targeting Microsoft 365 and Google Workspace users. These vulnerabilities mainly impact the American Express and Snapchat domains.

An open redirect is a security flaw that occurs when a website fails to validate user input. Threat actors can then manipulate URLs on reputable domains to redirect victims to malicious pages.

Phishing emails using open redirect vulnerabilities

According to a report from INKY, automated URL redirects used by Snapchat and American Express to lure users to their websites were hijacked to steal credentials.

Attackers send phishing emails and include PII (Personally Identifiable Information) in the URL so that the malicious landing pages can be personalized quickly, and they disguise the PII by converting it to Base64.

As a result, the information looks like a sequence of random characters. INKY's report further revealed that threat actors were observed hijacking unpatched redirect vulnerabilities on Snapchat and American Express domains between May and July.

What makes the attack effective?

A trusted domain such as Snapchat serves as a temporary landing page, after which the visitor is redirected to a malicious URL. The legitimate site's domain appears first in the modified link, so the link seems safe to unsuspecting users. The attack is effective because the scam uses legitimate URLs belonging to trusted brands.

“For example, where ‘safe.com’ is considered to represent a genuine domain and ‘malicious.com’ – a credential harvesting website, cybercriminals will insert safe.com/redirect?url=malicious.com to redirect victims to fake versions of Microsoft, FedEx and DocuSign login sites which then siphon their emails and passwords.”
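The safe.com/redirect?url=malicious.com pattern comes down to a handler that copies the url parameter into the Location header unchecked. The following added example (not taken from INKY's report or from either company's code) contrasts that with an allowlist check; the function names, ALLOWED_HOSTS and FALLBACK are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the site's own hosts and a fallback page.
ALLOWED_HOSTS = {"safe.com", "www.safe.com"}
FALLBACK = "/"


def vulnerable_location(url_param):
    """Open redirect: the url parameter goes into Location unchecked."""
    return url_param


def hardened_location(url_param, allowed_hosts=ALLOWED_HOSTS):
    """Return url_param only if it stays on an allowed host, else FALLBACK."""
    # Browsers treat "\" like "/" and drop tabs/newlines, so reject them outright.
    if not url_param or "\\" in url_param or any(ord(c) < 0x20 for c in url_param):
        return FALLBACK
    try:
        parts = urlsplit(url_param)
        host, user, password = parts.hostname, parts.username, parts.password
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return FALLBACK

    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a rooted path only. A bare "malicious.com"
        # fails startswith("/"); "///malicious.com" is resolved by browsers as
        # a host, so any leading "//" is refused as well.
        if url_param.startswith("/") and not url_param.startswith("//"):
            return url_param
        return FALLBACK

    # Absolute or scheme-relative URL: require http(s), no userinfo
    # (safe.com@malicious.com), and an exact allowlisted host.
    if parts.scheme not in ("http", "https") or user is not None or password is not None:
        return FALLBACK
    if host is None or host.lower() not in allowed_hosts:
        return FALLBACK
    return url_param
```

The allowlist compares the parsed hostname exactly, so look-alike hosts such as safe.com.malicious.com are rejected along with the plain off-site case.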


In the Snapchat group, the phishing emails used DocuSign, Microsoft, and FedEx lures, allowing Microsoft credentials to be stolen.


INKY engineers identified more than 6,800 Snapchat phishing emails exploiting the open redirect vulnerability over the past two months. By contrast, the American Express open redirect vulnerability was detected in more than 2,000 phishing emails in just two days in July.

American Express has apparently fixed the vulnerability, but Snapchat had not fixed it even a year after Open Bug Bounty notified the company of the issue.