Why it matters: An email-focused security firm released a post detailing a phishing attack that abuses unsecured American Express and Snapchat sites. The attack relies on a known open redirect vulnerability, which lets threat actors supply their own redirect URL and so send traffic to fraudulent sites built to steal user information.
Maryland-based security firm Inky Security tracked attack activity linked to the vulnerability from mid-May through mid-July. The phishing campaign combines a known open redirect vulnerability (CWE-601) with popular brand recognition to deceive unsuspecting Google Workspace and Microsoft 365 users and harvest their credentials.
The attacks targeted unsecured sites belonging to Snapchat and American Express. The Snapchat-based attacks accounted for more than 6,800 attacks over a two-and-a-half-month period. The American Express-based attacks were far more effective, affecting over 2,000 users in only two days.
INKY (@InkyPhishFence) August 4, 2022
The Snapchat-based emails drove users to fraudulent DocuSign, FedEx, and Microsoft sites to harvest their credentials. Snapchat's open redirect vulnerability was reported on openbugbounty more than a year ago. Unfortunately, it apparently remains unaddressed.
American Express appears to have remediated its vulnerability, which redirected users to a fraudulent O365 login page like the one the Snapchat-based attacks used.
This type of phishing attack combines three primary techniques: brand impersonation, credential harvesting, and hijacked accounts. Brand impersonation relies on recognizable logos and trademarks to create a sense of trust, so that the victim enters credentials into the fraudulent site, where they are harvested. Once harvested, the attackers can sell the stolen credentials to other criminals for profit, or use them to access the victim's accounts and acquire personal and financial information.
Open redirect vulnerabilities tend not to receive the same degree of care and attention as other identified vulnerabilities. Additionally, most of the risk falls on individual users rather than on the site owner. INKY's blog post provides additional background and guidance to help users stay safe and keep their data out of the wrong hands, including pointers for spotting terms and characters in a URL that may indicate a redirect away from the trusted domain.
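As an added example (not INKY's or the article's code), the following Python shows the CWE-601 pattern described above beside a hardened redirect handler that only honours same-origin targets, plus a defender-side check that unwraps redirect-style parameters in a trusted-domain link to surface the external destination, the kind of URL inspection the pointers above describe. The trusted host `example.com` and the list of redirect parameter names are assumptions.

```python
# Added example (not INKY's or the article's code); trusted host is assumed.
from urllib.parse import parse_qs, unquote, urlparse

TRUSTED_HOST = "example.com"  # assumed trusted domain

# Query parameter names that commonly carry a redirect target (assumption).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "goto", "dest", "continue"}

def weak_redirect_target(requested: str) -> str:
    """CWE-601 pattern: the caller-supplied target is used unchanged."""
    return requested

def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Hardened pattern: only same-origin targets survive; anything else
    falls back to `default`, so the trusted domain cannot serve as a hop."""
    # Decode once and normalise backslashes so encoded or "\\host" forms
    # are judged the same way as their plain equivalents.
    candidate = unquote(requested).replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute (or protocol-relative "//host") URL: require https, an
        # exact host match and no userinfo ("trusted@evil" style).
        if (parsed.scheme != "https" or parsed.hostname != TRUSTED_HOST
                or parsed.username or parsed.password):
            return default
        return candidate
    # Relative target: must be a single-slash path on this origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate

def external_redirects_in_link(link: str, trusted_host: str = TRUSTED_HOST) -> list[str]:
    """Defender-side check for a link seen in mail: return the external URLs
    carried in redirect-style parameters of a link on the trusted host."""
    parsed = urlparse(link)
    found: list[str] = []
    if parsed.hostname != trusted_host:
        return found  # not a trusted-domain link; nothing to unwrap
    for name, values in parse_qs(parsed.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            # parse_qs decoded once; unquote again to catch double-encoding.
            inner = urlparse(unquote(value).replace("\\", "/"))
            if inner.netloc and inner.hostname != trusted_host:
                found.append(value)
    return found
```

A non-empty result from `external_redirects_in_link` is a signal to treat the mail link as suspicious even though its visible domain is trusted.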