Posted on August 8, 2022 at 6:24 PM
A series of phishing attacks has been reported that abuses open redirects on the websites of American Express and Snapchat. The threat actors used the attacks to steal Microsoft 365 credentials.
Open redirects are web vulnerabilities that let a threat actor craft a link on a genuine, trusted domain that forwards the visitor to an arbitrary destination of the attacker's choosing. The trusted domain serves only as a temporary landing page; threat actors use it to bounce targets on to malicious sites.
Once on the malicious site, victims can be tricked into handing over sensitive details or infected with malware. The threat actors' usual motive is stealing personal information, financial information, and credentials from the victim.
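The difference between a vulnerable redirect endpoint and a hardened one, as an added example that is not from the article or from either affected site. It assumes a hypothetical site www.example.com with a hypothetical `next` parameter; the hosts evil.test and accounts.example.com and the allow-list are made up for the demo. The vulnerable function echoes whatever destination it is given, which is exactly what lets a link on a trusted domain bounce a victim elsewhere; the hardened one resolves the destination against the site's own origin, allows only an explicit list of hosts over https, and returns the normalized URL rather than the raw input.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical site whose redirect endpoint is being protected (assumed name).
SITE_ORIGIN = "https://www.example.com"
# Hosts a redirect may legitimately land on (assumed list).
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = SITE_ORIGIN + "/"


def vulnerable_redirect(next_url: str) -> str:
    """Deliberately vulnerable: send the browser wherever ?next= says.

    This is the open-redirect pattern the article describes; a link such as
    https://www.example.com/login?next=https://evil.test/ looks like it
    belongs to example.com but lands on the attacker's page.
    """
    return next_url


def safe_redirect(next_url: str) -> str:
    """Hardened: follow the redirect only to an allow-listed host over https."""
    # Browsers treat backslashes in http(s) URLs as slashes, so "/\evil.test"
    # becomes "//evil.test"; reject those and whitespace/control characters
    # before parsing rather than trying to normalise them.
    if any(ch in next_url for ch in "\\\r\n\t "):
        return FALLBACK
    # Resolve against our own origin: "/account" stays on-site, while a
    # protocol-relative "//evil.test/x" or an absolute URL resolves to its
    # real host and can be checked.
    resolved = urljoin(FALLBACK, next_url)
    parts = urlsplit(resolved)
    if parts.scheme != "https":           # blocks javascript:, data:, plain http
        return FALLBACK
    if parts.username or parts.password:  # "https://www.example.com@evil.test"
        return FALLBACK
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return FALLBACK
    # Return the normalised URL, never the raw parameter, so the browser
    # follows exactly what was checked.
    return resolved


if __name__ == "__main__":
    # Constructed inputs a phisher might put in the parameter.
    for candidate in ["/account", "//evil.test/x", "https://evil.test/login",
                      "https://www.example.com.evil.test/", "javascript:alert(1)",
                      "https://accounts.example.com/login"]:
        print(f"{candidate!r:40} -> {safe_redirect(candidate)}")
```

Two design points matter here. Resolving with `urljoin` and returning the resolved value, rather than echoing the parameter after a string check, means the browser and the server cannot disagree about where an ambiguous input leads. And the allow-list is of hosts, not of prefixes: a check such as "starts with https://www.example.com" is defeated by `https://www.example.com.evil.test/` and `https://www.example.com@evil.test/`, both of which the host comparison rejects.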
The Snapchat Open Redirect Was Abused To Target Thousands Of Victims
Email security firm Inky, which discovered the attacks, stated that a casual observer may believe the link is safe because the first domain name in the manipulated link belongs to the genuine site.
The genuine domain names, such as those belonging to Snapchat and American Express, serve as temporary landing pages before the user is redirected to the fake site.
The Inky researchers stated that the Snapchat open redirect was abused in more than 6,500 phishing emails, sent from hijacked Microsoft 365 and Google Workspace accounts, over two and a half months.
The emails were designed to impersonate FedEx, DocuSign, and Microsoft, and sent the recipients to landing pages built to steal Microsoft credentials.
The Bug Has Not Been Patched On Snapchat
The report also revealed that the Snapchat bug was reported to the company via the Open Bug Bounty program over a year ago. However, the vulnerability is yet to be patched.
This specific attack uses three main techniques: credential harvesting, brand impersonation, and hijacked accounts. The attackers use brand impersonation to make users believe they are on a genuine web page: they create logos, or copy the logos of the original site, which can deceive an observer who is not careful enough.
After the user enters the information requested, the credential harvesting software kicks in. Once the details are harvested, the threat actors can sell the data on the dark net to other cybercriminals for profit. They can also use the data to gather further sensitive information from the user, such as personal and financial details.
The open redirect bug on the American Express site, by contrast, was patched promptly after it had been exploited for several days in July last year. There have been new attempts to exploit the vulnerability, but they all land on the Amex error page.
Before the vulnerability was patched, it was used in over 2,000 Microsoft Office 365-themed phishing emails. The attackers used recently registered domains designed to direct targets to Microsoft credential-stealing sites.
The report also revealed that the threat actors planted personally identifiable information (PII) into the URL in both the Amex and Snapchat exploits. This let the attackers customize the malicious landing page for each specific victim, so that every target received a page tailored to them.
The researchers noted that in both attacks the hackers Base64-encoded the inserted PII so that it resembled a string of random characters.
The Vulnerability And Exploit Affect Users Directly
The Inky researchers also advised how users can defend against the attack. Inky said email recipients should check links for multiple occurrences of “HTTP” within a single URL, or for “proxy” strings, both of which indicate redirection.
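The heuristics above, together with the Base64-encoded PII described earlier, turned into a small link scanner, as an added example that is not from the article or from Inky. The sample links are constructed for the demo: trusted.example and evil.test are made-up hosts, and the Base64 blob in the first link is simply the made-up address victim@corp.example encoded the way the report describes. The list of redirect parameter names is an assumption, a common-name heuristic rather than anything the report specifies.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query-parameter names that redirect endpoints commonly use (heuristic list,
# an assumption for this example; extend it for your own environment).
REDIRECT_PARAMS = {"url", "u", "redirect", "redirect_uri", "redirect_url",
                   "next", "return", "returnurl", "goto", "target", "dest",
                   "link", "proxy", "continue"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of Base64-alphabet characters long enough to hold an e-mail address.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def decode_b64(token: str):
    """Decode a standard or URL-safe Base64 blob; None if it is not one."""
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            return text
    return None


def find_embedded_emails(url: str) -> list:
    """Find Base64-encoded e-mail addresses anywhere in the link: query
    values, path segments, the fragment, or inside a nested URL."""
    emails = []
    for token in B64_TOKEN_RE.findall(unquote(url)):
        decoded = decode_b64(token)
        if decoded:
            emails.extend(EMAIL_RE.findall(decoded))
    return emails


def analyze_link(url: str) -> dict:
    """Apply the report's heuristics to one link taken from an e-mail."""
    findings = []
    lowered = unquote(url).lower()
    http_hits = lowered.count("http")  # counts "http://" and "https://" alike
    if http_hits > 1:
        findings.append(f"'http' appears {http_hits} times: a URL nested inside a URL")
    if "proxy" in lowered:
        findings.append("'proxy' in the link")
    outer = urlsplit(url)
    for key, value in parse_qsl(outer.query, keep_blank_values=True):
        if key.lower() in REDIRECT_PARAMS:
            inner = urlsplit(value.strip())
            if inner.netloc and inner.hostname != outer.hostname:
                findings.append(f"redirect parameter '{key}' leaves {outer.hostname} for {inner.hostname}")
    emails = find_embedded_emails(url)
    if emails:
        findings.append("Base64-encoded address in the link: " + ", ".join(emails))
    return {"url": url, "suspicious": bool(findings), "findings": findings, "emails": emails}


# Constructed sample links for the demo (not taken from the report).
SAMPLE_LINKS = [
    # Trusted domain first, attacker's site in the 'url' parameter, victim's
    # address Base64-encoded in the fragment so the landing page can use it.
    "https://trusted.example/redirect?url=https://evil.test/office365/#dmljdGltQGNvcnAuZXhhbXBsZQ==",
    # URL-encoded nested link through a 'proxy' endpoint.
    "https://trusted.example/proxy?u=https%3A%2F%2Fevil.test%2Flogin",
    # Benign: same-site relative 'next' parameter.
    "https://trusted.example/login?next=/account",
    # Benign: ordinary deep link.
    "https://trusted.example/account/settings",
]


def scan_links(links) -> list:
    return [analyze_link(u) for u in links]


if __name__ == "__main__":
    for result in scan_links(SAMPLE_LINKS):
        print(("SUSPICIOUS" if result["suspicious"] else "ok").ljust(11), result["url"])
        for finding in result["findings"]:
            print("            -", finding)
```

The "multiple http" and "proxy" checks are the ones the report gives readers; the redirect-parameter check adds what a mail gateway can do that a human cannot, which is unquote the nested URL and compare its host with the outer one. Decoding every long Base64-looking token and then requiring an address pattern in the result keeps false positives down: path segments that happen to be valid Base64 decode to bytes that never match the e-mail regex.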
Additionally, website owners have been advised to implement external-redirection disclaimers, which require users to click through a notice before they are sent to an external site. This puts the security of users' systems in their own hands, since the malicious web page won't be shown unless the user takes an action.
Unlike other types of vulnerabilities, open redirect bugs are not given enough attention. Also, most of the exposure falls not on the site owners but on the users. The blog post provides further guidance to help users stay safe and keep their data out of the wrong hands.
It contains additional information and specific measures to take when dealing with this type of attack as well as other forms of attack. The tips enable the user to quickly spot key characters and terms that may indicate a redirect has occurred on a trusted domain.