Malicious actors took advantage of open redirect vulnerabilities affecting American Express and Snapchat domains to send phishing emails targeting Google Workspace and Microsoft 365 users.
Research published by INKY reveals that in both cases the phishers embedded personally identifiable information (PII) in the URL. This lets the attackers tailor the malicious landing page to each individual victim, and they disguise the PII by Base64-encoding it, so that it appears in the link as a random-looking string of characters rather than as readable data. (Base64 is an encoding, not encryption: anyone who recognises it can decode the string back to the original PII.)
The phishing emails that abused the Snapchat redirect impersonated DocuSign, FedEx, and Microsoft, and led to Microsoft credential-harvesting sites.
INKY engineers detected over 6,800 phishing emails abusing the Snapchat open redirect over a period of two and a half months. Although the vulnerability was reported to Snapchat via Open Bug Bounty almost a year ago, it has still not been fixed, according to the report.
The American Express open redirect was abused at an even higher rate: it appeared in more than 2,000 phishing emails in just two days in July.
However, the report notes that American Express has since patched the vulnerability, and anyone who clicks on such a link is now sent to an error page on the company's real website.
Open redirect vulnerabilities arise when a site accepts untrusted input, typically a URL parameter, that determines where it sends the user next. By modifying that parameter, for example by appending the address of another destination to the end of an otherwise legitimate URL, an attacker can make the trusted domain forward users to a website of the attacker's choosing, while the link the victim sees still begins with the trusted domain.
“Perhaps websites don’t give open redirect vulnerabilities the attention they deserve because they don’t allow attackers to harm or steal site data,” the report notes. “From the perspective of the website operator, the only potential damage is damage to the site’s reputation. However, victims may lose credentials, data, and possibly money.”
Review links, present users with disclaimers
The report recommends that when reviewing links, Internet users watch for strings such as “url=”, “redirect=”, “external-link” or “proxy” in the URL, which may indicate that a trusted domain is about to redirect to another site.
Another telltale sign of redirection is a link in which “http” appears more than once, meaning that a complete destination URL is being carried inside the trusted one.
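A link-screening check along the lines the report suggests (the redirect-parameter strings, the repeated "http", and the Base64-hidden PII described earlier in the article), as an added example; this is not INKY's tooling, and the sample links, host names and the victim address are constructed for the demonstration:

```python
import base64
import re
from urllib.parse import urlparse, parse_qsl

# Substrings the report lists as hints that a trusted domain may bounce the visitor elsewhere.
REDIRECT_HINTS = ("url=", "redirect=", "external-link", "proxy")
# Parameter names whose value, when it is a full URL, names the real destination.
DESTINATION_PARAMS = {"url", "redirect"}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def decode_base64_email(value):
    """Return the e-mail address hidden in a Base64 (standard or URL-safe alphabet,
    padding optional) query value, or None if the value is not one."""
    padded = value + "=" * (-len(value) % 4)           # phishers often strip the '=' padding
    for altchars in (None, b"-_"):                     # standard, then URL-safe alphabet
        try:
            text = base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def screen_link(url):
    """Return a list of findings for one URL; an empty list means no redirect hints."""
    findings = []
    parsed = urlparse(url)
    lower = url.lower()
    for hint in REDIRECT_HINTS:
        if hint in lower:
            findings.append(f"redirect hint '{hint}' in link on {parsed.netloc}")
    # A second "http" (possibly percent-encoded as http%3A) means a whole URL rides inside this one.
    if len(re.findall(r"https?(?:%3a|:)", lower)) > 1:
        findings.append("'http' appears more than once: an embedded destination URL")
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        if name.lower() in DESTINATION_PARAMS and value.lower().startswith(("http://", "https://")):
            findings.append(f"'{name}' sends the visitor on to {urlparse(value).netloc}")
        email = decode_base64_email(value)
        if email:
            findings.append(f"'{name}' is the Base64-encoded address {email}")
    return findings


# Constructed sample links (not taken from the report). The token is built here so the
# demo is self-contained; a real lure would carry the victim's own address.
VICTIM_TOKEN = base64.b64encode(b"victim@corp.example").decode().rstrip("=")
SAMPLE_LINKS = [
    "https://trusted.example/click?redirect=https%3A%2F%2Fevil.example%2Flogin&u=" + VICTIM_TOKEN,
    "https://trusted.example/login?url=/account",            # same-site redirect: hint only
    "https://trusted.example/account/settings?tab=profile",  # nothing to report
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        for finding in screen_link(link) or ["no redirect hints"]:
            print("  -", finding)
```

The first sample trips all four checks, the second only the "url=" hint (the value is a same-site path, so the hint alone is a weak signal), and the third none; the Base64 decoder tolerates stripped padding and the URL-safe alphabet because both are common in such links.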
“Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture and can also present users with an external redirect warning that requires user clicks before redirecting to external sites,” according to the report. “If the redirect is necessary for commercial reasons, having an allowed list of approved safe links in place prevents bad actors from entering malicious links.”
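The redirect handler pattern described above and the two fixes the report recommends (an allow list, or an external-redirect warning page), as an added example; this is neither INKY's code nor the American Express or Snapchat implementation. The host names trusted.example and partner.example, the error-page path and the warning-page path are assumptions:

```python
from urllib.parse import urlparse, quote

SITE = "trusted.example"                 # hypothetical first-party host
ALLOWED_EXTERNAL = {"partner.example"}   # hypothetical allow list of approved destinations
ERROR_PAGE = f"https://{SITE}/redirect-error"


def vulnerable_redirect(target):
    """The open-redirect anti-pattern: whatever arrives in ?url= is handed back
    as the Location header, so the trusted domain forwards to any site at all."""
    return target


def safe_redirect(target):
    """Allow-list version. Accepts a same-site path or an https URL whose host is
    exactly this site or an approved partner; everything else lands on an error page."""
    # Whitespace, control characters and backslashes are rejected outright: they enable
    # header injection and browser/parser disagreements ('/\evil.example' acts like '//').
    if not target or any(c in "\\\t\r\n " or ord(c) < 0x20 for c in target):
        return ERROR_PAGE
    if target.startswith("/"):
        if target.startswith("//"):      # scheme-relative: browsers read '//evil.example' as a host
            return ERROR_PAGE
        return f"https://{SITE}{target}"
    parsed = urlparse(target)
    if parsed.scheme != "https":         # also blocks javascript:, data: and plain http:
        return ERROR_PAGE
    # .hostname strips userinfo and port, so 'https://trusted.example@evil.example'
    # is seen as evil.example; a subdomain look-alike fails the exact comparison.
    host = parsed.hostname or ""
    if host == SITE or host in ALLOWED_EXTERNAL:
        return target
    return ERROR_PAGE


def external_warning(target):
    """The report's other option: an interstitial on our own domain that shows the
    destination and requires a click. The page that renders it must still validate
    the target (e.g. with safe_redirect) before sending the user on, otherwise it is
    merely a delayed open redirect."""
    return f"https://{SITE}/leaving?to={quote(target, safe='')}"


if __name__ == "__main__":
    # Constructed inputs covering the usual bypass tricks.
    for t in ["/account", "https://partner.example/docs", "https://evil.example/login",
              "//evil.example", "https://trusted.example@evil.example/",
              "https://trusted.example.evil.example/", "javascript:alert(1)"]:
        print(f"{t:45} vulnerable -> {vulnerable_redirect(t)}")
        print(f"{'':45} safe       -> {safe_redirect(t)}")
```

The important design choices are the exact host comparison (a substring or prefix match is the classic bypass), parsing with a library and comparing the parsed hostname rather than inspecting the raw string, and refusing anything that is not an absolute https URL or a single-slash relative path.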
The scam reported by INKY is the latest in a long line of phishing scams that are shaking up the IT security landscape – earlier this week, researchers from ThreatLabz issued a warning about a large-scale phishing campaign targeting users of Microsoft Outlook email services.