Attackers have been exploiting a well-known open redirect vulnerability on American Express and Snapchat sites to phish for victims’ personal data.
According to INKY researchers, the hackers use phishing messages from compromised accounts or newly created domains to redirect victims to malicious sites.
The attackers set out to impersonate well-known brands, launching attacks against Google Workspace and Microsoft 365 users.
From mid-May through late July, INKY discovered many phishing emails that attempted to exploit open redirect vulnerabilities that affected American Express (2,029 emails) and Snapchat (6,812 emails) domains.
“Open redirect, a security vulnerability that occurs when a website fails to validate user input, allows bad actors to manipulate the URLs of high reputation domains to redirect victims to malicious sites,” Roger Kay of INKY wrote in a blog post.
“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer. The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.”
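The failure Kay describes is a redirect endpoint that forwards wherever its query parameter points. The following is an added illustration, not code from INKY, American Express or Snapchat: a vulnerable handler that returns the parameter verbatim next to a hardened one that resolves the value against the site's own origin and falls back to a safe path when the result leaves that origin. The origin `https://www.example-bank.test` and the parameter name are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed placeholder for the site that hosts the redirect endpoint.
TRUSTED_ORIGIN = "https://www.example-bank.test"


def unsafe_redirect_target(next_param: str) -> str:
    """The vulnerable pattern: whatever arrives in ?url= / ?next= is used as-is,
    so a link on the trusted domain can bounce the user anywhere."""
    return next_param


def safe_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on TRUSTED_ORIGIN, else `fallback`.

    The parameter is resolved relative to the trusted origin and then checked
    by scheme and host, which also covers the usual bypass shapes:
    protocol-relative '//host', backslash variants, and non-http schemes."""
    if not next_param:
        return fallback
    # Some browsers treat backslashes as slashes; normalise before parsing so
    # '/\\evil.test' is seen as the protocol-relative '//evil.test'.
    candidate = next_param.replace("\\", "/")
    resolved = urljoin(TRUSTED_ORIGIN + "/", candidate)
    parts = urlsplit(resolved)
    origin = urlsplit(TRUSTED_ORIGIN)
    if parts.scheme != origin.scheme or parts.netloc.lower() != origin.netloc.lower():
        return fallback
    # Emit only path and query: the user always lands on the trusted site.
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


if __name__ == "__main__":
    for value in ("/account", "https://evil.test/login", "//evil.test/login",
                  "/\\evil.test", "javascript:alert(1)"):
        print(f"{value!r:32} unsafe={unsafe_redirect_target(value)!r:32} "
              f"safe={safe_redirect_target(value)!r}")
```

The hardened version deliberately returns a relative path rather than echoing the absolute URL back, so even a same-origin input cannot smuggle userinfo or a look-alike host into the Location header.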
Moreover, the bad actors used phishing emails to impersonate DocuSign, FedEx, and Microsoft via Snapchat open redirects to Microsoft credential harvesting sites.
INKY also noted at the time of the original post that American Express had patched the redirect vulnerability, but Snapchat had not yet patched the flaw.
Users can look to guard against potential phishing emails by closely looking at URLs that may give clues to a redirect exploit (such as strings that include “url=”, “redirect=”, “external-link”, or “proxy”).
Also be on the lookout for multiple instances of “http” in the URL, a common indication of redirection.
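The two clues above can be turned into a triage check for links pulled out of mail. The following is an added example, not INKY's tooling: it decodes a link, counts embedded `http`/`https` occurrences, looks for redirect-style parameter names and path segments (the four the article names plus a few common synonyms, which are an assumption), and reports any second host hidden inside the first URL. The sample links and hostnames are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Names the article lists ("url", "redirect", "external-link", "proxy") plus
# common synonyms (assumption: the synonyms are not from the article).
REDIRECT_HINTS = {"url", "redirect", "external-link", "proxy",
                  "next", "return", "goto", "dest", "target"}

_HOST_RE = re.compile(r"https?://([^/?#&\s]+)", re.IGNORECASE)


def _fully_decode(link: str, rounds: int = 3) -> str:
    """Undo percent-encoding until stable so a double-encoded target is visible."""
    for _ in range(rounds):
        once = unquote(link)
        if once == link:
            break
        link = once
    return link


def redirect_indicators(link: str) -> dict:
    """Collect heuristic evidence that `link` bounces through one host to another."""
    decoded = _fully_decode(link)
    parts = urlsplit(decoded)
    first_host = parts.netloc.lower()
    hosts = [h.lower() for h in _HOST_RE.findall(decoded)]
    hint_params = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                   if name.lower() in REDIRECT_HINTS]
    hint_segments = [seg for seg in parts.path.split("/") if seg.lower() in REDIRECT_HINTS]
    return {
        "first_host": first_host,
        "http_count": len(hosts),
        "hint_params": hint_params,
        "hint_segments": hint_segments,
        # Any host after the first that differs from it is the real destination.
        "embedded_hosts": [h for h in hosts[1:] if h != first_host],
    }


def looks_like_open_redirect(link: str) -> bool:
    """True when a second host is embedded and a redirect clue is present."""
    f = redirect_indicators(link)
    return bool(f["embedded_hosts"]) and (f["http_count"] > 1
                                          or bool(f["hint_params"])
                                          or bool(f["hint_segments"]))


# Constructed sample links, modelled on the pattern the article describes.
SAMPLE_LINKS = [
    "https://www.trusted-brand.test/click?url=https%3A%2F%2Flogin-verify.test%2Fm365",
    "https://www.trusted-brand.test/external-link/https://docs-sign.test/view",
    "https://www.trusted-brand.test/account/settings?tab=security",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        flagged = looks_like_open_redirect(link)
        info = redirect_indicators(link)
        print(f"{'SUSPECT' if flagged else 'ok     '} {info['first_host']} -> "
              f"{info['embedded_hosts'] or '-'} (http x{info['http_count']}, "
              f"params={info['hint_params']}, path={info['hint_segments']})")
```

The check is deliberately a heuristic: a legitimate tracking link can carry a `url=` parameter, so the output is a reason to inspect the final destination, not a verdict on its own.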