informa
3 min read
article

American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme

Phishing operators are taking advantage of security bugs in the Amex and Snapchat websites (the latter is unpatched) to steer victims to phishing pages looking to harvest Google and Microsoft logins.

Malicious actors have been taking advantage of open-redirect vulnerabilities affecting American Express and Snapchat domains to send phishing emails targeting Google Workspace and Microsoft 365 users.

Research published by INKY reveals that in both cases the phishers included personally identifiable information (PII) in the URL. This allows the actors to rapidly customize the malicious landing pages for individual victims and disguised the PII by converting it to Base 64, turning the information into a sequence of random characters.

Phishing emails in the Snapchat group used DocuSign, FedEx, and Microsoft lures, which led to Microsoft credential harvesting sites.

INKY engineers detected more than 6,800 Snapchat phishing emails containing the open-redirect vulnerability during a period of two and a half months. Despite previously being reported to Snaptchat by Open Bug Bounty nearly a year ago, the vulnerability remains unpatched, according to the report.

The issue was even worse with the American Express open-redirect vulnerability, which was uncovered in more than in 2,000 phishing emails during the course of just two days in July.

However, the report notes, American Express has since patched the vulnerability, and any user who clicks the link now is redirected to an error page on the company's actual website.

Redirect vulnerabilities arise when domains accept untrusted input that could cause the site to redirect users to another URL. By modifying the URL for these sites — for instance, by adding a link to another destination to the end of the original URL — an attacker can easily redirect users to websites of their choice.

"Perhaps websites don't give open-redirect vulnerabilities the attention they deserve because they don't allow attackers to harm or steal data from the site," today's report notes. "From the website operator's perspective, the only damage that potentially occurs is harm to the site's reputation. The victims, however, may lose credentials, data, and possibly money."

Examine Links, Present Users with Disclaimers

The report recommended that when examining links, surfers should keep an eye out for URLs including "url=", "redirect=", "external-link", or "proxy", strings that may indicate a trusted domain could redirect to another site.

Another telltale sign indicating redirection are links with multiple occurrences of "http" in the URL.

"Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture and can also present users with an external redirection disclaimer that requires user clicks before redirecting to external sites," according to the report. "If redirection is necessary for commercial reasons, then implementing an allow-list of approved safe links prevents bad actors from inputting malicious links."

The scam that INKY reported is the latest in a long line of phishing scams roiling the IT security landscape — earlier this week, researchers from ThreatLabz issued a warning over a large-scale phishing campaign aimed at Microsoft Outlook email services users.