Open-redirect vulnerabilities in American Express and Snapchat domains are being exploited to carry out phishing scams, researchers have revealed.

Scammers are exploiting open-redirect vulnerabilities in a new phishing campaign targeting Microsoft 365 and Google Workspace users. The abused redirects sit mainly on American Express and Snapchat domains.

An open redirect is a web vulnerability that occurs when a site takes a destination URL from user-controllable input (typically a query parameter) and redirects the browser to it without validating where it points. Because the link itself lives on a reputable domain, threat actors can craft URLs that look like that domain's own links but forward victims to malicious pages.
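The pattern in code, as an added example that is not from the INKY report or from either company's codebase: a `/redirect?url=...` handler modelled as a pure function of the request URL, first in its vulnerable form and then hardened with a host allow-list. The origin `safe.example`, the allow-list and the parameter name `url` are assumptions for illustration.

```python
"""Open redirect: the vulnerable pattern beside a hardened one.

Added example, not INKY's or either vendor's code.  The handlers are modelled
as pure functions of the request URL so they can be run offline.  The origin,
allow-list and parameter name are assumptions.
"""
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlparse

SITE = "https://safe.example"                          # assumed: our own origin
ALLOWED_HOSTS = {"safe.example", "www.safe.example"}   # assumed allow-list


def _url_param(request_url: str) -> Optional[str]:
    """Pull the `url` query parameter out of the incoming request URL."""
    return parse_qs(urlparse(request_url).query).get("url", [None])[0]


def vulnerable_redirect_target(request_url: str) -> Optional[str]:
    """The bug: send the browser wherever the `url` parameter says.

    A link such as https://safe.example/redirect?url=https://evil.example/login
    is served from the trusted domain but lands the victim on the attacker's page.
    """
    return _url_param(request_url)


def safe_redirect_target(request_url: str) -> str:
    """Hardened version: follow the parameter only if it resolves to an
    allow-listed host; otherwise fall back to our own front page."""
    fallback = SITE + "/"
    target = _url_param(request_url)
    if not target:
        return fallback
    # Browsers treat a backslash after the slash like a second slash, so
    # "/\evil.example" behaves as "//evil.example"; refuse it outright.
    if "\\" in target:
        return fallback
    # Resolve against our own origin: "/account" becomes a same-site URL, while a
    # scheme-relative "//evil.example" resolves to the attacker's host and is
    # caught by the allow-list check below.
    resolved = urlparse(urljoin(fallback, target))
    if resolved.scheme not in ("http", "https"):      # blocks javascript:, data:, ...
        return fallback
    # .hostname strips userinfo and port, so "https://safe.example@evil.example"
    # yields "evil.example" and is rejected instead of matching on its prefix.
    if resolved.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved.geturl()
```

The checks that matter are the ones a naive `startswith("https://safe.example")` test gets wrong: the userinfo trick (`safe.example@evil.example`), a look-alike subdomain of the attacker's domain (`safe.example.evil.example`), scheme-relative `//evil.example`, and `javascript:` URLs. Matching the parsed hostname against a fixed set handles all of them.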

Phishing Emails Using Open-Redirect Vulnerabilities

According to a report from INKY, automated URL redirects that Snapchat and American Express use to route visitors onto their own sites have been hijacked to send victims to credential-stealing pages instead.

The phishing emails embed the target's PII (personally identifiable information) in the URL so that the malicious landing page can be customised for each victim on the fly. The PII is Base64-encoded to disguise it, so to a casual reader it looks like a meaningless string of characters; Base64 is an encoding rather than encryption, so anyone who decodes the string recovers the original data.

INKY further reported that it observed threat actors abusing unpatched redirect vulnerabilities on Snapchat and American Express domains between May and July.

What Makes the Attack Effective?

A trusted domain such as Snapchat serves only as a momentary stop: the visitor lands on it and is immediately forwarded to the malicious URL. The trusted site is the first domain in the crafted link, so the link appears safe to unsuspecting users (and to any check that only looks at the domain the link starts with). Because genuine URLs on brand-name websites are used, the attack is effective.

“For example, where ‘safe.com’ is taken to represent an authentic domain and ‘malicious.com’ – a credential-harvesting website, cybercriminals will insert safe.com/redirect?url=malicious.com to redirect victims to fake versions of Microsoft, FedEx, and DocuSign login sites that then siphon off their email and password details.”

INKY
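A triage helper for links of the shape just described, covering both the redirect hop (`safe.com/redirect?url=malicious.com`) and the Base64-encoded PII carried on the final URL. This is an added example, not INKY's tooling; the sample link, the hostnames `safe.example` and `malicious.example`, the parameter names and the victim address are all constructed for illustration.

```python
"""Triage a link of the kind INKY describes: a trusted-domain redirect to an
attacker host, with Base64-encoded PII riding along on the final URL.

Added example, not INKY's tooling.  The sample link, hostnames and parameter
names are constructed for illustration.
"""
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Query parameters that commonly carry a redirect destination (assumed list).
REDIRECT_PARAMS = ("url", "u", "redirect", "redirect_uri", "next", "return", "goto")

# Constructed sample: the victim's address (jane.doe@example.com, Base64) is
# appended to the final hop so the phishing page can pre-fill it.
SAMPLE_LINK = ("https://safe.example/redirect?url=https://malicious.example/login"
               "?e=amFuZS5kb2VAZXhhbXBsZS5jb20%3D")


def find_redirect_target(link: str) -> Optional[str]:
    """Return the destination carried in the first recognised redirect parameter."""
    qs = parse_qs(urlparse(link).query)
    for name in REDIRECT_PARAMS:
        if name in qs:
            return qs[name][0]
    return None


def _host_of_target(target: str, outer_host: str) -> str:
    """Work out which host a redirect target actually lands on."""
    if target.startswith("//"):              # scheme-relative: //evil.example/x
        return urlparse("https:" + target).hostname or ""
    if target.startswith("/"):               # plain path: stays on the outer host
        return outer_host
    if "://" not in target:                  # bare host, as in url=malicious.com
        target = "https://" + target
    return urlparse(target).hostname or ""


def leaves_domain(link: str) -> bool:
    """True when the redirect hops off the domain the victim sees in the link."""
    target = find_redirect_target(link)
    if target is None:
        return False
    outer = (urlparse(link).hostname or "").lower()
    inner = _host_of_target(target, outer).lower()
    return bool(inner) and inner != outer and not inner.endswith("." + outer)


def decode_embedded_pii(target: str) -> Dict[str, str]:
    """Decode query values on the final hop that look like Base64 text.

    Base64 is reversible, so the seemingly random string decodes straight
    back to the victim's details.
    """
    found: Dict[str, str] = {}
    for name, values in parse_qs(urlparse(target).query).items():
        for value in values:
            if not re.fullmatch(r"[A-Za-z0-9+/=_-]{8,}", value):
                continue
            normalised = value.replace("-", "+").replace("_", "/")   # URL-safe alphabet
            normalised += "=" * (-len(normalised) % 4)               # restore padding
            try:
                text = base64.b64decode(normalised, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable():
                found[name] = text
    return found


def triage(link: str) -> Dict[str, object]:
    """One-shot summary an analyst can drop into a ticket."""
    target = find_redirect_target(link)
    return {
        "visible_host": urlparse(link).hostname,
        "redirect_target": target,
        "leaves_domain": leaves_domain(link),
        "pii": decode_embedded_pii(target) if target else {},
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LINK).items():
        print(f"{key}: {val}")
```

Run against the constructed sample, `triage` reports the visible host `safe.example`, a redirect target on `malicious.example`, `leaves_domain` true, and the decoded address under the `e` parameter. In a mail-filtering pipeline the "trusted domain plus off-domain redirect" signal is what catches these messages; the decoded PII is useful for notifying the specific users who were targeted.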

In the Snapchat group, the phishing emails used DocuSign, Microsoft, and FedEx lures to harvest Microsoft credentials.

Unprotected Snapchat and Amex sites lead to credential harvesting
Image: INKY

INKY engineers identified over 6,800 phishing emails abusing the Snapchat open redirect during the past two months. By comparison, the American Express open redirect was seen in over 2,000 phishing emails in just two days in July.

American Express has reportedly patched its vulnerability, but Snapchat has not, even though a year has passed since Open Bug Bounty notified the company about the issue.

Posted by Charlie