"American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme"
Malicious actors have been sending phishing emails to Google Workspace and Microsoft 365 users by exploiting open-redirect vulnerabilities affecting American Express and Snapchat domains. According to INKY research, the phishers in both cases embedded personally identifiable information (PII) in the URL, which let them quickly customize the malicious landing page for each victim while concealing the PII by Base64-encoding it, so that it appears as a random-looking string of characters. In the Snapchat group, phishing emails used DocuSign, FedEx, and Microsoft lures that led to Microsoft credential-harvesting sites. During a two-and-a-half-month period, INKY engineers found over 6,800 Snapchat phishing emails that exploited the open-redirect vulnerability. According to the report, the vulnerability remains unpatched despite having been disclosed to Snapchat by Open Bug Bounty nearly a year ago. The problem was compounded by the American Express open-redirect vulnerability, which appeared in over 2,000 phishing emails in just two days in July. American Express has since patched it, and any user who clicks the link is now sent to an error page on the company's real website, according to the report. An open-redirect vulnerability arises when a site accepts untrusted input, such as a destination supplied in the URL, and redirects users to wherever that input points. An attacker can then send users to a website of their choosing simply by modifying the URL, for example by appending the address of another destination to the end of the legitimate URL. This article continues to discuss the exploitation of American Express and Snapchat's open-redirect vulnerabilities in a phishing scheme.
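As an added illustration that is not drawn from the INKY report or from any of the sites named above, the Python below shows the hardened side of the redirect behaviour the article describes (a same-site relative-path rule in place of forwarding to whatever the parameter says) together with a defender-side check that flags a link whose redirect parameter leaves the trusted host and that carries a Base64-encoded address. All hosts, parameter names and the sample link are hypothetical and constructed here.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

# Hypothetical parameter names and hosts for illustration; not code from any site in the article.
REDIRECT_PARAMS = {"next", "redirect", "url", "return", "continue"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def safe_redirect_target(param_value: str, default: str = "/") -> str:
    """Hardened redirect: accept only a same-site relative path, else fall back to default.
    (The vulnerable form simply returns param_value unchecked.)"""
    target = unquote(param_value or "")
    parsed = urlparse(target)
    # Reject anything with a scheme or host (https://..., //evil, javascript:) and
    # backslashes, which some browsers treat as a slash.
    if parsed.scheme or parsed.netloc or not target.startswith("/") or "\\" in target:
        return default
    return target

def decode_b64_email(token: str) -> Optional[str]:
    """Return the decoded text if token is Base64 concealing an e-mail address."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        decoded = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return decoded if EMAIL_RE.fullmatch(decoded) else None

def inspect_link(link: str) -> dict:
    """Check a URL seen in e-mail: off-site redirect parameter? Base64-encoded address?"""
    outer = urlparse(link)
    result = {"host": outer.netloc, "offsite_redirect": None, "encoded_pii": None}
    for name, values in parse_qs(outer.query).items():
        for value in values:
            inner = urlparse(unquote(value))
            if name in REDIRECT_PARAMS and inner.netloc and inner.netloc != outer.netloc:
                result["offsite_redirect"] = inner.netloc
    for token in TOKEN_RE.findall(unquote(link)):
        email = decode_b64_email(token)
        if email:
            result["encoded_pii"] = email
    return result

# Constructed sample (made-up hosts): a redirect parameter on a trusted-looking host
# points at a credential-harvesting page with the victim's Base64 e-mail appended.
SAMPLE_PII = base64.b64encode(b"victim@corp.example").decode()
SAMPLE_LINK = "https://redirect.example.com/go?next=" + quote(
    "https://login-verify.example.net/microsoft/#" + SAMPLE_PII, safe="")
```

Running `inspect_link(SAMPLE_LINK)` reports the off-site destination and the decoded address, while `safe_redirect_target` turns every absolute or protocol-relative destination into the fallback path.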