"Open Redirect Flaws in American Express and Snapchat Exploited in Phishing Attacks"
Security researchers at Inky have discovered that open redirect vulnerabilities affecting American Express and Snapchat websites were exploited earlier this year as part of phishing campaigns targeting Microsoft 365 users. Open redirect flaws arise when a site takes a destination URL from a request parameter and redirects the browser to it without validating that destination (for example, against an allowlist of permitted hosts or same-site paths), which lets threat actors craft links whose visible domain is the legitimate one but whose redirect parameter points to a malicious site. The researchers stated that because the manipulated link contains a legitimate domain name, the user might consider the link safe. The trusted domain, however, serves only as a brief intermediate hop: the browser is immediately forwarded to the attacker's page.

From mid-May to late July, the researchers observed roughly 7,000 phishing emails that originated from various hijacked accounts and that attempted to exploit the open redirect in snapchat[.]com. Over the course of two days at the end of July, roughly 2,000 phishing emails attempted to exploit the americanexpress[.]com open redirect vulnerability.

In both the Snapchat and the American Express exploits, the adversaries inserted personally identifiable information (PII) into the URL so that the malicious landing pages could be customized on the fly for the individual victims. In both cases, the attackers encoded the insertions to make them look like random characters and to prevent victims from recognizing the PII strings in the link.

The phishing emails in the Snapchat campaign impersonated DocuSign, FedEx, and Microsoft, but all were designed to redirect victims to websites meant to harvest the credentials of Microsoft 365 users. The open redirect vulnerability was reported to Snapchat on August 4, 2021, but has remained unpatched.

As part of the American Express campaign, newly created domains were used to send phishing emails that redirected victims to Microsoft credential harvesting sites. American Express patched the vulnerability quickly, and the phishing links no longer work.
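The mechanism described above, as an added example that is not part of Inky's report or of either company's code: a redirect handler that trusts its destination parameter beside a hardened one, a function that builds the kind of link the campaigns used (trusted host in front, off-site landing page and base64-encoded victim address hidden in the parameter), and a mail-filter check that flags such links. The host names (`www.trusted.example`, `login-m365.evil.example`), the `/redirect` endpoint, the `url` and `id` parameter names and the sample addresses are all constructed for illustration and are not the real endpoints or parameters of snapchat[.]com or americanexpress[.]com.

```python
"""Open-redirect abuse and detection (added example; hosts, endpoint and
parameter names are assumptions, not the real sites' endpoints)."""
import base64
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical trusted site whose redirect endpoint takes a "url" parameter.
TRUSTED_HOST = "www.trusted.example"
# Hosts the hardened handler is willing to redirect to (assumed allowlist).
ALLOWED_REDIRECT_HOSTS = {"www.trusted.example", "help.trusted.example"}


def vulnerable_redirect_target(request_url: str) -> Optional[str]:
    """What an open redirect does: hand back the 'url' parameter verbatim.
    Whatever the attacker put there becomes the Location header."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("url", [None])[0]


def safe_redirect_target(request_url: str) -> str:
    """Hardened handler: accept only a same-site absolute path or an allowlisted
    host; anything else (other hosts, '//evil', 'user@host' tricks, backslashes)
    falls back to the site root."""
    target = vulnerable_redirect_target(request_url)
    if target is None or "\\" in target:
        return "/"
    parts = urlsplit(target)
    same_site_path = (
        parts.scheme == "" and parts.netloc == ""
        and target.startswith("/") and not target.startswith("//")
    )
    if same_site_path:
        return target
    # parts.hostname strips any 'user@' prefix, so "trusted@evil" resolves to evil.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return "/"


def build_phishing_link(victim_email: str, landing: str) -> str:
    """The attacker's side: the real landing page carries the victim's address
    base64-encoded (looks like random characters, pre-fills the fake login),
    and the whole destination hides behind the trusted host's redirect."""
    tag = base64.urlsafe_b64encode(victim_email.encode()).decode().rstrip("=")
    final = f"{landing}?id={tag}"
    query = urlencode({"url": final})
    return urlunsplit(("https", TRUSTED_HOST, "/redirect", query, ""))


def flag_redirect_abuse(link: str) -> Optional[dict]:
    """Mail-filter check: a link on the trusted host whose redirect parameter
    points off-site is suspicious. Returns the hop, the true destination and
    any decodable base64 tag found in it; None when the link looks benign."""
    if urlsplit(link).hostname != TRUSTED_HOST:
        return None
    target = vulnerable_redirect_target(link)
    if target is None:
        return None
    tparts = urlsplit(target)
    if tparts.hostname in ALLOWED_REDIRECT_HOSTS or (tparts.scheme == "" and tparts.netloc == ""):
        return None
    pii = None
    for value in parse_qs(tparts.query).get("id", []):
        try:
            padded = value + "=" * (-len(value) % 4)  # restore stripped padding
            pii = base64.urlsafe_b64decode(padded).decode()
        except (ValueError, UnicodeDecodeError):
            continue
    return {"hop": TRUSTED_HOST, "destination": tparts.hostname, "pii": pii}


if __name__ == "__main__":
    # Constructed sample, not a captured campaign URL.
    link = build_phishing_link("victim@corp.example", "https://login-m365.evil.example/auth")
    print("phishing link:", link)
    print("open redirect sends browser to:", vulnerable_redirect_target(link))
    print("hardened handler sends browser to:", safe_redirect_target(link))
    print("filter verdict:", flag_redirect_abuse(link))
```

The detection function is the part a mail gateway would actually run: URL-rewriting or "safe link" checks that only look at the outer host see the trusted domain and pass the message, so the check has to parse the redirect parameter and judge the host it contains, which is exactly the inspection the vulnerable endpoint itself failed to do.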