An email security firm has detailed, in a blog post, a phishing campaign that abuses unsecured American Express and Snapchat sites.
The campaign exploits a well-known open redirect vulnerability, which lets threat actors supply their own redirect URL and so send traffic to fraudulent sites designed to steal user information.
From mid-May to mid-July, Maryland-based security firm INKY Security tracked attack activity related to the vulnerability.
To deceive and harvest credentials from unsuspecting Google Workspace and Microsoft 365 users, the phishing attack leverages a known open redirect vulnerability (CWE-601) and popular brand recognition.
The attacks targeted unsecured Snapchat and American Express websites. Over a two-and-a-half-month period, the Snapchat-based campaign accounted for over 6,800 attacks. The American Express-based attacks were far more effective, affecting over 2,000 users in just two days.
The Snapchat-based emails directed users to bogus DocuSign, FedEx, and Microsoft websites in order to steal user credentials.
The open redirect vulnerability in Snapchat was discovered more than a year ago by openbugbounty. Unfortunately, the exploit appears to have gone unnoticed.
American Express appears to have since fixed the vulnerability; the attacks that exploited it redirected users to a fake O365 login page similar to the one used in the Snapchat-based attacks.
This phishing attack employs three primary techniques: brand impersonation, credential harvesting, and account hijacking.
Brand impersonation relies on recognizable logos and trademarks to win the potential victim's trust, so that the user enters credentials into the fraudulent site, where they are harvested.

Once credentials are harvested, attackers can sell them to other criminals or use them to gain access to the victim's personal and financial information. Open redirect flaws do not receive the same level of care and attention as other identified exploits. Furthermore, the user bears the majority of the risk rather than the site owner.
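To make the open redirect class (CWE-601) described above concrete, here is an added example, not code from INKY or from either affected site, showing the vulnerable pattern beside a hardened redirect check on a hypothetical site (`www.example.com`, its `/redirect?next=` endpoint and the `evil.example` lure host are all constructed for illustration):

```python
from urllib.parse import urlparse, urljoin, parse_qs

# Hypothetical site operating a /redirect?next=... endpoint (constructed for this example).
SITE_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"


def unsafe_redirect_target(next_url: str) -> str:
    """The CWE-601 pattern: the attacker-controlled parameter is used verbatim."""
    return next_url


def safe_redirect_target(next_url: str) -> str:
    """Return next_url only if it lands on an allowlisted host, else a safe default.

    Covers the usual bypasses of naive checks: absolute URLs to other hosts,
    scheme-relative '//evil.example', backslash variants, non-http(s) schemes,
    and 'https://www.example.com@evil.example' userinfo tricks.
    """
    if not next_url:
        return DEFAULT_TARGET
    # Browsers treat '\' as '/' in the authority part, so normalise before parsing.
    candidate = next_url.strip().replace("\\", "/")
    # Resolve against our own origin: a relative path stays here, '//host' does not.
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved


def final_destination(link: str, param: str = "next", hardened: bool = True) -> str:
    """Where a /redirect link taken from an email would actually send the user."""
    query = parse_qs(urlparse(link).query)
    target = query.get(param, [""])[0]
    return safe_redirect_target(target) if hardened else unsafe_redirect_target(target)


if __name__ == "__main__":
    # Constructed sample: a phishing-style link abusing the open redirect.
    lure = "https://www.example.com/redirect?next=https://evil.example/o365-login"
    print("vulnerable:", final_destination(lure, hardened=False))  # off-site
    print("hardened:  ", final_destination(lure))                  # "/"
```

The allowlist is the key control: checking that the parameter merely "starts with" the site's domain or contains a leading slash is what the bypass forms in the docstring are designed to defeat.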