Separate phishing campaigns are targeting 1000s of victims impersonating FedEx & Microsoft, among others, to fool victims.
Attackers are exploiting a well-known open redirect flaw to phish credentials & personally identifiable information (PII) using American Express & Snapchat domains, researchers have discovered.
Threat players impersonated Microsoft & FedEx among other brands in 2 different campaigns, which researchers from INKY observed from mid-May until late July, they stated in a blog post published online.
Redirect Vulnerabilities
Attackers took advantage of redirect vulnerabilities affecting American Express & Snapchat domains, the former of which eventually was patched while the latter still is not, researchers explained.
Open redirect is a type of security vulnerability that happens when a website fails to validate user input, which then allows bad players to manipulate the URLs of domains from legitimate entities (with good reputations) to redirect victims to malicious sites, researchers outlined. The vulnerability is well known & tracked as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’).
Domain Name
“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer,” INKY’s Roger Kay explained in the post.
An example of the malicious redirect domain is: http[://]safe[.]com/redirect?[url=http:]//malicious[.]com. The trusted domain, then—in this case, American Express or Snapchat—is used as a temporary landing page before the victim of the campaign is redirected to a malicious site.
Phishing E-Mails
During the 2 & a-half-month period over which the campaigns were observed, researchers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts, they revealed.
Also, over just 2 days in late July, they observed the americanexpress[.]com open redirect vulnerability in 2,029 phishing emails that originated from newly created domains.
Similarities
Both campaigns started with phishing emails using typical social-engineering tactics to try to fool users into clicking on malicious links or attachments, researchers observed.
The 2 campaigns also both used exploits in which attackers inserted PII in the seeming legitimate URL so that the malicious landing pages could be customised for the individual victims, they stated.
Base 64
“This insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters,” Kay wrote. “We inserted our own random characters into these strings so that the casual observer would not be able to reverse engineer the PII strings.”
When being redirected to another site, victims would think the link was going somewhere safe; however unknown to them, the domains to which they were being redirected were malicious sites to harvest their credentials or expose them to malware, researchers surmised.
Campaign Characteristics
Though there were similarities between the 2 campaigns, there also were tactics unique to each one, researchers explained.
The phishing emails in the Snapchat open redirect group impersonated DocuSign, FedEx & Microsoft, & all had snapchat open redirects that led to Microsoft credential harvesting sites, researchers commented.
The open redirect vulnerability on the Snapchat domain was unpatched at the time of the campaign, & remains so, though Open Bug Bounty reported it to the company on Aug. 4, 2021, Kay noted.
Unpatched
The open redirect bug on the American Express domain also appeared unpatched at 1st, he suggested. When the phishing campaign using it 1st started, the open redirect link went to Microsoft credential harvesting sites, researchers observed.
However, soon afterwards, American Express patched the vulnerability, Kay outlined.
“Now, users who click the link end up on a real American Express error page,” he wrote.
Mitigation & Prevention
Beyond patching open-redirect flaws on their domains, website owners usually do not give these vulnerabilities the attention they warrant, likely “because they don’t allow attackers to harm or steal data from the site,” Kay noted.
“From the website operator’s perspective, the only damage that potentially occurs is harm to the site’s reputation,” he wrote.
If domain owners wish to mitigate attacks using open redirect further, they can take a few simple steps, Kay noted.
One is obvious: Avoid the implementation of redirection in the site architecture altogether, he outlined. However, if it is necessary for commercial reasons, domain owners can implement an ‘allowlist’ of approved safe links to mitigate open-redirect abuse.
Disclaimer
Domain owners may also present users with an external redirection disclaimer that requires user clicks before redirecting to external sites, Kay added.
As it is the victims of these campaigns that are the losers—with the potential to be relieved of credentials, data, & possibly even money—they also should take some steps to protect themselves, he noted.
URLs
When examining links as they browse sites online, people should keep an eye out for URLs that include, for example, “url=,” “redirect=,” “external-link,” or “proxy.” These strings may indicate that a trusted domain could redirect to another site, Kay noted.
Recipients of emails with links also should check them for multiple occurrences of “http” in the URL, another potential indication of redirection, he concluded.