Why it matters: An email security firm has published a blog post detailing a phishing campaign that abuses unsecured American Express and Snapchat sites. The attack relies on a known open redirect vulnerability: the site accepts an attacker-specified redirect URL, so a link that begins on a legitimate domain ends up on a fraudulent site built to steal user information.
Maryland-based security company INKY Security tracked attacks exploiting the vulnerability from mid-May to mid-July. The campaign combines a known open redirect weakness (CWE-601) with brand impersonation to defraud unsuspecting Google Workspace and Microsoft 365 users and harvest their credentials.
The attacks abused the insecure Snapchat and American Express sites. The Snapchat-based campaign accounted for over 6,800 attacks in two and a half months, while the American Express variant was far more effective, affecting more than 2,000 users in just two days.
The Snapchat-based emails sent users to fraudulent DocuSign, FedEx, and Microsoft sites that collected their credentials. The open redirect vulnerability in Snapchat was originally reported through Open Bug Bounty over a year ago; unfortunately, it has still not been fixed.
American Express appears to have patched its vulnerability, which redirected users to a fake O365 login page similar to the one used in the Snapchat-based attacks.
This particular phishing attack uses three main methods: brand impersonation, credential harvesting, and account hijacking. Brand impersonation relies on recognizable logos and trademarks to create a sense of trust in the potential victim, who then enters credentials into a fraudulent site that collects them. Once collected, the attackers can sell the stolen information to other criminals for profit, or use it themselves to access the victim's personal and financial information.
Open redirect vulnerabilities generally do not receive the same level of care and attention as other classes of bugs. In addition, the party most at risk is the user, not the site owner. The blog post contains additional information and guidance to help users stay safe and keep their data out of the wrong hands, including tips on the key terms and symbols in a link that indicate whether a redirect actually leads to a trusted domain.
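To make the two halves of the problem concrete, here is an added example (not INKY's or TechSpot's code, and not taken from the affected sites) in Python. The first function shows the defect behind an open redirect: a redirect parameter is used exactly as supplied. The second is the hardened form a site owner would deploy: only same-site relative paths or absolute http(s) URLs whose host is on an allowlist are honoured, with scheme-relative (`//host`), backslash and `user@host` tricks rejected. The last function does what the article's tips ask a reader to do by hand: it pulls the embedded destination out of a link's redirect parameter so the link's host can be compared with where the browser will actually end up. The host names, allowlist and redirect parameter names are constructed for the example.

```python
"""Open redirect: the defect, a hardened validator, and a link checker.
Added example; all hosts and parameter names below are constructed."""
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of hosts a site is willing to redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Commonly seen redirect parameter names (constructed list for this example).
REDIRECT_PARAMS = ("url", "redirect", "next", "return", "returnUrl", "goto", "dest")


def vulnerable_redirect_target(requested: str) -> str:
    """The defect behind open redirects: the user-supplied value is used as-is,
    so any attacker-chosen URL becomes the Location of the 302 response."""
    return requested


def is_safe_redirect(requested: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site relative path or an absolute http(s) URL whose
    host is on the allowlist."""
    if not requested or "\\" in requested:
        # Empty value, or backslashes some browsers treat as slashes.
        return False
    parsed = urlparse(requested)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with exactly one '/', never '//'.
        return requested.startswith("/") and not requested.startswith("//")
    if parsed.scheme not in ("http", "https"):
        # Rejects scheme-relative '//host/...' (empty scheme, non-empty netloc)
        # and non-web schemes alike.
        return False
    # .hostname strips any 'user@' prefix, so 'https://www.example.com@other/'
    # is judged by its real host, 'other'.
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def safe_redirect_target(requested: str, fallback: str = "/",
                         allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened form: fall back to the site root when the target is untrusted."""
    return requested if is_safe_redirect(requested, allowed_hosts) else fallback


def redirect_destination(link: str):
    """Return (link_host, embedded_destination_host) for a link found in mail.

    link_host is the domain the user sees; the embedded host is where the
    browser lands if link_host has an open redirect. A mismatch between the two
    is the signal to look for. The second element is None when no absolute
    redirect target is embedded."""
    parsed = urlparse(link)
    link_host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    for name in REDIRECT_PARAMS:
        if name in query:
            dest = urlparse(query[name][0])
            if dest.hostname:
                return link_host, dest.hostname.lower()
    return link_host, None


if __name__ == "__main__":
    # Constructed sample link of the kind the article describes.
    sample = "https://trusted.example/redir?url=https://login-docs.example/verify"
    print(redirect_destination(sample))
    print(safe_redirect_target("https://login-docs.example/verify"))
```

The validator deliberately checks the parsed host rather than doing a string search for the trusted domain, since substring or prefix checks (`startswith("https://www.example.com")`) are exactly what the `user@host` and lookalike-domain forms defeat. The link checker only reads the query string; a site that encodes the target in the path, or base64-encodes it, would need a matching decoder.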
Image credit: INKY Security
Credit: www.techspot.com