Attackers abused open redirects on the websites of Snapchat and American Express as part of a phishing campaign targeting Microsoft 365 users.
The term Open URL redirection, open redirects, refers to a security issue that makes it easier for attackers to direct users to malicious resources under the control of the attackers.
Open redirect occurs when a website fails to validate user input, allowing attackers to manipulate the URLs of high reputation domains to redirect victims to malicious sites. Victims will trust the link because the first domain name in the manipulated link is a trusted domain like American Express and Snapchat.
“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.” reads a post published by Inky.
“The following example shows an open redirect link. A surfer sees the link going to a safe site (safe.com) but may not realize this domain will redirect them to a malicious site (malicious.com), which may harvest credentials or distribute malware.
During the two months, INKY researchers observed phishing attacks leveraging snapchat[.]com open redirect. The attackers sent 6,812 phishing emails originating from various hijacked accounts. Below is the Snapchat link manipulated to redirect to malicious site:
https://click.snapchat[.]com/aVHG?=http://29781.google.com&af_web_dp=http://qx.oyhob.acrssd[.]org. #.aHR0cHME6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzI0MjY4ZTMyLT E2MEmQtNDUxYi1hNTc4LWZhNzg0OTdiZjM4NC1idWWNrZXQvb2Z maWNlMzY1Lmh0bWwjYWNvb3BlckBjcHRsaGVhbHRoLmNvbQ==
The phishing messages exploiting the Snapchat open redirect impersonated DocuSign, FedEx, and Microsoft and led to landing sites designed to harvest Microsoft credentials.
The experts reported the Snapchat vulnerability to the company through the Open Bug Bounty platform on August 4, 2021, but the issue is yet to be addressed.
Unlike Snapchat, American Express quickly fixed the issue being exploited in late July.
“When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.” concludes the report. “Recipients of emails with links should also examine them for multiple occurrences of “http” in the URL, another potential indication of redirection. Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture.”
If the redirection is necessary for commercial reasons, domain owners should present users with an external redirection disclaimer that requires user clicks before redirecting to external sites.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, open redirects)