Attackers abused open redirects on the websites of Snapchat and American Express as part of a phishing campaign targeting Microsoft 365 users.
The term Open URL redirection, open redirects, refers to a security issue that makes it easier for attackers to direct users to malicious resources under the control of the attackers.
Open redirect occurs when a website fails to validate user input, allowing attackers to manipulate the URLs of high reputation domains to redirect victims to malicious sites. Victims will trust the link because the first domain name in the manipulated link is a trusted domain like American Express and Snapchat.
“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.” reads a post published by Inky.
“The following example shows an open redirect link. A surfer sees the link going to a safe site (safe.com) but may not realize this domain will redirect them to a malicious site (malicious.com), which may harvest credentials or distribute malware.
http://safe.com/redirect?url=http://malicious.com “
During the two months, INKY researchers observed phishing attacks leveraging snapchat[.]com open redirect. The attackers sent 6,812 phishing emails originating from various hijacked accounts. Below is the Snapchat link manipulated to redirect to malicious site:
https://click.snapchat[.]com/aVHG?=http://29781.google.com&af_web_dp=http://qx.oyhob.acrssd[.]org. #.aHR0cHME6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzI0MjY4ZTMyLT E2MEmQtNDUxYi1hNTc4LWZhNzg0OTdiZjM4NC1idWWNrZXQvb2Z maWNlMzY1Lmh0bWwjYWNvb3BlckBjcHRsaGVhbHRoLmNvbQ==
The phishing messages exploiting the Snapchat open redirect impersonated DocuSign, FedEx, and Microsoft and led to landing sites designed to harvest Microsoft credentials.
The experts reported the Snapchat vulnerability to the company through the Open Bug Bounty platform on August 4, 2021, but the issue is yet to be addressed.
Unlike Snapchat, American Express quickly fixed the issue being exploited in late July.
“When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.” concludes the report. “Recipients of emails with links should also examine them for multiple occurrences of “http” in the URL, another potential indication of redirection. Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture.”
If the redirection is necessary for commercial reasons, domain owners should present users with an external redirection disclaimer that requires user clicks before redirecting to external sites.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, open redirects)
[adrotate banner=”5″]
[adrotate banner=”13″]
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
This website uses cookies.