
Snapchat and American Express websites are being exploited in Microsoft 365 phishing attacks

Attackers used phishing emails to steal Microsoft 365 login information by taking advantage of open redirection on the American Express and Snapchat websites.

Open redirects are web-application weaknesses that let an attacker use a trusted brand's own domain as the first hop of a phishing link. The URL the victim sees begins with a reputable site, which then forwards them to an attacker-controlled page that serves malware or tricks them into entering sensitive information.

Security company INKY Security, located in Maryland, monitored attack activity related to the vulnerability from May to July.

According to Inky:

To an untrained eye the link may look safe, since the original site's name appears where it belongs at the start of the modified link. Before the visitor is sent to a malicious site, the reputable site (American Express or Snapchat) serves as a temporary landing page.

The phishing campaign combines a well-known open redirect vulnerability (CWE-601) with the recognition that trusted brands enjoy to deceive Google Workspace and Microsoft 365 users and steal their credentials.

Inky further says: "This vulnerability is included in Mitre's Common Weakness Enumeration as CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). We requested answers from American Express and Snapchat."

Figure: Microsoft phishing email abusing an open redirect (source: Inky)

Early in the campaign, the American Express open redirect sent victims on to Microsoft credential-harvesting sites. American Express fixed the issue quickly; customers who click the same links now land on a genuine American Express error page.

Exploited to lure victims

In just two days in late July, INKY engineers detected 2,029 phishing emails sent from newly registered domains that abused the American Express open redirect.

INKY researchers report that over a period of two and a half months they saw 6,729 phishing emails, sent from hijacked Google Workspace and Microsoft 365 accounts, that used the Snapchat open redirect. The emails impersonated FedEx, Microsoft or DocuSign and sent recipients to landing pages that asked them to enter their Microsoft login credentials.

The Snapchat open redirect was reported to the company through the Open Bug Bounty platform on August 4, 2021, but at the time of writing it had not been fixed. The American Express open redirect was fixed quickly after a couple of days of abuse in late July; links in newer attacks that still rely on it land on the American Express error page.

Figure: the genuine American Express error page that the fixed redirect now shows (source: Inky)

Before the fix, the Amex open redirect was used in 2,029 phishing emails carrying Microsoft Office 365 lures, sent from recently registered domains and intended to steer victims to Microsoft credential-harvesting sites.

Inky explained:

The black hats inserted personally identifiable information (PII) into the URL in both the Snapchat and the American Express exploits, allowing the malicious landing pages to be instantly personalised for the specific victims. In both instances, this insertion was disguised by converting it to Base 64 to make it appear like a collection of random characters.

Recommendation

Security-conscious users examining a link should look for strings such as "url=", "redirect=", "external-link" or "proxy". These often indicate that a trusted domain will forward the visitor to another site.

Recipients of emails containing links should also look for "http" appearing more than once in a single URL, another sign of redirection. Domain owners can remove the exposure altogether by not building redirection into their site architecture.
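As an added example (not from the article, INKY or either brand), the checks above turned into a small Python triage routine. It follows redirect-style parameters, counts the scheme markers in the unquoted URL, and, because the attackers Base64-encoded victim PII into the URL, decodes Base64-looking parameters and reports an embedded e-mail address. The parameter-name list is a starter set and the hosts in the constructed sample are placeholders under .example, not real domains.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Parameter names commonly used by redirect endpoints. Assumption: a starter
# list seeded from the indicators in the article; extend it from your own
# mail telemetry.
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_uri", "redirect_url", "next", "return",
    "returnurl", "return_to", "goto", "dest", "destination", "target",
    "link", "external-link", "proxy",
}
# Path fragments the article names as redirect indicators.
PATH_HINTS = ("redirect", "external-link", "proxy")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_email(value):
    """Return the e-mail address hidden in a Base64 parameter, or None.

    An address is the usual PII payload, so that is the only shape recognised.
    parse_qsl turns '+' into a space, so spaces are restored to '+' first.
    """
    try:
        text = base64.b64decode(value.replace(" ", "+"), validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if EMAIL_RE.match(text) else None


def triage_url(url, _depth=0):
    """Follow redirect-style parameters and list the indicators found.

    Returns {"findings": [...], "final_host": str, "suspicious": bool}; the
    final host is the one the victim actually lands on, which is what should
    be compared with the brand the e-mail claims to come from.
    """
    if url.startswith("//"):          # scheme-relative target, common in lures
        url = "https:" + url
    parts = urlsplit(url)
    findings = []
    final_host = parts.hostname

    if _depth == 0:
        hops = len(re.findall(r"https?:", unquote(url), flags=re.I))
        if hops > 1:
            findings.append(f"'http' appears {hops} times in one URL (nested URL)")
    if any(hint in parts.path.lower() for hint in PATH_HINTS):
        findings.append(f"redirect-style path {parts.path!r}")

    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        is_hop = key.lower() in REDIRECT_PARAMS and re.match(r"^(https?:)?//", value, re.I)
        if is_hop and _depth < 3:     # bounded so a crafted chain cannot recurse forever
            inner = triage_url(value, _depth + 1)
            findings.append(f"{key}= forwards {parts.hostname} -> {urlsplit(value).hostname}")
            findings.extend(inner["findings"])
            final_host = inner["final_host"]
        email = decode_b64_email(value)
        if email:
            findings.append(f"{key}= is Base64 for {email!r}")
    return {"findings": findings, "final_host": final_host, "suspicious": bool(findings)}


# Constructed sample in the shape the article describes: a trusted brand's
# redirect endpoint forwarding to a look-alike login page, with the victim's
# address Base64-encoded so the page can be personalised. Placeholder hosts.
VICTIM_TOKEN = base64.b64encode(b"victim@example.com").decode()
LURE_URL = (
    "https://trusted-brand.example/external-link?url="
    + quote("https://login-m1crosoft.example/?e=" + VICTIM_TOKEN, safe="")
)

if __name__ == "__main__":
    report = triage_url(LURE_URL)
    for line in report["findings"]:
        print("-", line)
    print("victim lands on:", report["final_host"])
```

The routine reports the hop chain rather than a verdict on its own: a legitimate site may use a redirector internally, so the decision is whether the final host belongs to the brand the message claims to be from.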

Where redirection is needed, domain owners can show visitors a disclaimer about external redirection that must be clicked before they are sent on to another site.
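An added example, not the article's or either company's code, of the two postures the domain-owner recommendations contrast: a redirect handler that forwards wherever a caller points (the CWE-601 pattern) beside a hardened one that only redirects to its own paths or an allow-list of its own hosts and renders the click-through page for anything external. The allow-listed hosts and the .example names are placeholders.

```python
import html
from urllib.parse import urlsplit

# Hosts this site is willing to redirect to. Assumption: placeholder names
# standing in for a brand's own properties.
ALLOWED_HOSTS = {"www.trusted-brand.example", "help.trusted-brand.example"}


def vulnerable_redirect(requested):
    """The CWE-601 pattern: whatever the caller put in the parameter becomes
    the Location header, so the trusted host forwards to any site at all."""
    return ("redirect", requested)


def decide_redirect(requested, allowed_hosts=ALLOWED_HOSTS):
    """Hardened replacement. Returns one of
    ("redirect", url)       same-origin path or allow-listed host
    ("interstitial", url)   external site: show the leaving page instead
    ("reject", reason)      malformed or non-http(s) target
    """
    target = requested.strip()
    # Backslashes and control characters are browser parser tricks:
    # browsers treat "/\\evil.example" like "//evil.example".
    if any(ch == "\\" or ord(ch) < 0x20 for ch in target):
        return ("reject", "control character or backslash in target")
    # A plain path stays on our origin; "//host" is scheme-relative and does not.
    if target.startswith("/") and not target.startswith("//"):
        return ("redirect", target)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ("reject", "not an absolute http(s) URL")
    # .hostname drops userinfo, so "https://www.trusted-brand.example@evil.example/"
    # is judged on evil.example; a look-alike suffix domain does not match either.
    if parts.hostname.lower() in allowed_hosts:
        return ("redirect", target)
    return ("interstitial", target)


def render_interstitial(target):
    """The click-through page the article recommends, for targets that
    decide_redirect classified as external: the destination is shown
    HTML-escaped and reached only by the user's click, never by a 3xx."""
    safe = html.escape(target, quote=True)
    return (f"<p>You are leaving trusted-brand.example for <code>{safe}</code>.</p>"
            f'<a href="{safe}" rel="noopener noreferrer">Continue</a>')


if __name__ == "__main__":
    for candidate in ("/account",
                      "https://help.trusted-brand.example/faq",
                      "//evil.example/",
                      "/\\evil.example",
                      "https://www.trusted-brand.example@evil.example/",
                      "https://www.trusted-brand.example.evil.example/",
                      "https://login-m1crosoft.example/"):
        print(f"{candidate!r:52} vulnerable={vulnerable_redirect(candidate)[0]:9} "
              f"hardened={decide_redirect(candidate)}")
```

Matching on the parsed hostname against an exact allow-list, rather than checking that the string starts with or contains the brand's domain, is what defeats the userinfo and suffix look-alike tricks shown in the sample run.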

Help your colleagues spot these phishing emails by starting your Phishing Tackle security awareness training today with our two-week free trial.
