Attackers have been exploiting open redirects on Snapchat and Amex websites as part of a phishing campaign. However, this isn’t the first time. An open redirect is a flaw in which a site lets any user supply an arbitrary redirect URL and then forwards traffic to it.

Latest campaign

  • From May to July, threat actors were found sending phishing emails that abused open redirects on websites of Amex and Snapchat.
  • The trusted domains serve only as a brief landing point from which the victim is forwarded to the malicious site.
  • The attackers inserted PII into the URL to ensure that the malicious sites could be personalized for individual targets. 
  • INKY researchers observed the abuse of snapchat[.]com open redirect bug in 6,812 phishing emails and the americanexpress[.]com bug in 2,029 instances.
  • Phishing emails related to Snapchat impersonated Microsoft, DocuSign, and FedEx. All the open redirects led to Microsoft credential harvesting pages. 
  • During the initial phases of the campaign, the Amex link went to Microsoft credential harvesting pages but Amex has patched the flaw. 

Further research

  • Resecurity identified a phishing kit used by threat actors to conduct these attacks. 
  • Named LogoKit, the phishing kit was previously used in attacks against O365, GoDaddy, Bank of America, and Virgin Fly customers, along with other financial institutions and international online services. 
  • A campaign using LogoKit was spotted in July, which targeted O365 users from the U.S. and Latin America.

Why this matters

Website owners usually don’t pay much heed to open redirects because they don’t let adversaries steal data from the site itself. Nevertheless, the victims have the most to lose in the form of data, credentials, and most likely, money. Victims often assume they are being sent to a safe site, unaware that they are being redirected to a malicious credential harvesting page.

The bottom line

Users are urged to examine links for URLs containing “url=”, “redirect=”, “external-link”, or “proxy”. Such strings can indicate that a trusted domain will redirect to another site, which may be malicious. Domain owners can stop this exploitation by not implementing redirection in the site architecture.
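The check described above, as an added example that is not part of the article or of the INKY or Resecurity research: a mail-side scanner that flags links whose `url`, `redirect`, `external-link` or `proxy` parameter points to a host outside the link's own domain, and the server-side counterpart, a redirect handler that honours only allowlisted hosts. The domain names, the parameter list and the two-label domain approximation are assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Parameter names the article singles out (assumption: extend for your own site).
REDIRECT_PARAMS = {"url", "redirect", "external-link", "proxy"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (assumption, fine for .example hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_external_redirects(link: str) -> list[tuple[str, str]]:
    """Return (parameter, target_host) pairs whose value points off-domain.

    Handles percent-encoded values and scheme-relative ones ('//host/path'),
    two common ways a foreign host is slipped past a naive string check.
    """
    parsed = urlparse(link)
    own = registrable_domain(parsed.hostname or "")
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for raw in values:
            value = unquote(raw)  # parse_qs already decodes once; double encoding is common
            if value.startswith("//"):
                value = "https:" + value  # scheme-relative still leaves the site
            target = urlparse(value).hostname
            if target and registrable_domain(target) != own:
                hits.append((name, target))
    return hits


def safe_redirect_target(requested: str, allowed_hosts: set[str]) -> str:
    """Server side: honour a redirect only to an allowlisted host or a same-site
    path; anything else (foreign host, javascript:, //host) falls back to '/'."""
    value = unquote(requested)
    if value.startswith("//"):
        value = "https:" + value
    p = urlparse(value)
    if p.scheme in ("http", "https") and p.hostname and p.hostname.lower() in allowed_hosts:
        return value
    if not p.scheme and not p.netloc and value.startswith("/") and not value.startswith("//"):
        return value  # relative path on the same site
    return "/"


if __name__ == "__main__":
    # Constructed sample link in the style the article describes: trusted host, foreign target.
    sample = "https://www.trusted.example/out?redirect=https%3A%2F%2Flogin.phish.example%2Fo365"
    print(find_external_redirects(sample))  # [('redirect', 'login.phish.example')]
```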
Cyware Publisher