Open redirects, a classic weakness found in many of the world’s biggest web pages, are reportedly being used to steal login credentials (opens in new tab) for Microsoft 365 accounts.
According to experts from security firm Inky, the method was used to send more than 6,800 phishing emails from Google Workspace, posing as Snapchat, in the last two and a half months. As for American Express, the team identified more than 2,000 phishing emails.
Identity theft (opens in new tab) is one of the more popular cybercriminal activities, as the data can be successfully leveraged for other forms of fraud.
AmEx moves fast, Snapchat lags
Open redirects allow threat actors to use other people’s domains and websites as temporary landing pages, before sending the victims to the phishing page. That way, when the attacker sends a phishing email, the link in the email’s body might look legitimate, further encouraging people to click.
“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer,” Inky says. “The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.”
After learning about the flaw, American Express took only a few days to patch things up, while Snapchat, although notified by the researchers more than a year ago, is yet to fix the issue.
“In both the Snapchat and the American Express exploits, the black hats inserted personally identifiable information (PII) into the URL so that the malicious landing pages could be customized on the fly for the individual victims,” Inky added. “And in both, this insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters.”
While the links may look legitimate, there is a way to spot the fraud, Inky explains. When a user receives such an email, they should inspect the hyperlink for things such as “url=,” “redirect=,” “external-link,” or “proxy” strings or multiple occurrences of “HTTP”, as these will likely show that it’s a redirect.
Website owners should also set up redirection disclaimers, forcing users to click before being redirected to external sites.
Via: BleepingComputer (opens in new tab)