Researchers have discovered that a well-known open redirect flaw is being used to phish people’s credentials and personally identifiable information (PII) via American Express and Snapchat domains. Threat actors impersonated Microsoft and FedEx (among other brands) in two campaigns, which researchers from INKY observed from mid-May through late July, they said in a blog post published online. Attackers took advantage of redirect vulnerabilities affecting American Express and Snapchat domains; the former has since been patched, while the latter still has not, researchers said.
What is the open redirect flaw?
Open redirect is a security vulnerability that occurs when a website fails to validate user input, allowing bad actors to craft URLs on a legitimate, reputable domain that redirect victims to malicious sites. The vulnerability is well-known and tracked as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’). “Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer,” INKY’s Roger Kay explained in the post.
An example of a malicious redirect URL is: http[://]safe[.]com/redirect?//malicious[.]com. The trusted domain, in this case American Express or Snapchat, serves as a temporary landing page before the victim is redirected to a malicious site. During the two-and-a-half-month period over which the campaigns were observed, researchers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts, they said. Meanwhile, over just two days in late July, they observed the americanexpress[.]com open redirect vulnerability in 2,029 phishing emails that originated from newly created domains. Both campaigns started with phishing emails using typical social-engineering tactics to trick users into clicking malicious links or attachments, researchers said. In both campaigns, attackers also inserted PII into the seemingly legitimate URL so that the malicious landing pages could be customized on the fly for each individual victim, they said.
Wondering how you can mitigate this flaw?
Website owners typically don’t give open-redirect flaws on their domains the attention they deserve, let alone patch them, likely “because they don’t allow attackers to harm or steal data from the site,” Kay noted. “From the website operator’s perspective, the only damage that potentially occurs is harm to the site’s reputation,” he wrote. Domain owners who do want to mitigate attacks that abuse open redirects can take a few simple steps, Kay noted.
One is fairly obvious: avoid implementing redirection in the site architecture altogether, he said. Where redirection is necessary for commercial reasons, domain owners can implement an allow list of approved safe destinations to mitigate open-redirect abuse. Domain owners can also present users with an external redirection disclaimer that requires a click before redirecting to an external site, Kay added.
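The allow-list approach Kay describes, shown as an added example written for this article (it is not INKY’s code, and the host names in the allow list are constructed). The function resolves the user-supplied redirect parameter against the site’s own base URL, so the protocol-relative form used in these campaigns (`?//malicious.com`) resolves to an external host and is refused rather than being mistaken for a local path.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed allow list: hosts this site is willing to send users to.
# Exact matching is deliberate; prefix or substring checks would accept
# look-alikes such as safe.com.malicious.com.
ALLOWED_HOSTS = {"safe.com", "www.safe.com", "partner.example.net"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(raw: str, base: str = "https://safe.com/") -> Optional[str]:
    """Return an absolute URL that is safe to place in a Location header,
    or None when the requested target must be refused."""
    # Empty values and anything carrying CR/LF/NUL are refused outright;
    # they are either garbage or an attempt at header injection.
    if not raw or any(c in raw for c in "\r\n\x00"):
        return None
    # Browsers treat backslashes in the authority position as slashes,
    # so normalise them before parsing to avoid a parser mismatch.
    raw = raw.replace("\\", "/")
    # Resolve relative to our own origin. A plain path ('/account') stays on
    # our host; a protocol-relative value ('//malicious.com') acquires that
    # external host, which the allow-list check below then rejects.
    resolved = urljoin(base, raw)
    parts = urlsplit(resolved)
    if parts.scheme not in ALLOWED_SCHEMES:
        return None  # e.g. javascript: or data: URLs
    # Credentials in the authority ('safe.com@malicious.com') are never
    # legitimate for a redirect target on this site.
    if parts.username or parts.password:
        return None
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return None
    return resolved


def needs_external_interstitial(target: str, own_host: str = "safe.com") -> bool:
    """True when an allow-listed target leaves our host, i.e. when the
    'you are leaving this site' click-through Kay mentions should be shown."""
    return urlsplit(target).hostname not in {own_host, f"www.{own_host}"}
```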
In addition, with the ThreatAdvice Breach Prevention Platform, you can rest easy. We provide your organization with one overarching solution to oversee your data security needs. That’s cybersecurity architecture, advanced protection, and comprehensive oversight in one affordable package.