Phishing emails aimed at users of Google Workspace and Microsoft 365 have been sent as a result of open-redirect vulnerabilities affecting the American Express and Snapchat domains.
The term "open redirects" refers to a software vulnerability that makes it simpler for hackers to point users toward harmful resources they control.
Vulnerabilities :
Open redirect occurs when a website doesn't validate user input, allowing hackers to modify the URLs of domains with stellar reviews to route consumers to malicious sites. Because the initial domain name in the altered link is a well-known one, like American Express or Snapchat, victims will believe it.
The link may seem secure to an untrained eye because the first domain name in the modified link is actually the domain name of the original site. According to email security firm INKY, the trusted domain, such as American Express or Snapchat, serves as a temporary landing page before redirecting the user to a malicious website.
DocuSign, FedEx, and Microsoft were used as baits in phishing emails distributed to the Snapchat group, which led to sites that harvest user credentials. Researchers from Inky claim that 6,812 phishing emails sent from Google Workspace and Microsoft 365 hacked over the course of two and a half months used the Snapchat open redirect.
On August 4, 2021, professionals informed Snapchat of a vulnerability through the Open Bug Bounty site, but nothing has been done to fix it.
The matter was made worse by the discovery of the American Express open-redirect vulnerability in more than 2,000 phishing emails in only two days in July. The vulnerability has since been patched, as per the report, and any user who opens the link now is led to an error page on the company's legitimate website.
Prevention cautions
Roger Kay of INKY provided easy measures for preventing open redirect attacks:
- Domain owners can undertake a few easy actions if they want to further reduce open redirect attacks. First, don't use redirection at all in your site architecture. Domain owners can, however, build an allowlist of permitted safe links to reduce open-redirect misuse if it's required for business reasons.
- Additionally, domain owners have the option to display caution about external links before forwarding viewers to external websites.
- Users should be on the lookout for URLs that include things like "url=," "redirect=," "external-link," or "proxy" as they explore websites online. These strings can suggest that a reputable domain might reroute traffic to another website.
- Additionally, recipients of emails with links should look for repeated instances of "http" in the URL, another possible sign of redirection.
