Open Redirect Flaw Snags Amex, Snapchat User Data
Elizabeth Montalbano · 2022-08-05 · via Vulnerabilities – Threatpost

Separate phishing campaigns targeting thousands of victims impersonate FedEx and Microsoft, among others, to trick victims.

Attackers are exploiting a well-known open redirect flaw to phish people’s credentials and personally identifiable information (PII) using American Express and Snapchat domains, researchers have found.

Threat actors impersonated Microsoft and FedEx among other brands in two different campaigns, which researchers from INKY observed from mid-May through late July, they said in a blog post published online. Attackers took advantage of redirect vulnerabilities affecting American Express and Snapchat domains, the former of which eventually was patched while the latter still is not, researchers said.

Open redirect is a security vulnerability that occurs when a website fails to validate user input, which allows bad actors to manipulate the URLs of domains from legitimate entities with good reputations to redirect victims to malicious sites, researchers said. The vulnerability is well known and tracked as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’).

“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer,” INKY’s Roger Kay explained in the post.

An example of the malicious redirect domain is: http[://]safe[.]com/redirect?[url=http:]//malicious[.]com. The trusted domain, then—in this case, American Express or Snapchat—is used as a temporary landing page before the victim of the campaign is redirected to a malicious site.

During the two-and-a-half-month period over which the campaigns were observed, researchers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts, they said. Meanwhile, over just two days in late July, they observed the americanexpress[.]com open redirect vulnerability in 2,029 phishing emails that originated from newly created domains.

Attack Similarities

Both campaigns started with phishing emails using typical social-engineering tactics to try to trick users into clicking on malicious links or attachments, researchers said.

The two campaigns also both used exploits in which attackers inserted PII in the seemingly legitimate URL so that the malicious landing pages could be customized on the fly for the individual victims, they said.

“This insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters,” Kay wrote. “We inserted our own random characters into these strings so that the casual observer would not be able to reverse engineer the PII strings.”

When being redirected to another site, victims would think the link was heading somewhere safe; however, unbeknownst to them, the domains to which they were being redirected were malicious sites set up to harvest their credentials or expose them to malware, researchers said.

Specific Campaign Characteristics

Though there were similarities between the two campaigns, there also were tactics specific to each, researchers said.

The phishing emails in the Snapchat open redirect group impersonated DocuSign, FedEx and Microsoft, and all had Snapchat open redirects that led to Microsoft credential harvesting sites, researchers said.

The open redirect vulnerability on the Snapchat domain was unpatched at the time of the campaign and remains so, though Open Bug Bounty reported it to the company on Aug. 4, 2021, Kay noted.

The open redirect bug on the American Express domain also appeared unpatched at first, he said. When the phishing campaign using it first started, the open redirect link went to Microsoft credential harvesting sites, researchers observed. However, soon after that, American Express patched the vulnerability, Kay said.

“Now, users who click the link end up on a real American Express error page,” he wrote.

Simple Mitigation and Prevention

Beyond patching open-redirect flaws on their domains, website owners typically don’t give these vulnerabilities the attention they deserve, likely “because they don’t allow attackers to harm or steal data from the site,” Kay noted.

“From the website operator’s perspective, the only damage that potentially occurs is harm to the site’s reputation,” he wrote.

If domain owners care to mitigate attacks using open redirect further, they can take a few simple steps, Kay noted. One is pretty obvious: Avoid the implementation of redirection in the site architecture altogether, he said. However, if it’s necessary for commercial reasons, domain owners can implement an allowlist of approved safe links to mitigate open-redirect abuse.

Domain owners can also present users with an external redirection disclaimer that requires user clicks before redirecting to external sites, Kay added.
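The following is an added example, not code from INKY, Threatpost or any of the sites named in the article. It shows the two server-side mitigations Kay describes, an allowlist of approved destinations and an external-redirection interstitial, next to the flawed pattern (a `?url=` parameter copied straight into the `Location` header) that CWE-601 covers. The site origin `https://www.example.com`, the allowlisted hosts and the sample query strings are constructed assumptions; the hardening also rejects the classic bypasses a redirect validator has to expect (protocol-relative `//host`, backslash tricks, non-http schemes, and `user@host` confusion), which go beyond what the article spells out.

```python
import html
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed site origin and allowlist of hosts we are willing to redirect to silently.
SITE_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com", "help.example.com"}


def vulnerable_redirect(query_string):
    """The flawed pattern (CWE-601): whatever ?url= holds becomes the Location header."""
    target = parse_qs(query_string).get("url", [""])[0]
    return 302, {"Location": target}, ""


def classify_redirect(url_param):
    """Decide what to do with a requested redirect target.

    Returns ("redirect", url) for same-site or allowlisted targets,
    ("interstitial", url) for other http(s) targets, and ("reject", None)
    for anything that is not a plain http(s) URL or site-relative path.
    """
    # Whitespace, control characters and backslashes are never legitimate here;
    # browsers treat "/\host" like "//host", so reject before parsing.
    if not url_param or any(ord(c) < 0x20 or c in "\\ " for c in url_param):
        return ("reject", None)
    parts = urlsplit(url_param)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: must start with a single "/" ("//" is protocol-relative).
        if not url_param.startswith("/") or url_param.startswith("//"):
            return ("reject", None)
        return ("redirect", urljoin(SITE_ORIGIN, url_param))
    if parts.scheme not in ("http", "https"):
        # Covers javascript:, data:, and bare "//evil.example" (empty scheme).
        return ("reject", None)
    # .hostname strips userinfo and port, so "https://www.example.com@evil.example"
    # is seen as evil.example; exact matching defeats "www.example.com.evil.example".
    host = (parts.hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return ("redirect", url_param)
    return ("interstitial", url_param)


def interstitial_html(target):
    """Disclaimer page that shows the real destination and requires a click."""
    safe = html.escape(target, quote=True)
    return (
        "<!doctype html><title>Leaving this site</title>"
        f"<p>You are about to leave {html.escape(SITE_ORIGIN)} for "
        f"<code>{safe}</code>, which we do not control.</p>"
        f'<p><a rel="noopener noreferrer" href="{safe}">Continue</a> | '
        '<a href="/">Stay here</a></p>'
    )


def handle_redirect(query_string):
    """Hardened handler: returns (status, headers, body) like a minimal WSGI view."""
    target = parse_qs(query_string).get("url", [""])[0]
    verdict, resolved = classify_redirect(target)
    if verdict == "redirect":
        return 302, {"Location": resolved}, ""
    if verdict == "interstitial":
        return 200, {"Content-Type": "text/html; charset=utf-8"}, interstitial_html(resolved)
    return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid redirect target"


if __name__ == "__main__":
    # Constructed sample query strings exercising each branch.
    for qs in (
        "url=%2Faccount%3Ftab%3D1",
        "url=https%3A%2F%2Fhelp.example.com%2Farticle",
        "url=https%3A%2F%2Fmalicious.example%2Flogin",
        "url=%2F%2Fmalicious.example",
        "url=javascript%3Aalert(1)",
    ):
        status, headers, _ = handle_redirect(qs)
        print(f"{qs:50} -> {status} {headers.get('Location', '')}")
```

The allowlist compares the parsed hostname exactly rather than checking whether the string "starts with" or "contains" the trusted domain, which is the mistake that usually leaves a validator bypassable. Everything that is not on the allowlist still works, but through the interstitial, so a phishing link through this endpoint shows the victim the real destination before any credential page loads.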

As it’s the victims of these campaigns that are the real losers—with the potential to be relieved of credentials, data, and possibly even money—they also should take some steps to protect themselves, he said.

When examining links as they browse sites online, people should keep an eye out for URLs that include, for example, “url=,” “redirect=,” “external-link,” or “proxy.” These strings might indicate that a trusted domain could redirect to another site, Kay noted.

Recipients of emails with links also should check them for multiple occurrences of “http” in the URL, another potential indication of redirection, he said.
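As an added example (not INKY's tooling or anything from the article), the link inspector below turns the indicators Kay lists for email recipients into a check a mail gateway or awareness tool could run: it counts occurrences of "http" after percent-decoding, flags redirect-style parameter names and path fragments such as "external-link" and "proxy", extracts the embedded destination host, and, following the article's note that the inserted PII was disguised as Base64, tries to decode Base64-looking parameter values. The sample links and the `trusted.example` / `malicious.example` hosts are constructed; the parameter names beyond "url" and "redirect" are an assumed extension of the article's list.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# "url" and "redirect" come from the article; the rest are assumed common names.
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "next", "return", "goto", "dest", "target"}
# Path fragments the article names as redirect indicators.
PATH_HINTS = ("redirect", "external-link", "proxy")

_B64_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")


def decode_if_base64(value):
    """Return the printable UTF-8 text behind a base64/base64url value, else None."""
    if not _B64_RE.fullmatch(value):
        return None
    candidate = value.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)  # restore stripped padding
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def inspect_link(url):
    """Report the redirect indicators present in one URL."""
    parts = urlsplit(url)
    report = {
        "link": url,
        "landing_host": (parts.hostname or "").lower(),
        "final_host": None,
        # Decode first so "url=https%3A%2F%2F..." still counts as a second "https".
        "http_count": len(re.findall(r"https?", unquote(url).lower())),
        "redirect_params": [],
        "path_hints": [h for h in PATH_HINTS if h in parts.path.lower()],
        "decoded_values": {},
    }
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in REDIRECT_PARAMS:
            report["redirect_params"].append(key)
        embedded = urlsplit(value)
        if embedded.scheme in ("http", "https") or value.startswith("//"):
            report["final_host"] = (embedded.hostname or "").lower()
        decoded = decode_if_base64(value)
        # Only report decodings that look like an address or URL, not random bytes.
        if decoded is not None and ("@" in decoded or "http" in decoded.lower()):
            report["decoded_values"][key] = decoded
    report["redirect_suspect"] = bool(
        report["http_count"] > 1
        or report["redirect_params"]
        or report["path_hints"]
        or report["final_host"]
    )
    return report


# Constructed sample links; "dmljdGltQGV4YW1wbGUub3Jn" is base64 of victim@example.org.
SAMPLE_LINKS = [
    "https://trusted.example/redirect?url=https%3A%2F%2Fmalicious.example%2Flogin"
    "&u=dmljdGltQGV4YW1wbGUub3Jn",
    "https://trusted.example/account/settings?tab=security",
    "https://trusted.example/external-link/abc123",
]


def main():
    for link in SAMPLE_LINKS:
        r = inspect_link(link)
        flag = "SUSPECT" if r["redirect_suspect"] else "ok     "
        print(
            f"{flag} {r['landing_host']} -> {r['final_host'] or '-'} "
            f"http_count={r['http_count']} params={r['redirect_params']} "
            f"path={r['path_hints']} decoded={r['decoded_values']}"
        )


if __name__ == "__main__":
    main()
```

These are heuristics, not proof: a legitimate site can have a "redirect" path, and a phishing link can avoid every string on the list. Their value is that the report names the landing host and the embedded final host separately, which is exactly the distinction the "first domain name looks safe" trick relies on the reader not making.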