Maryland-based security firm Inky Security tracked attack activity related to the vulnerability from mid-May through mid-July. The phishing attack relies on a known open redirect vulnerability (CWE-601) and popular brand recognition to deceive and harvest credentials from unsuspecting Google Workspace and Microsoft 365 users. The attacks targeted unsecured sites from Snapchat and American Express. Snapchat-based attacks resulted in more than 6,800 attacks over a two-and-a-half-month period. The American Express-based attacks were much more effective, affecting over 2,000 users in just two days. The Snapchat-based emails drove users to fraudulent DocuSign, FedEx, and Microsoft sites to harvest user credentials. Snapchat’s open redirect vulnerability was initially identified by openbugbounty more than a year ago. Unfortunately, the exploit still appears to be unaddressed.

American Express appears to have remediated the vulnerability, which redirected users to an O365 login page similar to the one that the Snapchat-based attacks used.

This specific phishing attack uses three primary techniques: brand impersonation, credential harvesting, and hijacked accounts. Brand recognition relies on recognizable logos and trademarks to create a sense of trust with the potential victim leading to the user’s credentials being entered into and harvested from the fraudulent site. Once harvested, hackers can sell the stolen information to other criminals for profit or use the information to access and obtain the victim’s personal and financial information. Open redirect vulnerabilities don’t tend to get the same level of care and attention as other identified exploits. Additionally, most risk exposure is on the user rather than the site owner. The blog post provides additional background and guidance to help users stay safe and keep their data out of the wrong hands. These tips help users identify key terms and characters that may indicate if a redirect is occurring from a trusted domain.