Separate phishing campaigns targeting thousands of victims impersonate FedEx and Microsoft, among others, to trick victims.
# Incident Report: Widespread Phishing Exploiting Open Redirect Vulnerabilities
## Executive Summary
Researchers at INKY observed two large-scale phishing campaigns between mid-May and late July that abused open redirect vulnerabilities on legitimate, trusted domains (one on `snapchat[.]com`, one on `americanexpress[.]com`) to steer thousands of recipients to attacker-controlled pages. The emails impersonated major brands such as FedEx and Microsoft; the final pages harvested credentials and personally identifiable information (PII). The incident shows how an open redirect (CWE-601) lets an attacker borrow a trusted domain's reputation: the American Express flaw was patched shortly after the campaign using it began, while the Snapchat flaw was still open at the time of the report.
## Incident Details
- **Discovery Date:** Mid-May through late July (Observation period)
- **Incident Date:** Mid-May through late July
- **Affected Organization:** Recipients of the phishing emails (targeted organizations not disclosed). Snapchat and American Express were not the victims but the owners of the domains abused as redirectors.
- **Sector:** Technology, Financial Services, Logistics (via impersonation)
- **Geography:** Not specified; the campaigns were distributed by email.
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-May onwards.
- **Vector:** Phishing emails distributed via various hijacked accounts.
- **Details:** Attackers sent phishing emails impersonating FedEx, Microsoft, and DocuSign. These emails contained malicious links that exploited open redirect flaws (CWE-601) present on specific `snapchat[.]com` and `americanexpress[.]com` domains.
### Lateral Movement
- **Details:** Not applicable in the network sense. The attack chain was a multi-stage redirect: **phishing email $\rightarrow$ trusted domain (open redirect) $\rightarrow$ attacker landing page.** Victim PII was embedded in the redirect URL, encoded in Base64, so that the final landing page could be customized for the individual recipient.
### Data Exfiltration/Impact
- **Details:** The final malicious sites were designed to harvest user credentials and Personally Identifiable Information (PII). The Snapchat campaign alone generated 6,812 phishing emails using this vector.
### Detection & Response
- **How it was discovered:** Researchers from INKY observed and tracked the campaigns from mid-May through late July.
- **Response actions taken:** American Express patched its open redirect shortly after the campaign abusing it began. The Snapchat open redirect was reported on August 4, 2021, but remained unpatched at the time of the report.
## Attack Methodology
- **Initial Access:** Phishing emails using social engineering, exploiting open redirect vulnerabilities (CWE-601).
- **Persistence:** Not applicable to this specific vulnerability abuse method, as access relied on the victim clicking the redirected link.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Using well-reputed domains (e.g., `snapchat[.]com`, `americanexpress[.]com`) as the visible link target avoided immediate suspicion, because the leading part of the URL (the domain) appeared safe to both users and reputation-based filters. Base64 encoding obscured the PII embedded in the redirect parameter.
- **Credential Access:** Direct credential harvesting from the final malicious landing pages.
- **Discovery:** Attackers likely performed reconnaissance to identify domains susceptible to open redirect flaws.
- **Lateral Movement:** Not applicable; the multi-step redirect chain moved the victim between web hosts, not the attacker between systems.
- **Collection:** PII gathered via custom landing pages.
- **Exfiltration:** Not detailed, assumed credential/PII transmission from the final malicious site to the attacker's infrastructure.
- **Impact:** Credential theft and PII exposure for thousands of victims.
## Impact Assessment
- **Financial:** Not quantified, but loss of credentials and PII implies potential financial harm to victims.
- **Data Breach:** Credentials and Personally Identifiable Information (PII). **Scope:** 6,812 emails detected using the Snapchat redirect vulnerability alone.
- **Operational:** No direct operational impact on the exploited vendors (Snapchat, Amex), but the attack relied on their domain reputation.
- **Reputational:** Potential reputational harm to the impersonated brands (FedEx, Microsoft) and the exploited vendors (Snapchat, Amex).
## Indicators of Compromise
- **Network indicators:** URLs in which a trusted domain is followed by a redirect-style query parameter such as `url=`, `redirect=`, `external-link=`, or `proxy=`; URLs containing a second `http`/`https` scheme (the real destination nested in the query string), possibly percent-encoded; Base64-encoded PII in a redirect parameter.
- **File indicators:** Not specified (focus was on link redirection).
- **Behavioral indicators:** Users being unexpectedly redirected from a trusted site to a completely different, unknown domain after clicking a link.
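The indicators above can be turned into a simple link triage check. The following is an added example, not code from the INKY report or from either vendor: it parses a URL, flags redirect-style parameters (the names from the report plus a few common variants, which are an assumption), looks for a nested absolute or scheme-relative URL pointing to a different host, and applies a heuristic for Base64-encoded PII (a value that decodes to printable text containing `@`). All hostnames are reserved `.example` names and the sample links are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Parameter names from the report's indicators, plus a few common variants
# (the extras are an assumption; extend to taste).
REDIRECT_PARAMS = {"url", "redirect", "external-link", "proxy",
                   "next", "return", "goto", "target"}
# An absolute URL (with scheme) or a scheme-relative one (//host/...).
ABSOLUTE_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def looks_like_base64_pii(value: str) -> bool:
    """Heuristic for the Base64-encoded PII the report describes: the value
    decodes (after re-padding) to printable ASCII containing an '@'."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return text.isprintable() and "@" in text


def analyze_link(url: str) -> dict:
    """Return the hosts nested in the query string plus a list of findings.
    'suspicious' is set when the link would bounce to a different host."""
    outer = urlsplit(url)
    findings, nested_hosts = [], []
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded payloads
        if name.lower() in REDIRECT_PARAMS:
            findings.append(f"redirect-style parameter {name!r}")
        if ABSOLUTE_RE.match(value):
            inner = urlsplit(value)
            if inner.hostname and inner.hostname != outer.hostname:
                nested_hosts.append(inner.hostname)
                findings.append(f"{name!r} points off-site to {inner.hostname!r}")
            # The PII usually sits in the *inner* URL's own query string.
            for iname, ivalue in parse_qsl(inner.query, keep_blank_values=True):
                if looks_like_base64_pii(ivalue):
                    findings.append(f"Base64 address-like data in nested {iname!r}")
        elif looks_like_base64_pii(value):
            findings.append(f"Base64 address-like data in {name!r}")
    # The "multiple instances of http" indicator, counted after full decoding.
    schemes = len(re.findall(r"https?://", unquote(url), re.IGNORECASE))
    if schemes > 1:
        findings.append(f"{schemes} URL schemes in one link")
    return {"outer_host": outer.hostname, "nested_hosts": nested_hosts,
            "findings": findings,
            "suspicious": bool(nested_hosts) or schemes > 1}


# Constructed sample links (reserved .example hosts, made-up address).
_PII = base64.b64encode(b"user@example.com").decode()
SAMPLE_PHISH = ("https://trusted.example/go?url="
                + quote(f"https://phish.example/login?e={_PII}", safe=""))
SAMPLE_SCHEME_RELATIVE = "https://trusted.example/r?redirect=//phish.example/x"
SAMPLE_BENIGN = "https://trusted.example/help?article=12&url=%2Fsupport"

if __name__ == "__main__":
    for link in (SAMPLE_PHISH, SAMPLE_SCHEME_RELATIVE, SAMPLE_BENIGN):
        result = analyze_link(link)
        print("SUSPICIOUS" if result["suspicious"] else "ok       ", link)
        for finding in result["findings"]:
            print("   -", finding)
```

The benign sample shows why the parameter name alone is a weak signal: `url=/support` is a same-site path and is not flagged as suspicious, whereas the scheme-relative `//phish.example/x` is, even though the link contains only one literal `http`.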
## Response Actions
- **Containment measures:** The American Express vulnerability was contained via vendor patching.
- **Eradication steps:** For the Snapchat vector, eradication depends on the vendor fixing the redirect; on the email side, it depends on the providers of the hijacked sending accounts recovering or blocking them.
- **Recovery actions:** Not detailed, recovery focuses on victims resetting credentials and identity monitoring.
## Lessons Learned
- **Key Takeaways:** Open redirect vulnerabilities (CWE-601), despite often not causing direct data theft from the vulnerable site itself, pose a major risk by enabling highly convincing, multi-stage phishing attacks against users.
- **What could have been done better:** Domain operators must treat redirect implementation security with high priority, as reputation is easily weaponized.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Patching:** Fix all known open redirect flaws on owned domains promptly, validating the redirect target on the server rather than passing it through unchecked.
2. **Architecture Review:** Avoid implementing unnecessary redirection functionality entirely.
3. **Mitigation for Required Redirection:** If redirection is necessary, validate the target against an allowlist of approved destinations (same-site paths or named partner hosts) and fall back to a safe default for anything else.
4. **User Warning:** Display an external redirection disclaimer requiring explicit user affirmation before redirecting to a different domain.
5. **User Awareness:** Educate users to inspect URLs for redirection indicators like `url=` parameters or multiple `http` instances when clicking links originating from a trusted source.
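Recommendations 1, 3 and 4 above, shown side by side as an added example (not code from the report or from either vendor): the pass-through handler that produces a CWE-601 open redirect, an allowlist-based replacement, and an interstitial page for links that genuinely must leave the site. The allowlisted hosts are an assumption. The hardened check also covers the bypasses an attacker tries first: scheme-relative `//host`, backslash variants, `https:host` without slashes, userinfo tricks such as `trusted@phish`, look-alike subdomains, non-HTTP schemes, and CRLF header injection.

```python
import html
from urllib.parse import urlsplit

# Hosts this site may redirect to. Constructed for the example (assumption).
ALLOWED_HOSTS = frozenset({"trusted.example", "www.trusted.example"})


def vulnerable_redirect_target(requested: str) -> str:
    """The flaw the report describes (CWE-601): the ?url= value becomes the
    Location header unchecked, so https://trusted.example/go?url=https://phish.example/login
    bounces the victim off-site while the visible domain stays trusted."""
    return requested


def safe_redirect_target(requested: str, allowed_hosts=ALLOWED_HOSTS,
                         fallback: str = "/") -> str:
    """Allowlist redirect: accept a same-site absolute path or an http(s) URL
    whose host is on the allowlist; everything else collapses to `fallback`."""
    # Browsers treat backslashes as slashes: "/\phish.example" is "//phish.example".
    candidate = requested.strip().replace("\\", "/")
    # Control characters would let the value inject headers or confuse parsers.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a single-slash path on this site.
        return candidate if candidate.startswith("/") else fallback
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return fallback         # javascript:, data:, or "https:phish.example"
    if parts.username is not None or parts.password is not None:
        return fallback         # "https://trusted.example@phish.example/"
    if parts.hostname not in allowed_hosts:
        return fallback         # off-site, including "trusted.example.phish.example"
    return candidate


def external_link_interstitial(target: str) -> str:
    """Recommendation 4: no automatic redirect. Show the real destination and
    make the user click through. The target is HTML-escaped before insertion."""
    safe = html.escape(target, quote=True)
    return (
        "<!doctype html><title>Leaving this site</title>"
        f"<p>You are about to visit an external site: <code>{safe}</code></p>"
        f'<p><a href="{safe}" rel="noopener noreferrer">Continue</a> '
        '| <a href="/">Cancel</a></p>'
    )


if __name__ == "__main__":
    # Constructed probes a pentester would throw at a redirect endpoint.
    for probe in ("/settings?tab=1",
                  "https://www.trusted.example/account",
                  "https://phish.example/login",
                  "//phish.example/x",
                  "/\\phish.example",
                  "https:phish.example",
                  "https://trusted.example@phish.example/",
                  "https://trusted.example.phish.example/",
                  "javascript:alert(1)"):
        print(f"{probe!r:45} vulnerable -> {vulnerable_redirect_target(probe)!r:45} "
              f"safe -> {safe_redirect_target(probe)!r}")
```

Note that the allowlist is keyed on the parsed hostname, not on a string prefix: a prefix check such as `startswith("https://trusted.example")` is exactly what `https://trusted.example.phish.example/` and `https://trusted.example@phish.example/` are built to defeat.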