Cybercriminals abused Amex and Snapchat to target MS 365 users

August 11, 2022
Tags: Cybercrime, Brand Abuse, Amex, Snapchat, MS 365, Phishing, Social Media, Finance, Banking, Redirects

Threat actors have been abusing open redirects on the Amex and Snapchat websites as part of a phishing campaign targeting Microsoft 365 users. An open redirect is a website feature that lets anyone specify a redirect URL at will, so the trusted site can be used to forward traffic to an arbitrary destination.

Over three months, the threat actors were observed distributing phishing emails that abused the open redirects on the Snapchat and Amex websites. The trusted domains serve as a temporary landing page from which the target is redirected to the malicious website.

The adversaries also embed PII in the URL, which lets the operators personalise the malicious websites for each target. A researcher observed the americanexpress[.]com bug being exploited in slightly over 2,000 phishing emails and the snapchat[.]com flaw in nearly 7,000 instances.

The phishing emails corresponding to Snapchat spoofed FedEx, DocuSign, and Microsoft. All the open redirects led to Microsoft credential harvesting web pages. During the first stage of the attack, the American Express link went to Microsoft credential harvesting pages; however, Amex had already released a fix for the flaw.

Another researcher discovered a phishing kit abused by the hackers to complete these attacks against Amex and Snapchat.


The toolkit, called LogoKit, is a phishing tool that its operators have used in attacks against Office 365, GoDaddy, Virgin Fly, and Bank of America customers.


LogoKit can also be turned against numerous other international services and financial institutions.

Researchers still warn everyone about these attacks, even though website owners usually pay little attention to open redirects because they do not let adversaries extract data from the site itself.

However, victims suffer the most when these attacks proliferate, since there are troves of data a threat actor can obtain from a single operation. Personal information, account credentials, and money are all likely to be compromised, because most victims will assume the trusted site is redirecting them to an authentic landing page.

Experts encourage users to scrutinise these malicious URLs for sketchy domains or proxies to avoid falling victim to such scams. However, the most effective way to mitigate these scams is for domain owners not to implement this kind of redirection in their site's infrastructure at all.
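As an added illustration of the redirect pattern the article describes (not code from any of the sites named), the following shows the vulnerable handler beside a hardened one that only honours same-origin paths, plus a check a reviewer can run over a link's redirect parameter. The origin `example-site.test`, the parameter name `next` and the host `attacker.test` are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed origin for the example; stands in for any site that accepts a
# "next"/"return" style parameter. Not one of the sites named in the article.
SITE_ORIGIN = "https://example-site.test"

# A local path: exactly one leading slash (so no protocol-relative "//host" or
# "/\host" forms), and no whitespace (which could smuggle extra header lines).
_LOCAL_PATH = re.compile(r"/(?![/\\])\S*")


def open_redirect_target(next_param: str) -> str:
    """The vulnerable pattern: the user-supplied value becomes the Location header unchanged."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened pattern: honour only a relative path on this origin, otherwise fall back.

    Absolute URLs, scheme-relative URLs ("//host"), "///host" (which browsers
    resolve to another host), backslash variants and non-http schemes are all
    rejected, and the result is always rebuilt on SITE_ORIGIN.
    """
    fallback = urljoin(SITE_ORIGIN, default)
    if not next_param or not _LOCAL_PATH.fullmatch(next_param):
        return fallback
    if "\\" in next_param:
        return fallback
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        return fallback
    return urljoin(SITE_ORIGIN, next_param)


def redirect_param_offsite(link: str, param: str = "next") -> bool:
    """Link review helper: does the link's redirect parameter point to a host
    other than the link's own? True for the pattern the article describes
    (trusted domain in the link, attacker-controlled destination in the parameter)."""
    link_parts = urlparse(link)
    for target in parse_qs(link_parts.query).get(param, []):
        target_host = urlparse(target).netloc.lower()
        if target_host and target_host != link_parts.netloc.lower():
            return True
    return False
```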
