DevOps: Fix your dangerous redirects! Amex shows how

Richi Jennings
Blog Author

Richi Jennings, Independent industry analyst, editor, and content strategist. Read More...


Recent ‘LogoKit’ spear phishing campaigns have misused open redirect URLs in web apps from Snapchat and American Express. When alerted, Amex quickly fixed the hole, but Snap’s is still open after more than a year.

Many DevOps teams are still ignoring the danger of insecure redirector pages, which help phishing attacks look genuine. Even if it’s impractical to lock down a redirector, you can at least instrument it and alert on patterns that indicate an attack is under way: Then you can lock it down to avoid bad publicity—e.g., this story.

Be better netizens, DevOps teams. In this week’s Secure Software Blogwatch, we audit our URLs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ST:P vs. ST:TNG canon.

And Snap shows how not

What’s the craic? Sergiu Gatlan reports—“Snapchat, Amex sites abused in Microsoft 365 phishing attacks”:

Impersonated Microsoft, DocuSign, and FedEx
Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks. … Open redirects are web app weaknesses that allow threat actors to use the domains of trusted organizations and websites as temporary landing pages to simplify phishing attacks.

The Snapchat open redirect [and] the Amex open redirect … impersonated Microsoft, DocuSign, and FedEx and redirected the recipients to landing pages designed to harvest Microsoft [365] credentials.

Also, Mister Alessandro Mascellino adds more—“Hackers Exploit Open Redirect Vulnerabilities to Conduct LogoKit Phishing Campaigns”:

Sending the target’s email and password
Threat actors … leveraged Open Redirect Vulnerabilities in … highly trusted service domains like Snapchat … to create special URLs that then lead to malicious resources with phishing kits. … The tools used as part of these attacks were part of LogoKit, which was previously used in attacks against several financial institutions and online services.

Once the victim navigates to the URL, their email is then auto-filled in the email or username field, tricking them into believing they’ve logged into the service before. … Should the victim then enter their password, LogoKit then performs an AJAX request, sending the target's email and password to an external source, then finally redirecting the victim to their “legitimate” corporate website.

For example? Elizabeth Montalbano obliges—“Open Redirect Flaw”:

Malicious redirect
Open redirect is a security vulnerability that occurs when a website fails to validate user input, which allows bad actors to manipulate the URLs of domains from legitimate entities with good reputations to redirect victims to malicious sites, researchers said. The vulnerability is well known and tracked as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’).

An example of the malicious redirect … is: http://safe.com/redirect?url=http://malicious.com. The trusted domain [is,] in this case, American Express or Snapchat.

What should DevOps do? Inky discovered the campaign and suggests some ideas—“Phishers Bounce Lures Off Unprotected Snapchat, Amex Sites”:

Domain owners can prevent this abuse
Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer. The trusted domain … acts as a temporary landing page before the surfer is redirected to a malicious site … which may harvest credentials or distribute malware.

Perhaps websites don’t give open redirect vulnerabilities the attention they deserve because they don’t allow attackers to harm or steal data from the site. … The victims, however, may lose credentials, data, and possibly money.

Open Bug Bounty reported the Snapchat vulnerability to the company on Aug. 4, 2021. However, it remains unpatched.

Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture. If the redirection is necessary … then implementing an allowlist of approved safe links prevents bad actors from inputting malicious links. Domain owners can also present users with an external redirection disclaimer that requires user clicks before redirecting to external sites.

As did Resecurity, at least by suggesting what not to do—“The Phishing Kit Leveraging Open Redirect Vulnerabilities”:

Open Redirect vulnerabilities significantly facilitate LogoKit distribution
The kit identified is named LogoKit, which was previously used in attacks against the customers of Office 365, Bank of America, GoDaddy, Virgin Fly, and many other[s]. … LogoKit is known for its dynamic content generation using JavaScript – it is able to change logos (of the impersonated service) and text on the landing pages in real-time to adapt on the fly, by doing so the targeted victims are more likely to interact with the malicious resource.

Unfortunately the use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many (even popular) online-services don’t treat such bugs as critical. … In some cases [they] don’t even patch, leaving the open door for such abuse.

And don’t think 2FA/MFA will solve this. Sudeep Singh and Jagadeeswar Ramanukolanu explain—“AiTM phishing attack targeting enterprise users of Gmail”:

Should not be considered as a silver bullet
Beginning in mid-July 2022 … adversary-in-the-middle (AiTM) phishing attacks [were] targeted towards enterprise users of Gmail. … We identified multiple similarities between this campaign and the previous AiTM phishing campaign targeting users of Microsoft email services.

AiTM phishing kits can be used to target various websites and bypass multi-factor authentication. … These phishing emails were sent to chief executives and other senior members of the targeted organizations in the US. In some cases, the emails were also sent to the executive assistants of the CEOs and CFOs.

It is important to understand that such attacks are not limited to only Microsoft and Gmail enterprise users. An attacker can bypass multi-factor authentication protection on many different services using this method. … Even though security features such as … MFA add an extra layer of security, they should not be considered as a silver bullet.

But Neatfeatguy prefers to blame the victims:

Holy **** people are ****ing stupid. … Don't just click on stuff, people. I'd say use your brain and be smart about it, but clearly many of you aren't and you probably shouldn't be using the internet.

Is that entirely fair? Ryan McCurdy thinks not:

The main reason that phishing scams are so convincing is that they often mimic the look of a brand or a credible person down to a very fine detail. To make matters worse, they prey on human action bias, with a call to action stating that attention must be taken right now.

Meanwhile Uncle Al knows the only way to be sure:

Public executions of hackers, scammers, etc. would go a long way towards ending the problem. … Eliminate them, one at a time = no repeat offenders.

Think that's too harsh? Tell that to the person that has had their entire life savings stolen and now lives on the street without healthcare, proper food, or a place to safely sleep each night.

And Finally:

Canon portals


Previously in And finally

You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Mark König (via Unsplash; leveled and cropped)