Microsoft, FedEx, and other brands were impersonated in separate phishing campaigns between mid-May and late July that exploited open redirect vulnerabilities in Snapchat and American Express domains to steal credentials and personally identifiable information (PII), reports Threatpost.
Attackers behind the campaign abusing the snapchat[.]com open redirect sent 6,812 phishing emails, while those leveraging the americanexpress[.]com flaw delivered 2,029, according to a report from INKY. Both campaigns combined social engineering with the open redirect: the link in the email points at the trusted domain, which then forwards the victim to the attacker's page, and the victim's PII was inserted into URLs that appear legitimate.
"This insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters. We inserted our own random characters into these strings so that the casual observer would not be able to reverse engineer the PII strings," wrote INKY researcher Roger Kay.
Both campaigns ultimately led to Microsoft credential-harvesting sites. According to the researchers, American Express has since fixed its open redirect, while Snapchat had not at the time of the report.
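As an added illustration (not INKY's tooling or code from the article), the Python below shows both sides of the pattern described above: a triage function that flags a link whose query string carries a full URL to a different host (the open-redirect hop), decodes any long Base64 token in the forwarded URL to recover embedded PII, and the allowlist check a redirect endpoint should apply so it cannot be abused this way. The hostnames (trusted.example, phish.example), the redirect parameter names and the sample email address are constructed for the example; the article does not name the parameters used on the real domains.

```python
"""Triage open-redirect phishing links and decode Base64-wrapped PII.

Added example, not code from INKY or Threatpost. All hosts, parameter
names and the sample address below are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Parameter names commonly used by redirect endpoints (assumption; the
# article does not say which parameters the abused endpoints accept).
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "return", "target", "u")

# Hosts this (hypothetical) site is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"trusted.example", "accounts.trusted.example"}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def find_redirect_target(url):
    """Return (param, target_url) if a query parameter carries an absolute or
    scheme-relative URL whose host differs from the link's own host."""
    parts = urlsplit(url)
    link_host = (parts.hostname or "").lower()
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value
            if value.lower().startswith(("http://", "https://", "//")):
                target_host = (urlsplit(value).hostname or "").lower()
                if target_host and target_host != link_host:
                    return name, value
    return None


def decode_b64_tokens(text):
    """Base64-decode every long token in text and keep those that decode to
    something containing an e-mail address (the PII the campaigns embedded)."""
    found = []
    for token in B64_TOKEN_RE.findall(text):
        padded = token + "=" * (-len(token) % 4)
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                raw = decoder(padded)
            except (binascii.Error, ValueError):
                continue
            if EMAIL_RE.search(raw):
                found.append(raw.decode("utf-8", "replace"))
                break
    return found


def analyze(url):
    """Summarise where a link really goes and what PII rides along in it."""
    report = {"link_host": urlsplit(url).hostname, "redirect_param": None,
              "final_host": None, "pii": []}
    hop = find_redirect_target(url)
    if hop:
        param, target = hop
        report["redirect_param"] = param
        report["final_host"] = urlsplit(target).hostname
        report["pii"] = decode_b64_tokens(target)
    return report


def safe_redirect_target(requested, default="/"):
    """Server-side check a redirect endpoint should perform: honour only
    same-site relative paths or hosts on an explicit allowlist."""
    parts = urlsplit(requested)
    if (parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")
            and not parts.path.startswith("//") and "\\" not in parts.path):
        return requested
    if parts.scheme in ("http", "https") and (parts.hostname or "").lower() in ALLOWED_REDIRECT_HOSTS:
        return requested
    return default


# Constructed sample: a trusted-looking link whose "url" parameter forwards
# to a phishing page carrying the victim's Base64-encoded e-mail address.
PHISH_TARGET = "https://phish.example/auth/?id=" + base64.b64encode(b"victim@corp.example").decode()
SAMPLE_PHISH_URL = "https://trusted.example/redirect?url=" + quote(PHISH_TARGET, safe="")
SAMPLE_BENIGN_URL = "https://trusted.example/redirect?url=%2Faccount%2Fsettings"

if __name__ == "__main__":
    print(analyze(SAMPLE_PHISH_URL))
    print(analyze(SAMPLE_BENIGN_URL))
    print(safe_redirect_target(PHISH_TARGET))
```

`analyze()` reports the apparent host, the parameter that carries the hop, the real destination and any decoded PII; `safe_redirect_target()` is the fix the vulnerable endpoint needs, falling back to a local path whenever the requested destination is off-site or scheme-relative.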