Hackers target unsecured Amex and Snapchat sites to steal user data

Jimmy2x

Posts: 116   +8
Staff
Why it matters: An email-focused security firm released a blog post detailing a phishing attack targeting unsecured American Express and Snapchat sites. The identified exploit uses a known open redirect vulnerability that allows threat actors to specify a redirect URL, driving traffic to fraudulent sites designed to steal user information.

Maryland-based security firm Inky Security tracked attack activity related to the vulnerability from mid-May through mid-July. The phishing attack relies on a known open redirect vulnerability (CWE-601) and popular brand recognition to deceive and harvest credentials from unsuspecting Google Workspace and Microsoft 365 users.

The attacks targeted unsecured sites from Snapchat and American Express. Snapchat-based attacks resulted in more than 6,800 attacks over a two-and-a-half-month period. The American Express-based attacks were much more effective, affecting over 2,000 users in just two days.

The Snapchat-based emails drove users to fraudulent DocuSign, FedEx, and Microsoft sites to harvest user credentials. Snapchat's open redirect vulnerability was initially identified by openbugbounty more than a year ago. Unfortunately, the exploit still appears to be unaddressed.

American Express appears to have remediated the vulnerability, which redirected users to an O365 login page similar to the one that the Snapchat-based attacks used.

This specific phishing attack uses three primary techniques: brand impersonation, credential harvesting, and hijacked accounts. Brand recognition relies on recognizable logos and trademarks to create a sense of trust with the potential victim leading to the user's credentials being entered into and harvested from the fraudulent site. Once harvested, hackers can sell the stolen information to other criminals for profit or use the information to access and obtain the victim's personal and financial information.

Open redirect vulnerabilities don't tend to get the same level of care and attention as other identified exploits. Additionally, most risk exposure is on the user rather than the site owner. The blog post provides additional background and guidance to help users stay safe and keep their data out of the wrong hands. These tips help users identify key terms and characters that may indicate if a redirect is occurring from a trusted domain.

Permalink to story.

 

Neatfeatguy

Posts: 927   +1,607
Holy crap people are f'ing stupid.

I recently had an email from Discovery+ saying my payment was going to expire (got a new bank card, didn't update my payment, it slipped my mind). The email has a link to click.

The email address that the email came from looked legit, but instead of clicking on the link I pulled up discovery's actually website, logged into my account and changed my payment subscription info there.

Don't just click on stuff, people. I'd say use your brain and be smart about it, but clearly many of you aren't and you probably shouldn't be using the internet, email or any kind of electronic payment. I'd say go back to using cash and checks, but now that I think about it....
A lot of people don't know how to count, so handing out cash might be overwhelming because they won't know what bills/coins to use. Oh man...coins! I forgot about them. Some people don't know how to add up coins....then they probably wouldn't be able to confirm they've been give the correct change back.

Okay, that's okay, we can fall back to using checks.
But, there are probably a lot of people that don't even know what a check is or how to write one out. Even if they did figure out how to write a check. When you write a check you need to balance your checkbook. Damn, that falls back to being able to count and do basic math and a lot of people aren't good at that. I guess you could forego balancing your checkbook, but you'll be playing a dangerous game of overdrafting your checking account. So, checks might work.

Dang it! I forgot that paying bills with a check requires you to mail them out. I bet you that a lot of them wouldn't even know how to address an envelope to send it out in the mail.....man, they probably don't even know stuff going into the mail requires postage!

Oh geez! These people are screwed no matter what they do!
 

Uncle Al

Posts: 9,072   +8,104
Public execution's of hackers, scammers, etc. would go a long way towards ending the problem. Won't stop some from trying but it will eliminate them, one at a time = no repeat offenders. Think that's too harsh? Tell that to the person that has had their entire life savings stolen and now lives on the street without healthcare, proper food, or a place to safely sleep each night.
 

Hodor

Posts: 113   +67
Public execution's of hackers, scammers, etc. would go a long way towards ending the problem. Won't stop some from trying but it will eliminate them, one at a time = no repeat offenders. Think that's too harsh? Tell that to the person that has had their entire life savings stolen and now lives on the street without healthcare, proper food, or a place to safely sleep each night.


But since many of them work for the governments (including the US), or for large IT corporations that want to cripple or humiliate competitors...... such a law would be impossible to pass.

As one research in the past has shown, most of the spam received from Russian and North Korean addresses was actually (after many in-between steps) coming from US servers. But the US govt never penalized groups that were spamming and scamming the entire world. Why? You have one guess.
 

kiwigraeme

Posts: 1,195   +871
Public execution's of hackers, scammers, etc. would go a long way towards ending the problem. Won't stop some from trying but it will eliminate them, one at a time = no repeat offenders. Think that's too harsh? Tell that to the person that has had their entire life savings stolen and now lives on the street without healthcare, proper food, or a place to safely sleep each night.

Always consistent to a T - our resident hanging judge .
I was thinking about crime today - we have spate of young people doing ramraids in NZ .

Apparently here in NZ they claim number of offenders down - however those that crime are more persistent . Ie is there are more career criminals

so my take - decriminalize most drugs , soliciting etc . So police can concentrate on these career/gang criminals - taking away drugs, prostitution etc helps defund a lot of their easy money

As stated above educate people not click on unsolicited links ( ie unlike click this link to prove email address - 10 seconds after registration )
Search for phone number to confirm bank details for bank payments - assume the invoice is a man in the middle etc

The problem is putting pressure on countries harbouring these crims - some of it is state sponsored to boot

The right Crime pays and pays very well - we have to make it less profitable .
The problem is companies have a tolerance of acceptable crime cost - I've always thought this a wrong strategy - now it's harder to stop - as criminals have been feeding for along time - eg Visa fraud
Blockchain etc could help , new security measures coming by MS/ Google /Apple etc .
For the conspiracy people - having every financial transaction traceable to a person will cause them sleepless nights - maybe some anonymity can be built in - needing a court order .
Money Laundering is becoming harder - as countries bring in requirement for say car dealers to get ID and report large cash transactions .
Still sophisticated gangs will thrive - at least have the cops not wasting time on people smoking grass etc ( I don't do drugs - I hardly drink - have 3 or 4 HQ bottles of spirit gifted me sitting unopened - like expensive single malt )
Problem is there are some serious vulnerable people - go buy 200 apple gift cards - say what ??
 

Hotlynx16

Posts: 52   +11
Holy crap people are f'ing stupid.

I recently had an email from Discovery+ saying my payment was going to expire (got a new bank card, didn't update my payment, it slipped my mind). The email has a link to click.

The email address that the email came from looked legit, but instead of clicking on the link I pulled up discovery's actually website, logged into my account and changed my payment subscription info there.

Don't just click on stuff, people. I'd say use your brain and be smart about it, but clearly many of you aren't and you probably shouldn't be using the internet, email or any kind of electronic payment. I'd say go back to using cash and checks, but now that I think about it....
A lot of people don't know how to count, so handing out cash might be overwhelming because they won't know what bills/coins to use. Oh man...coins! I forgot about them. Some people don't know how to add up coins....then they probably wouldn't be able to confirm they've been give the correct change back.

Okay, that's okay, we can fall back to using checks.
But, there are probably a lot of people that don't even know what a check is or how to write one out. Even if they did figure out how to write a check. When you write a check you need to balance your checkbook. Damn, that falls back to being able to count and do basic math and a lot of people aren't good at that. I guess you could forego balancing your checkbook, but you'll be playing a dangerous game of overdrafting your checking account. So, checks might work.

Dang it! I forgot that paying bills with a check requires you to mail them out. I bet you that a lot of them wouldn't even know how to address an envelope to send it out in the mail.....man, they probably don't even know stuff going into the mail requires postage!

Oh geez! These people are screwed no matter what they do!
I still have one bill that requires a check or money order,life insurance of all things!! I get it on the 15th and they want it sent by the 20th,AGGR!
 

kiwigraeme

Posts: 1,195   +871
I still have one bill that requires a check or money order,life insurance of all things!! I get it on the 15th and they want it sent by the 20th,AGGR!
In NZ checks are now pretty much finished -maybe can still get bank cheques .
From info I have USA cheques were not that secure - something to do with a number associated with each cheque ( correct spelling :) ) .
Plus a lot of people get scammed on bank/ebay "deposits"- I think Ebay you don't have money until certain time - best safety is to take it .
Check you bank Sir - the money is deposited - if you really check the transaction it shows deposited but not yet in available funds.

Hey can you give me $100 cash - give in your bank account and I show you my transfer - says the scammer
 

bviktor

Posts: 952   +1,394
But since many of them work for the governments (including the US), or for large IT corporations that want to cripple or humiliate competitors...... such a law would be impossible to pass.

As one research in the past has shown, most of the spam received from Russian and North Korean addresses was actually (after many in-between steps) coming from US servers. But the US govt never penalized groups that were spamming and scamming the entire world. Why? You have one guess.
No, the US government doesn't deploy hackers to scam citizens. Take down your tin foil hat.