Cyber crooks swipe credentials with sneaky phishing via HTTP headers

September 17, 2024



TLDR:

  • Cybercriminals are using HTTP headers to deliver spoofed email login pages and steal credentials.
  • The phishing attacks target large corporations in South Korea, government agencies, and schools in the U.S.

Cybersecurity researchers have observed ongoing phishing campaigns that exploit refresh entries in HTTP headers for credential theft. These attacks use response headers to automatically redirect users to spoofed email login pages, increasing the likelihood of successful credential theft. The phishing attempts target large corporations in South Korea, government agencies, and schools in the U.S., with over 2,000 malicious URLs associated with the campaigns. Phishing and business email compromise (BEC) attacks continue to be a prominent pathway for adversaries, costing organizations billions of dollars. Additionally, threat actors are leveraging deepfake videos and legitimate domains to advance their malicious activities.

Full Article:

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages designed to harvest users’ credentials. Unlike phishing pages that are distributed through HTML content, these attacks use the response header sent by the server, which the browser processes before it parses any HTML. The malicious link causes the browser to refresh or reload the page immediately and automatically, without any user interaction. Targets of the large-scale activity, observed between May and July 2024, include large corporations in South Korea, as well as government agencies and schools in the U.S. As many as 2,000 malicious URLs have been associated with the campaigns. Over 36% of the attacks have singled out the business-and-economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computer and internet (5.4%). The attacks are the latest in a long list of tactics that threat actors have employed to obfuscate their intent and trick email recipients into parting with sensitive information, including taking advantage of trending top-level domains (TLDs) and domain names to propagate phishing and redirection attacks.

The infection chains are characterized by the delivery of malicious links through header refresh URLs that contain the targeted recipients’ email addresses. The URL to which the browser is redirected is embedded in the Refresh response header. The starting point of the infection chain is an email message containing a link that mimics a legitimate or compromised domain; when clicked, it triggers the redirection to the actor-controlled credential harvesting page. To lend the phishing attempt a veneer of legitimacy, the malicious webmail login pages have the recipients’ email addresses pre-filled. Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services. These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets.
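As an added example (not code from the article or from the researchers it cites), the following Python checks a server's response headers for the pattern described above: a Refresh header that immediately sends the browser to a different domain, with the recipient's email address embedded in the redirect URL. The header values, hostnames and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Matches an email address once URL-encoding has been removed.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_refresh(value):
    """Parse a Refresh header value such as '0; url=https://...' into (delay, url).

    Returns None when the delay is not an integer (malformed header)."""
    parts = value.split(";", 1)
    try:
        delay = int(parts[0].strip())
    except ValueError:
        return None
    url = ""
    if len(parts) == 2:
        rest = parts[1].strip()
        if rest.lower().startswith("url="):
            rest = rest[4:].strip()
        url = rest.strip("'\"")  # some servers quote the URL
    return delay, url


def assess_refresh(request_host, headers):
    """Return the reasons a response's Refresh header looks like a header-refresh
    phishing redirect; an empty list means nothing suspicious was seen.

    request_host: host the client requested; headers: dict of lower-cased
    header name -> value."""
    reasons = []
    value = headers.get("refresh")
    if value is None:
        return reasons
    parsed = parse_refresh(value)
    if parsed is None:
        return reasons
    delay, url = parsed
    target = urlparse(url)
    if target.netloc and target.netloc.lower() != request_host.lower():
        reasons.append("cross-domain redirect to %s" % target.netloc)
    if delay == 0:
        reasons.append("immediate refresh (delay 0)")
    if EMAIL_RE.search(unquote(url)):
        reasons.append("recipient email address embedded in redirect URL")
    return reasons


# Constructed sample: a shortener-style host answering with a Refresh header.
SAMPLE_HEADERS = {
    "content-type": "text/html",
    "refresh": "0; url=https://login.example-evil.test/?e=victim%40corp.example",
}
```

Run `assess_refresh("shortener.example", SAMPLE_HEADERS)` against a captured response to see all three indicators; a same-origin `Refresh: 30; url=/status` produces none.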

Phishing and business email compromise (BEC) continue to be a prominent pathway for adversaries looking to siphon information and perform financially motivated attacks. BEC attacks have cost U.S. and international organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 scam incidents reported during the same time period, according to the U.S. Federal Bureau of Investigation (FBI). The development comes amid “dozens of scam campaigns” that have leveraged deepfake videos featuring public figures, CEOs, news anchors, and top government officials to promote bogus investment schemes such as Quantum AI since at least July 2023.

