Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users’ credentials.

“Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content,” Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang said.

“Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.”

Targets of the large-scale activity, observed between May and July 2024, include large corporations in South Korea, as well as government agencies and schools in the U.S. As many as 2,000 malicious URLs have been associated with the campaigns.

Over 36% of the attacks have singled out the business-and-economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computer and internet (5.4%).

The attacks are the latest in a long list of tactics that threat actors have employed to obfuscate their intent and trick email recipients into parting with sensitive information, including taking advantage of trending top-level domains (TLDs) and domain names to propagate phishing and redirection attacks.

The infection chains are characterized by the delivery of malicious links through header refresh URLs containing targeted recipients’ email addresses. The URL to which the browser is redirected is embedded in the Refresh response header.

The starting point of the infection chain is an email message containing a link that mimics a legitimate or compromised domain that, when clicked, triggers the redirection to the actor-controlled credential harvesting page.

To lend the phishing attempt a veneer of legitimacy, the malicious webmail login pages have the recipients’ email addresses pre-filled. Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services.
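The header-level redirect described above can be spotted on the wire without rendering any HTML, because the Refresh header arrives before the body. The following detector is an added example written for this article and is not code from Unit 42 or Palo Alto Networks; every hostname and address in the sample responses is constructed, and the hostname-based "cross-domain" check is a simplification of what a production proxy or web gateway would do.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample HTTP responses: hostnames and addresses are invented for
# this example and are not observed indicators.
SAMPLE_RESPONSES = [
    {   # shortener-style host that immediately redirects off-site with the
        # recipient's address carried in the URL (the pattern in the report)
        "requested_host": "click.shortener.test",
        "headers": {"Content-Type": "text/html",
                    "Refresh": "0; url=https://mail-login.example-evil.test/?user=alice%40corp.test"},
    },
    {   # ordinary same-site refresh after a few seconds
        "requested_host": "www.example-legit.test",
        "headers": {"Content-Type": "text/html",
                    "Refresh": "5; url=https://www.example-legit.test/home"},
    },
    {   # immediate off-site redirect, quoted URL, no address embedded
        "requested_host": "cdn.example.test",
        "headers": {"content-type": "text/html",
                    "refresh": "0;URL='https://portal.example-evil.test/login'"},
    },
    {   # no Refresh header at all
        "requested_host": "www.example-legit.test",
        "headers": {"Content-Type": "text/html"},
    },
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_refresh(value):
    """Parse a Refresh value ("<delay>; url=<target>") into (delay, url).
    Browsers are lenient about case, spacing and quoting, so the parser is too.
    Returns None when the value is not a refresh directive at all."""
    delay_part, _, rest = value.partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        return None
    url = ""
    rest = rest.strip()
    if rest.lower().startswith("url"):
        rest = rest[3:].lstrip()
        if rest.startswith("="):
            url = rest[1:].strip().strip("'\"")
    return delay, url


def assess_refresh(requested_host, headers):
    """Inspect one response's headers for a header-level refresh redirect and
    return the parsed target plus a list of findings."""
    value = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
    if value is None:
        return {"has_refresh": False, "target_host": None, "findings": []}
    parsed = parse_refresh(value)
    if parsed is None:
        return {"has_refresh": True, "target_host": None,
                "findings": ["unparseable Refresh value"]}
    delay, url = parsed
    target_host = (urlparse(url).hostname or "").lower() if url else None
    findings = []
    if url and delay == 0:
        findings.append("immediate redirect (delay 0)")
    # Plain hostname comparison is a simplification; comparing registrable
    # domains would be stricter in production.
    if target_host and target_host != requested_host.lower():
        findings.append(f"cross-domain redirect to {target_host}")
    # Decode percent-encoding first so "alice%40corp.test" is recognised.
    if url and EMAIL_RE.search(unquote(url)):
        findings.append("email address embedded in redirect URL")
    return {"has_refresh": True, "target_host": target_host, "findings": findings}


def severity(result):
    """'high' for an off-site redirect carrying an address, 'medium' for an
    immediate off-site redirect, 'low' for any other refresh, 'none' if absent."""
    f = result["findings"]
    cross = any(x.startswith("cross-domain") for x in f)
    if cross and "email address embedded in redirect URL" in f:
        return "high"
    if cross and "immediate redirect (delay 0)" in f:
        return "medium"
    return "low" if result["has_refresh"] else "none"


def triage(responses):
    """Score each response; returns (requested_host, severity, target_host)."""
    out = []
    for r in responses:
        res = assess_refresh(r["requested_host"], r["headers"])
        out.append((r["requested_host"], severity(res), res["target_host"]))
    return out


if __name__ == "__main__":
    for host, sev, target in triage(SAMPLE_RESPONSES):
        print(f"{sev:6} {host} -> {target}")
```

Run against proxy or gateway logs that record response headers, the "high" bucket isolates exactly the combination the researchers describe: a refresh issued by the server before any HTML, pointing off-site, with the victim's address already in the URL so the landing page can pre-fill it.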

“By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft,” the researchers said.

“These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets.”

Phishing and business email compromise (BEC) continue to be a prominent pathway for adversaries looking to siphon information and perform financially motivated attacks.

BEC attacks have cost U.S. and international organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 scam incidents reported during the same time period, according to the U.S. Federal Bureau of Investigation (FBI).

The development comes amid “dozens of scam campaigns” that have leveraged deepfake videos featuring public figures, CEOs, news anchors, and top government officials to promote bogus investment schemes such as Quantum AI since at least July 2023.

These campaigns are propagated via posts and ads on various social media platforms, directing users to phony web pages that prompt them to fill out a form in order to sign up, after which a scammer contacts them via a phone call and asks them to pay an initial fee of $250 in order to access the service.

“The scammer instructs the victim to download a special app so that they can ‘invest’ more of their funds,” Unit 42 researchers said. “Within the app, a dashboard appears to show small profits.”

“Finally, when the victim tries to withdraw their funds, the scammers either demand withdrawal fees or cite some other reason (e.g., tax issues) for not being able to get their funds back.

“The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to have lost the majority of the money that they put into the ‘platform.’”

It also follows the discovery of a stealthy threat actor that presents itself as a legitimate enterprise and has been advertising automated CAPTCHA-solving services at scale to other cybercriminals and helping them infiltrate IT networks.

Dubbed Greasy Opal by Arkose Labs, the Czech Republic-based “cyber attack enablement business” is believed to have been operational since 2009, offering customers a toolkit of sorts for credential stuffing, mass fake account creation, browser automation, and social media spam at a price point of $190 plus an additional $10 for a monthly subscription.

The product portfolio runs the cybercrime gamut, allowing the group to develop a sophisticated business model by packaging several services together. The entity’s revenues for 2023 alone are said to be no less than $1.7 million.

“Greasy Opal employs cutting-edge OCR technology to effectively analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion,” the fraud prevention company noted in a recent analysis. “The service develops machine-learning algorithms trained on extensive datasets of images.”

One of its users is Storm-1152, a Vietnamese cybercrime group that was previously identified by Microsoft as selling 750 million fraudulent Microsoft accounts and tools through a network of bogus websites and social media pages to other criminal actors.

“Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery,” Arkose Labs said.

“This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream.”
