Malefactors Utilize HTTP Headers for Credential Theft through Wide-Scale Phishing Offensives

Cybersecurity analysts have cautioned about continuous phishing initiatives that exploit fresh entries in HTTP headers to send counterfeit email login pages meant to gather users’ login details.


“In contrast to alternative phishing webpage delivery methods using HTML content, these assaults leverage the server’s response header, which is transmitted before the processing of HTML content,” said Yu Zhang, Zeyu You, and Wei Wang, researchers at Palo Alto Networks Unit 42.

“Harmful links prompt the browser to automatically refresh or reload a web page instantly, devoid of any user intervention.”

The targets of these extensive operations, noted between May and July 2024, encompass major enterprises in South Korea alongside governmental bodies and schools in the U.S. A total of 2,000 malicious URLs have been linked with these campaigns.

More than one-third of the attacks have been directed towards the business sector, with financial services, government agencies, health institutions, and computer-related entities following behind.


These attacks add to an extensive range of strategies that malevolent actors have utilized to veil their motives and deceive email recipients into revealing sensitive data, including capitalizing on popular top-level domains (TLDs) and domain names for spreading phishing and redirection campaigns.

The infection chains deliver the malicious links through refresh-header URLs that carry the targeted recipients’ email addresses; the redirect destination itself is embedded in the Refresh response header.

The starting point of this chain is an email containing a link that mimics a genuine or compromised domain; once clicked, it triggers redirection to the actor’s controlled page for harvesting credentials.

In an attempt to make the phishing endeavor seem authentic, the malefactors pre-fill the malicious webmail login pages with the users’ email addresses. They have also resorted to leveraging legitimate domains that provide URL shortening, tracking, and campaign promotion services.
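The pattern described above (a Refresh response header that fires with no delay, sends the browser to a different domain, and carries the recipient's email address in the URL) can be checked for in proxy, sandbox or mail-gateway output. The following is an added example, not Unit 42's code; the sample response, the hostnames and the `assess_response`/`parse_refresh` names are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample response (not captured from the campaigns).
SAMPLE_PHISH = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 0; url=https://webmail-login.example.invalid/?user=jane.doe%40corp.example\r\n"
    "\r\n<html></html>"
)

def parse_refresh(value):
    """Parse a Refresh header value such as '0; url=https://...' into (delay, url)."""
    delay, _, rest = value.partition(";")
    try:
        delay = int(delay.strip())
    except ValueError:
        return None
    m = re.match(r"\s*url\s*=\s*['\"]?([^'\"]+)", rest, re.IGNORECASE)
    return (delay, m.group(1).strip()) if m else None

def assess_response(raw_response, request_host):
    """Return findings for a response whose Refresh header redirects the
    browser before any HTML body is rendered. Empty list means nothing flagged."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, val = line.partition(":")       # split at the first ':' only
        headers[name.strip().lower()] = val.strip()
    if "refresh" not in headers:
        return []
    parsed = parse_refresh(headers["refresh"])
    if parsed is None:
        return ["malformed Refresh header"]
    delay, url = parsed
    target = urlparse(url)
    findings = []
    if delay == 0:
        findings.append("zero-delay refresh (no user interaction)")
    if target.netloc and target.netloc.lower() != request_host.lower():
        findings.append(f"cross-domain redirect to {target.netloc}")
    # The campaigns embed the recipient's address to pre-fill the fake login page.
    if EMAIL_RE.search(unquote(url)):
        findings.append("email address embedded in redirect URL")
    return findings
```

A single finding on its own (a zero-delay refresh, say) is common on legitimate sites; the combination of all three is what makes a response worth escalating.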

“By adeptly imitating legitimate domains and leading victims to official sites, attackers are able to cam… (truncated)
