
Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

Cybersecurity experts have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver counterfeit email login pages aimed at stealing victims' credentials.

"Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang explained.

"Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction."

Targets of the wide-scale activity, observed between May and July 2024, include large enterprises in South Korea, as well as government entities and colleges in the U.S. As many as 2,000 malicious URLs have been linked to the operations.

Over 36% of the attacks have targeted the business-and-economy sector, followed by financial services (12.9%), government (6.9%), health and medical (5.7%), and computer and internet (5.4%).

The attacks are the latest in a long list of tactics that threat actors have employed to obfuscate their intent and trick email recipients into parting with sensitive information, including taking advantage of trending top-level domains (TLDs) and domain names to propagate phishing and redirection attacks.

The infection chains are characterized by the distribution of malicious links via header refresh URLs that include the targeted recipients' email addresses. The URL to which the browser is redirected is carried in the Refresh response header.

The initial point of the infection chain is an email message containing a link that resembles a legitimate or compromised domain and that, when clicked, redirects to the actor-controlled credential harvesting website.

To lend the phishing attempt a veneer of legitimacy, the fraudulent webmail login pages come with the targets' email addresses pre-filled. Attackers have also been seen abusing legitimate websites that provide URL shortening, tracking, and campaign marketing services.
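As an added illustration (not part of the original report or of Unit 42's tooling), the following Python snippet shows how a proxy or mail-security gateway could flag the pattern described above: a `Refresh` response header that sends the browser off-site with no delay and carries a recipient's email address in the target URL. The response bytes and the hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample response: the server answers with a Refresh header that
# redirects to a different (hypothetical) host and embeds the recipient's address.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 0; url=https://login-portal.example/auth?user=alice%40corp.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_headers(raw):
    """Split a raw HTTP response into a {lowercased-name: [values]} dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)    # split on the first colon only
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_refresh(value):
    """Parse '<delay>; url=<target>'; return (delay, url-or-None) or None."""
    m = re.match(r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*(.+))?$", value, re.IGNORECASE)
    if not m:
        return None
    url = m.group(2).strip().strip("'\"") if m.group(2) else None
    return int(m.group(1)), url


def analyze_response(raw, requested_host):
    """Return a list of finding tags for Refresh-header redirects worth alerting on."""
    findings = []
    for value in parse_headers(raw).get("refresh", []):
        parsed = parse_refresh(value)
        if not parsed or not parsed[1]:
            continue
        delay, url = parsed
        target_host = (urlsplit(url).hostname or "").lower()
        emails = EMAIL_RE.findall(unquote(url))   # decode %40 etc. before matching
        if target_host and target_host != requested_host.lower():
            findings.append("refresh-offsite:" + target_host)
        if emails:
            findings.append("refresh-embeds-email:" + emails[0])
        if delay == 0:
            findings.append("refresh-immediate")
    return findings
```

A same-site refresh with a non-zero delay (for example `Refresh: 5; url=/status`) produces no findings, so the check does not fire on ordinary status-page reloads.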

"By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft," the researchers concluded.

"These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets."

Phishing and business email compromise (BEC) continue to be a significant vector for attackers aiming to extract information and carry out financially motivated attacks.

BEC assaults have cost U.S. and foreign organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 scam occurrences registered over the same time period, according to the U.S. Federal Bureau of Investigation (FBI).

The finding comes amid "dozens of scam campaigns" that have utilized deepfake videos starring prominent personalities, CEOs, TV anchors, and high government officials to promote phony investment schemes such as Quantum AI since at least July 2023.

These campaigns are propagated via posts and ads on various social media platforms, directing users to phony web pages that prompt them to fill out a form in order to sign up, after which a scammer contacts them via a phone call and asks them to pay an initial fee of $250 in order to access the service.

"The scammer instructs the victim to download a special app so that they can 'invest' more of their funds," Unit 42 researchers stated. "Within the app, a dashboard appears to show small profits."

"Finally, when the victim wants to withdraw their monies, the fraudsters either demand withdrawal fees or allege some other reason (e.g., tax concerns) for not being able to receive their funds back.

"The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to have lost the majority of the money that they put into the 'platform.'"

It also follows the revelation of a stealthy threat actor that poses as a legitimate firm and has been offering automated CAPTCHA-solving services at scale to other hackers, helping them breach IT networks.

Dubbed Greasy Opal by Arkose Labs, the Czech Republic-based "cyber attack enablement business" is believed to have been operational since 2009, offering customers a toolkit for credential stuffing, mass fake account creation, browser automation, and social media spam at a price point of $190 plus an additional $10 for a monthly subscription.

The product offering spans the entire gamut, enabling the group to establish a complex revenue model by bundling numerous services together. The entity's revenues for 2023 alone are estimated at no less than $1.7 million.

"Greasy Opal employs cutting-edge OCR technology to effectively analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion," the fraud protection business said in a recent report. "The service develops machine-learning algorithms trained on extensive datasets of images."

One of its users is Storm-1152, a Vietnamese cybercrime gang that was previously exposed by Microsoft as selling 750 million phony Microsoft identities and tools via a network of bogus websites and social media pages to other criminal actors.

"Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery," Arkose Labs stated.

"This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream."
