Researchers recently discovered a series of phishing campaigns exploiting HTTP header refresh entries to redirect users to spoofed login pages that collect sensitive credentials. Unlike typical phishing strategies, these attacks leverage server-side response headers, bypassing HTML content processing to deceive users more effectively. The campaigns, observed from May to July 2024, primarily targeted large corporations in South Korea and government agencies, schools, and various businesses in the United States, leading to over 2,000 malicious URLs associated with the attacks.
Key sectors impacted by these phishing activities include business, financial services, government, healthcare, and internet services, with business-related entities comprising more than a third of the total victims. Attackers use unique tactics to increase their success rate, such as pre-filling login pages with the targets’ email addresses and incorporating legitimate URLs and domain names to disguise their malicious intent. Through such methods, threat actors have managed to mask their true goals, making their phishing schemes more challenging to detect and stop.
The infection method begins with a deceptive email that contains a link appearing to lead to a legitimate domain. Once the link is clicked, however, the browser automatically redirects to a credential-harvesting page controlled by the attackers, without requiring any user action. To increase the credibility of the scam, some campaigns even employ domain shortening and marketing services to track and propagate their phishing links, further increasing the likelihood that unsuspecting users will provide their information.
This phishing wave reflects broader trends, including the rise in business email compromise (BEC) attacks, which have already cost global organizations an estimated $55 billion since 2013. Cybercriminals continue to diversify their techniques, taking advantage of emerging tools and services like CAPTCHA-breaking software from third-party suppliers. This trend highlights the growing sophistication of threat actors who constantly adapt to evade detection, posing increasing risks for businesses and individuals alike.
Reference:
