Cybercriminals Leverage HTTP Headers to Steal Credentials in Widespread Phishing Attacks

Cybersecurity researchers have raised alarms about ongoing phishing campaigns that abuse Refresh entries in HTTP response headers to deliver fake email login pages aimed at stealing users' credentials.

“Unlike traditional phishing attacks that rely on HTML content, these attacks manipulate the response header sent by the server, which occurs before the HTML content is processed,” noted Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang.

In these attacks, the server's response to the malicious link carries a Refresh header that makes the browser automatically reload or navigate to another page without any user action.

Between May and July 2024, the large-scale campaigns have targeted major corporations in South Korea, as well as government agencies and schools in the U.S. Around 2,000 malicious URLs have been identified as part of the operation.

Over 36% of the attacks have focused on the business and economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computer and internet services (5.4%).

These attacks are part of a broader range of tactics used by cybercriminals to hide their intentions and deceive users into providing sensitive information. They also take advantage of popular top-level domains (TLDs) and domain names to launch phishing and redirection campaigns.

The infection chain begins with an email containing a link that resembles a legitimate or compromised domain. Clicking on the link redirects the victim to a credential-stealing page controlled by the attacker.

To make the phishing attempt seem more credible, the spoofed email login pages often have the user’s email address pre-filled. The attackers have also used legitimate domains offering URL shortening, tracking, and marketing services to further obscure their activities.
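The header-driven redirect described above can be spotted on the wire before any HTML is rendered. As an added example (not code from the Unit 42 report), the following Python takes a captured HTTP response, extracts its Refresh header and flags the traits the article describes: an immediate refresh, a redirect to a different host, and an email address embedded in the target URL. The sample responses and host names are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote
# Matches an email address embedded (once percent-decoded) anywhere in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Refresh header syntax: "<seconds>" or "<seconds>; url=<target>" (target may be quoted).
REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?\s*$", re.I)

def find_refresh_header(raw_response):
    # Scan only the header block (before the blank line); header names are case-insensitive.
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "refresh":
            return value.strip()
    return None

def parse_refresh(value):
    # Returns (delay_seconds, target_url) or None if the value is malformed.
    m = REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or "").strip()

def assess_response(requested_url, raw_response):
    # Returns the list of suspicious traits found; an empty list means no header-driven redirect.
    findings = []
    refresh = find_refresh_header(raw_response)
    parsed = parse_refresh(refresh) if refresh is not None else None
    if not parsed or not parsed[1]:
        return findings
    delay, target = parsed
    src_host = (urlparse(requested_url).hostname or "").lower()
    dst_host = (urlparse(target).hostname or "").lower()
    if dst_host and dst_host != src_host:
        findings.append("cross-host refresh redirect to " + dst_host)
    if delay == 0:
        findings.append("immediate (0s) refresh before any HTML is rendered")
    if EMAIL_RE.search(unquote(target)):
        findings.append("email address embedded in redirect target")
    return findings

# Constructed sample responses (reserved .invalid/.example names, not real indicators).
PHISH_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nRefresh: 0; "
                  "url=https://login-lookalike.invalid/?email=user%40example.com\r\n\r\n<html></html>")
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nRefresh: 30\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, resp in (("phish", PHISH_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(name, assess_response("https://tracker.example/click", resp))
```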

“By closely mimicking legitimate domains and redirecting victims to authentic-looking sites, attackers effectively conceal their true motives and increase the chances of successful credential theft,” the researchers added.

These sophisticated techniques illustrate how attackers continue to evolve to evade detection and exploit unsuspecting individuals.

Phishing and business email compromise (BEC) remain significant threats, with adversaries increasingly targeting organizations for financial gain. According to the FBI, BEC scams cost U.S. and international businesses an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 incidents reported.

The warning comes as “dozens of scam campaigns” have used deepfake videos featuring public figures and CEOs to promote fraudulent investment schemes, such as Quantum AI, since at least July 2023.

These scams, propagated via social media posts and ads, direct victims to fake websites where they are prompted to fill out forms to sign up. Scammers then contact them, requesting a $250 upfront fee to access the supposed service.

The scammers instruct victims to download a special app for further investment, displaying fake profits on a dashboard. When victims attempt to withdraw funds, scammers demand additional fees or cite reasons such as tax issues, ultimately locking the victims out of their accounts and stealing their money.

In parallel, a stealthy threat actor, dubbed Greasy Opal by Arkose Labs, has been offering automated CAPTCHA-solving services at scale, helping other cybercriminals breach IT networks. Greasy Opal, believed to have been active since 2009, provides tools for credential stuffing, mass fake account creation, browser automation, and social media spam for $190, plus a $10 monthly subscription.

With an estimated $1.7 million in revenue for 2023 alone, Greasy Opal’s services range from CAPTCHA-solving to SEO-boosting and social media automation, often used for spam that could lead to malware distribution.

One of its notable clients is Storm-1152, a Vietnamese cybercrime group previously identified by Microsoft for selling 750 million fraudulent Microsoft accounts and tools through a network of fake websites and social media platforms.

“Greasy Opal’s operations illustrate a growing trend of cybercriminal enterprises operating in the shadows, packaging their services for downstream illegal activities,” Arkose Labs concluded.
