Cybersecurity researchers are warning of an ongoing phishing campaign that exploits refresh entries in HTTP response headers to deliver fake email login pages designed to harvest user credentials.
“Unlike other phishing web page distribution attempts via HTML content, these attacks use response headers sent by the server, which occurs before the HTML content is processed,” said Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You and Wei Wang.
“The malicious link instructs the browser to automatically refresh or reload the web page without any user interaction.”
Targets of this massive activity, observed between May and July 2024, included major South Korean corporations, U.S. government agencies and schools, with up to 2,000 malicious URLs associated with the campaign.
More than 36% of attacks targeted the business and economic sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%) and computer and internet (5.4%).
The attack is the latest in a number of tactics threat actors have employed to conceal their intentions and trick email recipients into handing over sensitive information, including using trending top-level domains (TLDs) and domain names to spread phishing and redirection attacks.
The infection chain is characterized by delivering a malicious link via a header refresh URL that contains the email address of the targeted recipient. The redirect link is embedded in the Refresh response header.
The infection chain starts with an email message containing a link mimicking a legitimate or compromised domain that, when clicked, triggers a redirect to an attacker-controlled credential harvesting page.
To lend a semblance of legitimacy to their phishing attacks, malicious webmail login pages are pre-filled with recipient email addresses, and attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services.
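As an added illustration (not code from Unit 42 or from the article), the following Python checker flags the pattern described above: a Refresh response header, delivered before any HTML is parsed, that sends the browser to a different host with the recipient's email address embedded in the target URL. The sample responses and domain names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Loose email matcher, enough to spot a pre-filled recipient address in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_refresh(value):
    """Split a Refresh header value such as '0; url=https://...' into (delay, url)."""
    delay, _, rest = value.partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip().strip("'\"")
    try:
        seconds = float(delay.strip())
    except ValueError:
        seconds = None
    return seconds, rest

def analyse_response(raw, requested_host):
    """Inspect a raw HTTP response; return a finding dict if it carries a Refresh header, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    refresh = headers.get("refresh")
    if refresh is None:
        return None
    delay, url = parse_refresh(refresh)
    parts = urlsplit(url)
    target_host = (parts.hostname or requested_host).lower()   # relative URL stays on-host
    off_host = target_host != requested_host.lower()
    emails = EMAIL_RE.findall(unquote(" ".join((parts.path, parts.query, parts.fragment))))
    return {
        "delay": delay,
        "target": url,
        "off_host": off_host,
        "embedded_emails": emails,
        # Both conditions together match the campaign's signature.
        "suspicious": off_host and bool(emails),
    }

# Constructed sample: a response from a lookalike domain that bounces the browser elsewhere.
PHISH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Refresh: 0; url=https://login.example-phish.invalid/?e=victim%40example.com\r\n"
    b"\r\n<html><body>Loading...</body></html>"
)
# Constructed sample: a benign on-host refresh with no address in the URL.
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nRefresh: 5; url=/status\r\n\r\n<html></html>"
```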
“By cleverly mimicking legitimate domains and redirecting victims to official sites, attackers can effectively hide their true intentions and increase the likelihood of successful credential theft,” the researchers said.
“These tactics highlight the sophisticated strategies attackers use to evade detection and exploit unsuspecting targets.”
Phishing and business email compromise (BEC) remain primary methods used by attackers looking to steal information and carry out financially motivated attacks.
According to the US Federal Bureau of Investigation (FBI), BEC attacks cost US and international organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 fraud cases reported during the same period.
The disclosure comes amid “dozens of fraud campaigns” that have used deepfake videos featuring celebrities, CEOs, news anchors and government officials since at least July 2023 to promote fake investment schemes, including quantum AI.
These campaigns are spread through posts and advertisements on various social media platforms, directing users to fake web pages where they are asked to fill out a registration form, after which the scammers contact them via phone and demand they pay an upfront fee of $250 to access the service.
“The scammers then instruct their victims to download a special app that allows them to further ‘invest’ their funds,” the Unit 42 researchers said. “A dashboard within the app appears to display small profits.”
“Finally, when victims try to withdraw their funds, the scammers will demand a withdrawal fee or cite other reasons why they cannot get their funds back (such as tax issues).
“The fraudsters would then lock the victim’s account and pocket the remaining funds, resulting in the loss of a large portion of the funds the victim had put into the ‘platform’.”
It also follows the discovery of a stealthy threat actor who has been posing as a legitimate company and advertising a large-scale automated CAPTCHA solving service to other cybercriminals, helping them infiltrate IT networks.
A Czech Republic-based “cyber attack support business” dubbed Greasy Opal by Arkose Labs is believed to have been active since 2009 and offers customers what appears to be a toolkit for credential stuffing, mass fake account creation, browser automation and social media spam, priced at $190, plus an additional $10 for a monthly subscription.
The company’s product portfolio spans the full spectrum of cybercrime, and by packaging multiple services together, it can build sophisticated business models. The company is estimated to have generated more than $1.7 million in revenue in 2023 alone.
“Greasy Opal employs cutting-edge OCR technology to effectively analyze and interpret text-based CAPTCHAs, even when they are distorted or obscured by noise, rotation, or occlusion,” the fraud prevention company said in a recent analysis. “The service develops machine learning algorithms that are trained on massive image datasets.”
One of its customers was the Vietnamese cybercrime group Storm-1152, which was previously identified by Microsoft as selling 750 million fraudulent Microsoft accounts and tools to other criminals through a network of fake websites and social media pages.
“Greasy Opal has built a thriving conglomerate of multi-faceted businesses offering not only CAPTCHA-cracking services, but also SEO-enhancing software and social media automation services that are often used in spam and can be a precursor to malware delivery,” Arkose Labs said.
“This threat actor group reflects a growing trend of companies operating in the grey zone, whose products and services are being used for downstream illicit activity.”