Cybercriminals Use Large-Scale Phishing Attacks to Exploit HTTP Headers for stealing Credentials


Cybersecurity experts have issued a warning over persistent phishing campaigns that abuse HTTP Refresh response headers to deliver counterfeit email login pages intended to collect user credentials.

“Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content,” Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang said.

“Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.”

Large South Korean enterprises, as well as American government organizations and educational institutions, are the targets of the extensive campaign, which was observed between May and July of 2024. There are 2,000 or more malicious URLs connected to the campaigns.

The business and economy sector accounted for almost 36% of the attacks, followed by financial services (12.9%), government (6.9%), health and medical (5.7%), and computers and the internet (5.4%).

Using popular top-level domains (TLDs) and look-alike domain names to spread phishing and redirection attacks is just one of the many strategies threat actors have used to hide their true intentions and fool email recipients into divulging sensitive information.

What distinguishes these infection chains is the delivery of malicious links through Refresh header URLs that embed the email addresses of the intended recipients. The Refresh response header carries the link that sends the browser on to the destination.

An email message that appears to come from a trustworthy or compromised domain is the first step in the infection chain. Clicking on the link directs the user to the actor-controlled credential harvesting page.

The fraudulent webmail login pages have the victims’ email addresses pre-filled in order to give the phishing endeavor the appearance of validity. Attackers have also been seen utilizing reputable domains that provide tracking, campaign marketing, and URL shortening services.
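The chain described above (a zero-delay Refresh response header whose target URL carries the recipient's email address) can be spotted from the server response alone, before any HTML is rendered. The following is an added detection example, not code from the Unit 42 report or the article; it parses a raw HTTP response, pulls apart the Refresh header, and flags responses whose redirect target embeds an email address and either fires immediately or points outside an allowlist of known hosts. The sample responses, host names (`.test` / `.example` domains) and the `TRUSTED_HOSTS` allowlist are constructed for the example.

```python
"""Flag HTTP responses whose Refresh header redirects to a URL that embeds an email address.

Added example for illustrating the header-refresh phishing chain; all hosts,
addresses and responses below are constructed, not real indicators.
"""
import re
from urllib.parse import unquote, urlsplit

# Loose email pattern: good enough to spot a recipient address smuggled into a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hypothetical allowlist of hosts an organisation expects legitimate refreshes to go to.
TRUSTED_HOSTS = {"www.example.com"}


def parse_response_headers(raw: str) -> dict:
    """Return the headers of a raw HTTP response as a dict keyed by lowercased name."""
    head = raw.split("\r\n\r\n", 1)[0]          # everything before the body
    headers = {}
    for line in head.split("\r\n")[1:]:         # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_refresh(value: str):
    """Split a Refresh value of the form 'N; url=TARGET' into (delay, target)."""
    parts = value.split(";", 1)
    try:
        delay = int(parts[0].strip())
    except ValueError:
        delay = None
    target = None
    if len(parts) == 2:
        rest = parts[1].strip()
        if rest.lower().startswith("url="):
            target = rest[4:].strip().strip('"\'')
    return delay, target


def analyze_response(raw: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Inspect one HTTP response and report why (if at all) its Refresh header looks like the campaign."""
    headers = parse_response_headers(raw)
    result = {"has_refresh": "refresh" in headers, "delay": None,
              "target": None, "emails": [], "reasons": [], "suspicious": False}
    if not result["has_refresh"]:
        return result
    delay, target = parse_refresh(headers["refresh"])
    result["delay"], result["target"] = delay, target
    if target is None:
        return result

    # Decode the whole URL so addresses hidden in percent-encoded query/fragment parts are visible.
    emails = sorted(set(EMAIL_RE.findall(unquote(target))))
    result["emails"] = emails
    host = (urlsplit(target).hostname or "").lower()

    if emails:
        result["reasons"].append("email address embedded in redirect target")
    if delay == 0:
        result["reasons"].append("zero-delay refresh (no user interaction)")
    if host not in trusted_hosts:
        result["reasons"].append(f"redirect host '{host}' not in allowlist")

    # An embedded address is the campaign's signature; require one more signal to reduce noise.
    result["suspicious"] = bool(emails) and len(result["reasons"]) >= 2
    return result


# Constructed sample: a response from a look-alike tracking/shortener host that bounces the
# browser straight to a credential page, with the victim address smuggled into the fragment.
SAMPLE_PHISH = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Refresh: 0; url=https://tracking.example-shortener.test/go?"
    "to=https%3A%2F%2Flogin.example-phish.test%2F%23alice%40victim.example\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

# Constructed sample: an ordinary delayed refresh to an allowlisted status page.
SAMPLE_BENIGN = (
    "HTTP/1.1 200 OK\r\n"
    "Refresh: 5; url=https://www.example.com/status\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        verdict = analyze_response(sample)
        print(label, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```

In a proxy or sandbox pipeline the same function would run over every response, and the `emails` field gives the analyst the targeted recipient directly from the URL, which is also the value to search for in mail logs to find who else received the lure.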

“By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft,” the researchers said.

“These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets.”

Business email compromise (BEC) and phishing remain popular avenues for attackers seeking to steal data and launch financially motivated assaults.

The U.S. Federal Bureau of Investigation (FBI) estimates that between October 2013 and December 2023, BEC attacks cost U.S. and international organizations an estimated $55.49 billion. During that same period, over 305,000 scam instances were reported.

This comes in the midst of “dozens of scam campaigns” that, since at least July 2023, have promoted phony investment schemes like Quantum AI by using deepfake videos of prominent politicians, CEOs, news anchors, and public figures.

These campaigns are spread through posts and advertisements on different social media platforms, sending users to bogus websites that ask them to fill out a form in order to register. Once they do, a scammer calls the victim and demands $250 as an upfront payment to gain access to the service.

“The scammer instructs the victim to download a special app so that they can ‘invest’ more of their funds,” Unit 42 researchers said. “Within the app, a dashboard appears to show small profits.”

“Finally, when the victim tries to withdraw their funds, the scammers either demand withdrawal fees or cite some other reason (e.g., tax issues) for not being able to get their funds back.

“The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to have lost the majority of the money that they put into the ‘platform.’”

It also comes after the identification of a cunning threat actor that poses as a respectable company and has been assisting other hackers in breaking into IT networks by widely advertising automated CAPTCHA-solving services.

Called Greasy Opal by Arkose Labs, the Czech Republic-based “cyber attack enablement business” is thought to have been in operation since 2009. Customers can purchase a sort of toolkit for $190 plus an extra $10 per month for use in social media spam, browser automation, mass credential stuffing, and mass fake account creation.

Their product offering covers the whole spectrum of cybercrime, which enables them to package multiple services together and create a smart business model. The company is estimated to have generated at least $1.7 million in sales in 2023 alone.

“Greasy Opal employs cutting-edge OCR technology to effectively analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion,” the fraud prevention company noted in a recent analysis. “The service develops machine-learning algorithms trained on extensive datasets of images.”

Storm-1152, a Vietnamese cybercrime outfit that Microsoft previously exposed for peddling 750 million phony Microsoft identities and tools to other criminal actors via a network of shady websites and social media pages, is one of its users.

“Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery,” Arkose Labs said.

“This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream.”
