Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to ship spoofed e mail login pages which are designed to reap customers’ credentials.
“Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content,” Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang stated.
“Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.”
Targets of the large-scale exercise, noticed between Could and July 2024, embrace giant companies in South Korea, in addition to authorities businesses and faculties within the U.S. As many as 2,000 malicious URLs have been related to the campaigns.
Over 36% of the assaults have singled out the business-and-economy sector, adopted by monetary companies (12.9%), authorities (6.9%), well being and drugs (5.7%), and laptop and web (5.4%).
The assaults are the most recent in a lengthy listing of techniques that menace actors have employed to obfuscate their intent and trick e mail recipients into parting with delicate info, together with taking benefit of trending top-level domains (TLDs) and domains to propagate phishing and redirection assaults.
The an infection chains are characterised by the supply of malicious hyperlinks by way of header refresh URLs containing focused recipients’ e mail addresses. The hyperlink to which to be redirected is embedded within the Refresh response header.
The place to begin of the an infection chain is an e mail message containing a hyperlink that mimics a reputable or compromised area that, when clicked, triggers the redirection to the actor-controlled credential harvesting web page.
To lend the phishing try a veneer of legitimacy, the malicious webmail login pages have the recipients’ e mail addresses pre-filled. Attackers have additionally been noticed utilizing reputable domains that provide URL shortening, monitoring, and marketing campaign advertising companies.
“By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft,” the researchers stated.
“These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets.”
Phishing and enterprise e mail compromise (BEC) continues to be a distinguished pathway for adversaries trying to siphon info and carry out financially motivated assaults.
BEC assaults have price U.S. and worldwide organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 rip-off incidents reported throughout the identical time interval, in response to the U.S. Federal Bureau of Investigation (FBI).
The event comes amid “dozens of scam campaigns” which have leveraged deepfake movies that includes public figures, CEOs, information anchors, and prime authorities officers to advertise bogus funding schemes corresponding to Quantum AI since a minimum of July 2023.
These campaigns are propagated by way of posts and advertisements on varied social media platforms, directing customers to phony internet pages that immediate them to fill out a kind as a way to enroll, after which a scammer contacts them by way of a cellphone name and asks them to pay an preliminary payment of $250 as a way to entry the service.
“The scammer instructs the victim to download a special app so that they can ‘invest’ more of their funds,” Unit 42 researchers stated. “Within the app, a dashboard appears to show small profits.”
“Lastly, when the sufferer tries to withdraw their funds, the scammers both demand withdrawal charges or cite another purpose (e.g., tax points) for not with the ability to get their funds again.
“The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to have lost the majority of the money that they put into the ‘platform.'”
It additionally follows the invention of a stealthy menace actor that presents itself as a reputable enterprise and has been promoting automated CAPTCHA-solving companies at scale to different cybercriminals and serving to them infiltrate IT networks.
Dubbed Greasy Opal by Arkose Labs, the Czech Republic-based “cyber attack enablement business” is believed to have been operational since 2009, providing to prospects a toolkit of types for credential stuffing, mass faux account creation, browser automation, and social media spam at a value level of $190 and a further $10 for a month-to-month subscription.
The product portfolio runs the cybercrime gamut, permitting them to develop a complicated enterprise mannequin by packaging a number of companies collectively. The entity’s revenues for 2023 alone are stated to be at least $1.7 million.
“Greasy Opal employs cutting-edge OCR technology to effectively analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion,” the fraud prevention firm famous in a latest evaluation. “The service develops machine-learning algorithms trained on extensive datasets of images.”
Considered one of its customers is Storm-1152, a Vietnamese cybercrime group that was beforehand recognized by Microsoft as promoting 750 million fraudulent Microsoft accounts and instruments by way of a community of bogus web sites and social media pages to different legal actors.
“Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery,” Arkose Labs stated.
“This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream.”
