Cybersecurity researchers have warned of an ongoing wave of phishing campaigns that abuse the refresh directive in HTTP response headers to send the browser, with no click on the page itself, to spoofed email login pages built to harvest user credentials.
"These attacks are distinct from traditional phishing methods using HTML content," explained researchers Yu Zhang, Zeyu You, and Wei Wang from Palo Alto Networks Unit 42. "Instead, the response header is altered, which directs the browser to refresh or reload the page automatically, no user interaction needed."
These attacks, active between May and July 2024, have primarily targeted major corporations in South Korea, as well as U.S. government agencies and educational institutions. So far, around 2,000 malicious URLs have been linked to the campaign.
More than 36% of these attacks were aimed at the business and economy sector, with additional targets including financial services (12.9%), government entities (6.9%), healthcare (5.7%), and the IT sector (5.4%).
These phishing tactics are part of a growing arsenal used by threat actors to obscure their intentions. By leveraging trending top-level domains (TLDs) and domain names, attackers are better able to execute phishing and redirection attacks.
The attack chain typically starts with an email carrying a link that either spoofs a legitimate domain or points to a compromised one. When the link is clicked, the server's response header, rather than any page content, redirects the browser to a phishing page whose login form already has the victim's email address filled in, which lends the page credibility. The campaigns also route through legitimate services such as URL shorteners, link trackers and marketing platforms to blend in with ordinary traffic.
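As an added illustration (not code from the Unit 42 report or from this article), the following Python script parses a captured HTTP response head, pulls the Refresh header apart, and flags responses that bounce the browser to another site instantly or carry an email address in the target URL, the two traits of the redirect described above. The sample response heads and every hostname in them are constructed for the example.

```python
"""Flag HTTP responses whose Refresh header silently redirects the browser.

Added example, not code from the Unit 42 report. The sample response heads
below are constructed, and every hostname in them is a placeholder.
"""
import re
from urllib.parse import unquote, urljoin, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# (URL the client requested, raw response head it got back) -- constructed data
SAMPLES = [
    # 1. Benign: a status page that reloads itself every 30 seconds.
    ("https://intranet.example.test/status",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nRefresh: 30\r\n\r\n"),
    # 2. Header-driven phish: zero-delay hop to another site, with the
    #    victim's address carried in both the query string and the fragment.
    ("https://lnk.tracker.example.test/r/9f2c",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "Refresh: 0;url=https://mail-login.secure-portal.test/index.html"
     "?e=alice%40corp.example#alice%40corp.example\r\n\r\n"),
    # 3. Benign: same-site redirect after a delay, relative target URL.
    ("https://app.example.test/submit",
     "HTTP/1.1 200 OK\r\nRefresh: 5; url=/done\r\n\r\n"),
    # 4. No Refresh header at all.
    ("https://www.example.test/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]


def parse_refresh(value):
    """Split a Refresh value such as '5; url=https://x' into (delay, url).

    A bare number means 'reload this page' and yields url=None; a value that
    does not start with an integer is malformed and yields (None, None).
    """
    head, sep, rest = value.partition(";")
    try:
        delay = int(head.strip())
    except ValueError:
        return None, None
    if not sep:
        return delay, None
    m = re.match(r"\s*url\s*=\s*(.*)$", rest, re.IGNORECASE)
    if not m:
        return delay, None
    url = m.group(1).strip().strip("\"'")
    return delay, (url or None)


def parse_headers(raw_head):
    """Return a lowercase-keyed dict of header fields from a raw HTTP head."""
    headers = {}
    for line in raw_head.split("\r\n")[1:]:   # [0] is the status line
        if not line:
            break                              # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def analyze_response(request_url, raw_head):
    """Describe what a Refresh header would make the browser do.

    'cross_site' is True when the target host differs from the requested host;
    'prefilled_email' is any address found in the target's query or fragment;
    'suspicious' is True for a cross-site hop that is either instant (delay 0)
    or carries an email address, the pattern the campaign uses.
    """
    result = {"refresh": False, "delay": None, "target": None,
              "cross_site": False, "prefilled_email": None, "suspicious": False}
    headers = parse_headers(raw_head)
    if "refresh" not in headers:
        return result
    delay, target = parse_refresh(headers["refresh"])
    result["refresh"] = True
    result["delay"] = delay
    if target is None:
        return result                          # plain reload, nothing to follow
    target = urljoin(request_url, target)      # resolve relative targets
    result["target"] = target
    req_host = (urlsplit(request_url).hostname or "").lower()
    tgt_host = (urlsplit(target).hostname or "").lower()
    result["cross_site"] = req_host != tgt_host
    parts = urlsplit(target)
    hit = EMAIL_RE.search(unquote(parts.query) + " " + unquote(parts.fragment))
    if hit:
        result["prefilled_email"] = hit.group(0)
    result["suspicious"] = result["cross_site"] and (
        delay == 0 or result["prefilled_email"] is not None)
    return result


def scan(samples=SAMPLES):
    """Analyze each (request_url, raw_head) pair and return the findings."""
    return [analyze_response(url, head) for url, head in samples]


if __name__ == "__main__":
    for (url, _), r in zip(SAMPLES, scan()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {url} -> {r['target']} email={r['prefilled_email']}")
```

The check is deliberately conservative: a same-site refresh or a delayed reload is ordinary web behaviour and is left alone, while a zero-delay hop to a different host, especially one that hands an email address along in the URL, is what the campaign relies on and is worth alerting on at a proxy or in stored HTTP logs. In a real deployment the request and response head would come from the proxy or packet capture instead of the constructed SAMPLES list.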
"Attackers can cleverly hide their true intentions by mimicking legitimate domains and redirecting users to real websites. This not only increases their chances of success but also evades detection," the researchers noted.
Phishing and business email compromise (BEC) remain major threats, enabling adversaries to steal sensitive information and carry out financially motivated attacks. According to the U.S. FBI, BEC scams have caused losses of $55.49 billion globally from October 2013 to December 2023, with more than 305,000 incidents reported during that period.
The rise in phishing coincides with a surge in scam campaigns that use deepfake videos of public figures and government officials to promote fraudulent investment schemes such as the one marketed as Quantum AI. The scams reach victims through social media ads and ask for an initial payment of $250 before pressing for more.
The scammers then keep victims engaged with fraudulent apps that display fake investment profits. When a victim tries to withdraw money, further fees or supposed tax obligations are demanded first; eventually the account is locked and everything paid in is lost.
In a related discovery, researchers also uncovered a cybercrime enterprise called "Greasy Opal," which has been offering CAPTCHA-solving services since 2009. Based in the Czech Republic, the group has enabled cybercriminals to bypass CAPTCHA protections, allowing them to commit credential stuffing, fake account creation, and social media spam. In 2023 alone, Greasy Opal reportedly earned at least $1.7 million.
Greasy Opal's services extend beyond CAPTCHA-solving, with offerings that include SEO-boosting software and social media automation tools often used for spam and malware delivery. This has made it a go-to for cybercriminal groups like Storm-1152, a Vietnamese syndicate involved in selling millions of fraudulent Microsoft accounts.
As cybercriminals continue to evolve their tactics, organizations must stay vigilant against sophisticated phishing attacks and ensure robust security measures are in place to mitigate the risks.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067