Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP response headers to deliver fake email login pages designed to harvest user credentials.
“Unlike other methods of distributing phishing web pages through HTML content, these attacks use a response header sent by the server that occurs before the HTML content is processed,” Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu Yu, and Wei Wang said.
“Malicious links direct the browser to automatically refresh or immediately reload the web page without requiring user interaction.”
Large corporations in South Korea, as well as government agencies and schools in the United States, were the targets of large-scale activity observed between May and July 2024. About 2,000 malicious URLs were associated with the campaigns.
Over 36% of attacks targeted the business and economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computers and internet (5.4%).
The attacks are the latest in a long list of tactics that threat actors have used to hide their intentions and trick email recipients into parting with sensitive information, including taking advantage of popular top-level domains (TLDs) and domain names to spread phishing and redirect attacks.
Infection chains are characterized by the delivery of malicious links through refresh-header URLs that contain the email addresses of the intended recipients. The link to be redirected to is embedded in the Refresh response header.
The starting point of the infection chain is an email containing a link that impersonates a legitimate or compromised domain, which when clicked triggers a redirect to a credential collection page controlled by the actor.
To give the phishing attempt the appearance of legitimacy, recipient email addresses are pre-populated on the malicious webmail login pages. Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and marketing campaign services.
“By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true targets and increase the likelihood of successful credential theft,” the researchers said.
“These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets.”
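As an added defender-side example (not code from the Unit 42 report), the check below parses Refresh response headers from constructed sample responses and flags the pattern described above: an immediate cross-origin redirect whose target URL embeds a recipient's email address. All hostnames and header values are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample responses (not from the original report): an HTTP Refresh
# header that sends the browser to another origin before any HTML is processed,
# with the recipient's e-mail address carried in the target URL for pre-filling.
SAMPLE_RESPONSES = {
    "https://tracker.example-legit.test/c/abc": {
        "Refresh": "0; url=https://login.example-phish.test/#victim@corp.test"},
    "https://www.example-legit.test/news": {"refresh": "30"},  # periodic reload
    "https://www.example-legit.test/old": {"Refresh": "0; URL=/new"},  # same origin
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_refresh(value):
    """Split a Refresh header value into (delay_seconds, target_url or None)."""
    delay_part, _, rest = value.partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        delay = 0
    target = rest.strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return delay, (target or None)


def refresh_risk(page_url, headers):
    """Return (flagged, reasons); flagged means a cross-origin Refresh redirect
    whose target embeds an e-mail address, the combination described above."""
    value = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
    if value is None:
        return False, []
    delay, target = parse_refresh(value)
    if target is None:
        return False, []
    src_host = urlsplit(page_url).netloc.lower()
    dst_host = urlsplit(target).netloc.lower()
    cross = bool(dst_host) and dst_host != src_host
    immediate = delay == 0
    has_email = EMAIL_RE.search(unquote(target)) is not None
    reasons = [name for name, hit in (
        ("cross-origin redirect", cross),
        ("immediate redirect, no user interaction", immediate),
        ("e-mail address embedded in target URL", has_email)) if hit]
    return cross and has_email, reasons
```

Run over proxy or sandbox-captured response headers, the function gives a reason list that can be logged alongside the verdict.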
Phishing and Business Email Compromise (BEC) continue to be a known avenue for adversaries seeking to obtain information and launch financially motivated attacks.
BEC attacks cost US and international organizations an estimated $55.49 billion between October 2013 and December 2023, according to the US Federal Bureau of Investigation (FBI), with over 305,000 fraud cases reported during the same period.
The development comes amid “dozens of scam campaigns” that have used deepfake videos featuring public figures, CEOs, news anchors and top government officials to promote fake investment schemes like Quantum AI since at least July 2023.
These campaigns are spread through messages and ads on various social media platforms, directing users to fake web pages offering to fill out a registration form, after which the scammer contacts them via phone call and asks them to pay an initial fee of US$250 for access to the service.
“The scammer instructs the victim to download a special app so she can ‘invest’ more of her funds,” Unit 42 researchers said. “The app’s dashboard shows small gains.”
“Finally, when the victim tries to withdraw their funds, the scammers either demand a withdrawal fee or cite some other reason (such as tax issues) why they cannot get their funds back.
“The scammers can then block the victim from their account and pocket the remaining funds, causing the victim to lose most of the money they put into the ‘platform’.”
It also follows the discovery of a threat actor posing as a legitimate business and promoting automated CAPTCHA-solving services at scale to other cybercriminals, helping them infiltrate IT networks.
Dubbed Greasy Opal by Arkose Labs, the Czech-based entity is said to have been operating since 2009, offering its customers a unique set of tools for credential stuffing, mass creation of fake accounts, browser automation and social media spamming, priced at $190 plus an additional $10 for a monthly subscription.
Its product portfolio spans the spectrum of cybercrime, allowing its operators to build a sophisticated business model by combining multiple services. In 2023 alone, the organization's revenue is estimated at no less than $1.7 million.
“Greasy Opal uses advanced OCR technology to efficiently analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion,” the fraud prevention company noted in a recent analysis. “The service develops machine learning algorithms trained on vast image datasets.”
One of its users is Storm-1152, a Vietnamese cybercriminal group previously identified by Microsoft as selling 750 million fraudulent Microsoft accounts and tools to other criminal entities through a network of fake websites and social media pages.
“Greasy Opal has built a thriving multi-faceted conglomerate, offering not only CAPTCHA-solving services, but also SEO-enhancing software and social media automation services, which are often used to send spam, which can be a precursor to malware delivery,” Arkose Labs said.
“This group of threat actors reflects a growing trend of businesses operating in the gray area, while its products and services are used for illicit activities further down the line.”