Palo Alto Networks' Unit 42 threat intel team has identified a growing trend in large-scale phishing attacks that abuse the HTTP Refresh response header to redirect victims to malicious websites. Between May and July 2024, researchers spotted over 2,000 such campaigns.
The tactic works by placing the malicious URL in the Refresh header of an HTTP response rather than in the page body or in a conventional 3xx Location redirect; the header tells the browser to navigate to that URL on its own. Attackers then typically spoof the login pages of well-known vendors to steal users' passwords. The attack begins with an email containing a link hosted on a domain that either looks legitimate or is a genuine site the attackers have compromised, which makes it difficult to spot.
When a user clicks the link, the first page's response carries a Refresh header whose value names the malicious URL, and the browser follows it, immediately or after a short delay, depending on the interval the header specifies. Because the browser acts on the response headers, the hop to the phishing site can take place before the initial page's content has been displayed, so the victim never gets a chance to inspect it.
Researchers believe this tactic also lets attackers partially pre-fill the spoofed login form with the victim's details, such as the email address the phishing message was sent to, which makes the page look more convincing and the attack more likely to succeed. Organizations in the business and economy sector are the most frequently targeted, accounting for 36.2% of all attempts.
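The following is an added example for this article, not code from Unit 42 or The Register, showing how a defender can detect the behaviour described above from proxy or web-gateway records: it parses the Refresh header forms browsers accept, flags responses whose target is a different site than the one requested, and notes a zero-second delay and an email address embedded in the target URL as the two tells the report describes. The record shape (request URL plus response headers as a dict) and the sample records are constructed for the example.

```python
"""Flag HTTP responses whose Refresh header bounces the browser off-site.

Added example for this article; it is not code from Unit 42 or The Register.
It assumes a proxy/gateway capture that yields, per response, the requested
URL and the response headers as a dict (a hypothetical record shape).
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Forms browsers accept (assumption based on the HTML refresh-parsing rules):
#   "5"                        plain reload after 5 seconds, no redirect
#   "0; url=https://..."       redirect; the "url=" and any quotes are optional
_REFRESH_RE = re.compile(
    r"^\s*(?P<delay>\d+(?:\.\d*)?)\s*"
    r"(?:[;,]\s*(?:url\s*=\s*)?(?P<target>.*?)\s*)?$",
    re.IGNORECASE,
)
# An email address written raw or with the '@' percent-encoded as %40.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_refresh(value: str) -> Tuple[Optional[float], Optional[str]]:
    """Return (delay_seconds, target_url) from a Refresh header value.

    target_url is None for a plain reload; both are None if unparseable.
    """
    m = _REFRESH_RE.match(value)
    if not m:
        return None, None
    target = (m.group("target") or "").strip().strip("'\"") or None
    return float(m.group("delay")), target


def classify_refresh(request_url: str, headers: Dict[str, str]) -> Optional[str]:
    """None if the response is harmless, otherwise a short reason string."""
    value = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
    if value is None:
        return None
    delay, target = parse_refresh(value)
    if target is None:
        return None  # no target means a plain reload, not a redirect
    src_host = (urlsplit(request_url).hostname or "").lower()
    dst_host = (urlsplit(target).hostname or "").lower()
    if not dst_host or dst_host == src_host or dst_host.endswith("." + src_host):
        return None  # relative or same-site target: the common benign case
    reasons = [f"Refresh header redirects off-site to {dst_host}"]
    if delay == 0:
        reasons.append("zero delay, so the first page never renders")
    if _EMAIL_RE.search(target):
        reasons.append("target URL carries an email address (form pre-fill)")
    return "; ".join(reasons)


def scan(records: List[Tuple[str, Dict[str, str]]]) -> List[Tuple[str, str]]:
    """Run classify_refresh over (request_url, headers) records; keep the hits."""
    hits = []
    for url, headers in records:
        reason = classify_refresh(url, headers)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed sample records for the example; not real campaign data.
SAMPLE_RECORDS = [
    ("https://tracker.legit-looking.example/c/abc123",
     {"Content-Type": "text/html",
      "Refresh": "0; url=https://login-portal.attacker.example/?e=jane%40victim.example"}),
    ("https://shop.example/cart",
     {"Refresh": "3; URL='/cart?retry=1'"}),          # same-site, benign
    ("https://news.example/live",
     {"Refresh": "30"}),                               # plain auto-reload
    ("https://intranet.example/",
     {"Location": "https://sso.intranet.example/"}),   # ordinary 3xx, no Refresh
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLE_RECORDS):
        print(f"{url}\n    {reason}")
```

Same-site refreshes are common on real sites (retry pages, live feeds), so the off-site check is what keeps the alert volume usable; tuning it further against an allow-list of known tracking or link-shortening domains is a site-specific choice.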
The report also highlights the need for increased awareness among organizations, since the technique is being used at scale to harvest credentials. Phishing remains the most common form of reported cybercrime, with roughly 300,000 complaints filed with the FBI's IC3 in the US alone last year, and business email compromise, which often starts from a phished credential, cost more than $2.9 billion over the same period. It is no surprise that phishers keep adopting more sophisticated tricks to deceive end users.
Source: https://www.theregister.com/2024/09/12/http_headers/