Cyber Criminals Exploit HTTP Header

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages designed to harvest users' credentials.  Unlike phishing pages distributed through HTML content, these attacks use the response header sent by the server, which the browser processes before any of the HTML content.  The header instructs the browser to refresh or reload the page immediately, so the malicious link is loaded without requiring any user interaction.

The large-scale activity, observed between May and July 2024, targeted large corporations in South Korea, government agencies, and schools in the US. As many as 2,000 malicious URLs have been associated with the campaigns. Over 36% of the attacks targeted the business and economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computer and internet (5.4%).

The attacks are the latest in a long list of tactics that threat actors have employed to obfuscate their intent and trick email recipients into parting with sensitive information, including taking advantage of trending top-level domains (TLDs) and domain names to propagate phishing and redirection attacks.  The infection chains are characterized by delivering malicious links through header refresh URLs that contain the targeted recipients' email addresses.  The link to which the browser is redirected is embedded in the Refresh response header.

The starting point of the infection chain is an email message containing a link that mimics a legitimate or compromised domain that, when clicked, triggers the redirection to the actor-controlled credential harvesting page.  To lend the phishing attempt a veneer of legitimacy, the malicious webmail login pages have the recipients' email addresses pre-filled.  Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services.  "By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft. These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets," the researchers said.
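As an added defensive example (not code from the article or from the researchers it cites), the following Python checker parses a raw HTTP response header block, extracts any Refresh redirect of the kind described above, and flags the combination of an immediate cross-host redirect whose target URL embeds an email address. The hostnames and header lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Matches an email address (after URL-decoding) anywhere in the redirect target.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_refresh(value):
    """Parse a Refresh header value ('0; url=https://...') into (delay, url).
    Returns None when the value is not a well-formed refresh directive."""
    delay_part, _, rest = value.partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        return None
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip().strip("'\"")
    return delay, (unquote(rest) if rest else None)

def assess_headers(served_host, raw_headers):
    """Inspect a raw HTTP response header block and report indicators of a
    header-driven redirect to a credential-harvesting page."""
    findings = {"refresh": False, "immediate": False,
                "cross_host": False, "email_in_url": False, "target": None}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "refresh":
            continue
        parsed = parse_refresh(value.strip())
        if parsed is None or parsed[1] is None:
            continue
        delay, target = parsed
        findings.update(refresh=True, target=target, immediate=(delay == 0))
        host = urlparse(target).hostname or ""
        findings["cross_host"] = host.lower() != served_host.lower()
        findings["email_in_url"] = bool(EMAIL_RE.search(target))
    return findings

def is_suspicious(findings):
    # Redirect via header to another host, with the recipient's address in the URL.
    return findings["refresh"] and findings["cross_host"] and findings["email_in_url"]

# Constructed sample response (hostnames and address are placeholders, not real IoCs).
SAMPLE_HOST = "tracker.example"
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Refresh: 0; url=https://webmail-login.example.net/?account=jane.doe%40corp.example"""

if __name__ == "__main__":
    result = assess_headers(SAMPLE_HOST, SAMPLE_HEADERS)
    print(result, "SUSPICIOUS" if is_suspicious(result) else "ok")
```

A benign same-site refresh (for example a status page reloading itself every 30 seconds) produces no cross-host or email finding, so the check distinguishes the two cases rather than alerting on every Refresh header.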

Phishing and business email compromise (BEC) are prominent pathways for adversaries looking to siphon information and perform financially motivated attacks. According to the US Federal Bureau of Investigation (FBI), BEC attacks cost US and international organizations an estimated $55.49 billion between October 2013 and December 2023, with over 305,000 scam incidents reported during the same period.

The development comes amid "dozens of scam campaigns" that have leveraged deepfake videos featuring public figures, CEOs, news anchors, and top government officials to promote bogus investment schemes such as Quantum AI since at least July 2023.

These campaigns are spread via posts and ads on various social media platforms, directing users to phony web pages that prompt them to fill out a form to sign up. After that, a scammer contacts them via phone and asks them to pay an initial fee of $250 to access the service. The scammer instructs the victim to download a special app so that they can 'invest' more of their funds. Within the app, a dashboard appears to show small profits.

Finally, when the victim tries to withdraw their funds, the scammers either demand withdrawal fees or cite some other reason (e.g., tax issues) why the funds cannot be returned.  The scammers may then lock the victim out of their account and pocket the remaining funds, causing the victim to lose most of the money they put into the 'platform'.

It also follows the discovery of a stealthy threat actor that presents itself as a legitimate enterprise and has been advertising automated CAPTCHA-solving services at scale to other cybercriminals and helping them infiltrate IT networks.

Named Greasy Opal by Arkose Labs, the Czech Republic-based "cyber-attack enablement business" is believed to have been operational since 2009, offering customers a toolkit of sorts for credential stuffing, mass fake account creation, browser automation, and social media spam at a price point of $190 and an additional $10 for a monthly subscription.  The product portfolio runs the cybercrime gamut, allowing them to develop a sophisticated business model by packaging several services.  The entity's revenues for 2023 alone are said to be no less than $1.7 million.

Greasy Opal employs cutting-edge OCR technology to analyze and interpret text-based CAPTCHAs, even those distorted or obscured by noise, rotation, or occlusion. The service develops machine-learning algorithms trained on extensive image datasets.

One of its users is Storm-1152, a Vietnamese cybercrime group previously identified by Microsoft as selling 750 million fraudulent Microsoft accounts and tools through bogus websites and social media pages to other criminal actors.

See:  https://redskyalliance.org/xindustry/microsoft-disrupts-cybercrime-service

"Greasy Opal has built a thriving conglomerate of multi-faceted businesses, offering not only CAPTCHA-solving services but also SEO-boosting software and social media automation services that are often used for spam, which could be a precursor for malware delivery," Arkose Labs said.  "This threat actor group reflects a growing trend of businesses operating in a gray zone, while its products and services have been used for illegal activities downstream."


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
