A new type of phishing attack is deceiving users into giving up sensitive login credentials. Researchers from Palo Alto Networks’ Unit 42 have found these phishing campaigns that use refresh entries in HTTP response headers to automatically redirect users to attacker-controlled pages, without requiring any user interaction. This technique has targeted employees in sectors such as finance, government, and education throughout 2024.
How the HTTP Refresh Header Technique Works
Phishing attacks have changed in recent years, with attackers now using creative methods to bypass traditional security mechanisms. One technique involves manipulating HTTP response headers to perform automatic redirects. This type of phishing attack takes place even before the HTML content of a webpage is processed. When a user clicks on a link, the browser loads the webpage and processes the HTML content. With this header refresh technique, the server instructs the browser, via the refresh entry in the HTTP response header, to automatically refresh or reload the page, sending the victim to a malicious site without their knowledge. The process happens so quickly that users may not realize they have been redirected to an illegitimate page. The URLs involved in these attacks are embedded within phishing emails, where the original and landing URLs look legitimate or belong to compromised domains, making it difficult for users to identify potential threats. Attackers may also use legitimate services that offer URL shortening or tracking to further disguise the malicious intent.
Personalization of Phishing Attacks
What makes these phishing attacks more dangerous than others is the level of personalization they involve. Attackers use URL parameters to pre-fill login forms with the victim’s email address or other personal information. This customization increases the credibility of the phishing page, making it more likely that victims will fall for the scam. When a targeted user clicks on a phishing link, they may see a webmail login page resembling a legitimate service such as Microsoft Outlook or Gmail, already pre-filled with their own email address. This approach creates a false sense of legitimacy, leading victims to enter their password or other sensitive credentials. Attackers have implemented dynamic content generation techniques, such as deep linking, to craft these tailored phishing attempts. By using parameters embedded in the URL, attackers make the phishing form look like it is meant for the recipient, increasing the likelihood of successful credential theft.
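The two mechanisms described above, a redirect driven by the Refresh response header and a victim identifier carried in the target URL's parameters, are both visible to a proxy or mail-scanning service that fetches the link. The following Python script is an added example written for this article, not code from Unit 42 or Palo Alto Networks. It parses a raw HTTP response, extracts the delay and target from the Refresh header, and flags a redirect as suspicious when it leaves the originating host immediately or carries an email address in the query string or fragment. The sample response, its hostnames (tracker.example, login-portal.example) and the recipient address are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Loose grammar of the Refresh header value as browsers accept it:
#   Refresh: <seconds>[; url=<URL>]
# The url= token is case-insensitive and the URL may be quoted.
_REFRESH_RE = re.compile(
    r"^\s*(?P<delay>\d+(?:\.\d+)?)\s*"
    r"(?:[;,]\s*url\s*=\s*(?P<url>.+?)\s*)?$",
    re.IGNORECASE,
)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_refresh(value):
    """Split a Refresh header value into (delay_seconds, target_url or None).
    Returns None when the value does not follow the grammar above."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    url = m.group("url")
    if url is not None:
        url = url.strip("'\"")
    return float(m.group("delay")), url


def parse_raw_headers(raw):
    """Parse an HTTP/1.1 response (status line + headers) into a dict with
    lower-cased header names. Anything after the blank line is the body."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return headers


def _norm_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_response(request_url, raw_response):
    """Flag a response whose Refresh header drives an immediate, cross-domain
    redirect, or one that carries a victim email address in the target URL."""
    headers = parse_raw_headers(raw_response)
    result = {"refresh_redirect": False, "cross_domain": False,
              "instant": False, "prefill_params": [], "suspicious": False}
    value = headers.get("refresh")
    if value is None:
        return result
    parsed = parse_refresh(value)
    if parsed is None or parsed[1] is None:
        return result  # malformed, or a plain reload of the same page
    delay, target = parsed
    src, dst = urlsplit(request_url), urlsplit(target)
    result["refresh_redirect"] = True
    result["target"] = target
    result["cross_domain"] = _norm_host(src.hostname) != _norm_host(dst.hostname)
    result["instant"] = delay == 0
    # Personalisation indicator: an email address passed in the query string
    # or fragment, ready to be pre-filled into the login form.
    prefill = [k for k, vals in parse_qs(dst.query).items()
               if any(_EMAIL_RE.match(v) for v in vals)]
    if _EMAIL_RE.match(dst.fragment):
        prefill.append("#fragment")
    result["prefill_params"] = prefill
    result["suspicious"] = result["cross_domain"] and (result["instant"] or bool(prefill))
    return result


# Constructed sample (not a real campaign artifact): a tracking-style link that
# answers with a Refresh header pointing at another domain, with the
# recipient's address in the query string.
SAMPLE_REQUEST_URL = "https://tracker.example/c/abc123"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Refresh: 0; url=https://login-portal.example/verify?email=alice%40corp.example\r\n"
    "\r\n"
    "<html><body>Redirecting...</body></html>"
)

if __name__ == "__main__":
    print(analyze_response(SAMPLE_REQUEST_URL, SAMPLE_RESPONSE))
```

Because the redirect happens at the header layer, a scanner that only inspects the HTML body (or only follows 3xx Location redirects) never sees the phishing page; checking the Refresh header on every fetched link closes that gap. The same-host comparison here is deliberately simple; a production check would compare registrable domains and consult the organization's URL-filtering verdict for the target.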
Targeted Industries and Global Scale
Unit 42’s research shows that these phishing campaigns have targeted various industries and sectors, with over 2,000 malicious URLs detected daily between May and July 2024. The business and economy sectors were hit the hardest, accounting for 36% of detected attacks. Financial services, government agencies, and educational institutions were also heavily targeted. The phishing emails typically originate from spoofed sender addresses, and the malicious links are embedded within the email content. Once clicked, the email recipient is redirected to a phishing page hosted on a domain that appears legitimate at first glance, making it challenging to detect the attack without cybersecurity measures in place. The phishing campaigns have also used tactics such as utilizing compromised legitimate domains or services that provide URL shortening and tracking to avoid detection. These tactics are part of the strategy to obscure the attacker’s true intent and deceive the victim into revealing their credentials.
Examples of Phishing Campaigns
An example of a phishing attack using the HTTP refresh header method was observed in July 2024. A phishing email sent to employees of a large financial institution contained a link to what appeared to be a legitimate webmail login page. Once the link was clicked, the victim was automatically redirected to a phishing page that closely mimicked the official login portal, with their email address already pre-filled in the login field. These attacks are widespread, and Unit 42 researchers observed large-scale phishing campaigns affecting corporations and government agencies across multiple countries. One campaign, which targeted users in Korea and the U.S., used emails with the subject line “Complete with DocuSign: ACH/EFT FORM.” The emails were designed to trick users into clicking links that redirected them to phishing pages, where their login credentials could be harvested.
Phishing attacks that use HTTP response headers are a modern example of how attackers can manipulate web traffic to steal information. By combining these tactics with legitimate domains to hide their malicious intent, these campaigns can deceive unsuspecting victims. Organizations in finance, government, and education should implement strong cybersecurity measures such as URL filtering to detect and block these malicious redirects. Advanced URL Filtering measures, such as those provided by Palo Alto Networks, can help detect suspicious URLs and prevent unauthorized access to information. If you believe your organization has been compromised by one of these phishing attacks, contacting an incident response team is important to lessen potential damage and prevent further incidents.
Photo credits: janews094, AdobeStock