With rapid advancements in technology, threat actor attack methodologies are now evolving at an unprecedented pace. Cybersecurity experts have recently warned of online HTTP headers phishing campaigns that are being launched to steal credentials. In this article, we’ll take a detailed look at these credential harvesting attacks and uncover tools being used. Let’s begin! 

Details Of The HTTP Headers Phishing Campaigns

As per recent media reports, these HTTP Headers phishing campaigns rely on the use of refresh entries for delivering spoofed email login pages. These login pages are designed by threat actors and facilitate the unauthorized acquisition of user credentials. 

Cyber security experts that include Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang, have provided insights pertaining to these attacks. The experts believe that: 

“Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content. Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.”

Targets Of The Credential Harvesting Attacks

These HTTP headers phishing campaigns were observed to be active in May and July 2024. Threat actors behind these attacks mainly targeted corporations in South Korea and government agencies and schools in the United States (US). A more detailed breakdown of the sectors that were targeted is given below: 

HTTP Header Phishing Attack Technique 

The attack methodology used in these HTTP headers phishing campaigns is considered to be one of the latest among many others that threat actors use. Such a technique helps them mask their intentions, thereby allowing them to trick victims for the acquisition of login credentials. 

In addition, this phishing attack technique is also inline with the trending top-level domains (TLDs) being leveraged for phishing attacks. The infection chain for these attacks starts off with delivering malicious links via header refresh URLs. It’s worth mentioning that these links contain email addresses of targeted victims. 

Threat actors send email messages that link to a compromised domain that appears to be legitimate. When the targeted victims click on the malicious link, they are redirected to a hacker-controlled page used for credential harvesting. The HTTP headers phishing campaigns threat actors also work to add layers of legitimacy to the malicious page. 

Such legitimacy is added using different methods, such as having the victim’s email address pre-filled on the page. In addition, they can also use legitimate domains that offer URL shortening or tracking techniques. Commenting on how advanced such tactics are, cybersecurity experts have stated that:  

“These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets.”

Conclusion

These HTTP headers phishing campaigns showcase the evolving tactics of cybercriminals to steal credentials. By leveraging advanced techniques like header refresh and legitimate-looking domains, attackers effectively deceive users. It’s crucial for organizations and individuals to stay vigilant and adopt robust cybersecurity measures to prevent falling victim to such threats. 

The sources for this piece include articles in The Hacker News and Unit 42.

The post HTTP Headers Phishing Campaigns Used For Credential Theft   appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/http-headers-phishing-campaigns-used-for-credential-theft/