Cybercriminals Leverage HTTP Headers in Large-Scale Phishing Campaigns for Credential Theft

Cybersecurity researchers have flagged an ongoing phishing campaign that abuses the Refresh directive in HTTP response headers to deliver fake email login pages that harvest user credentials. Traditional phishing pages redirect from within the HTML they serve (a meta refresh tag or a script); here the redirect lives in the server's response headers, so the browser navigates to the malicious page before any page body is rendered and without user interaction. The Refresh header is not defined in the HTTP RFCs, but major browsers honour it, and because the response body can be empty there is no HTML for content-based URL inspection to flag.

Between May and July 2024 the campaign targeted large corporations in South Korea, along with U.S. government agencies and schools, with over 2,000 malicious URLs linked to it. The business and economy sector was most affected, accounting for 36% of the attacks, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and technology (5.4%).

The phishing emails carry links that lead to a credential-harvesting page, often through legitimate-looking domains or URL-shortening services to appear trustworthy. Attackers pre-fill the victim's email address on the fake login page, so the recipient only has to enter a password, which raises the success rate of the credential theft.
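The detection logic below is an added example, not code from the report or from the researchers who disclosed the campaign. It parses a constructed HTTP/1.1 response, recognises a Refresh directive in the headers (and, for comparison, in a meta tag in the body), and flags the combination described above: an immediate redirect to a different host whose target URL carries an email address, or that arrives with an empty body. The hostnames, the victim address and the response text are constructed; the page does not say exactly where in the redirect URL the real campaign places the recipient's address, so carrying it in the URL fragment is an assumption.

```python
"""Flag Refresh-header redirects in raw HTTP responses.

Added detection example; not code from the original report. The responses
below are constructed, and every host and address in them is fictitious.
"""
import re
from urllib.parse import unquote, urlsplit

# Refresh directive: "<delay>" or "<delay>; url=<target>" (browsers also
# accept a comma separator and quotes around the target).
REFRESH_RE = re.compile(
    r"^\s*(?P<delay>\d+)\s*(?:[;,]\s*url\s*=\s*(?P<url>.+?)\s*)?$", re.IGNORECASE)
# Same directive carried in the HTML body; assumes http-equiv precedes content.
META_REFRESH_RE = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]([^'\"]+)",
    re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_refresh(value: str):
    """Return (delay_seconds, target_url_or_None), or None if not a refresh directive."""
    m = REFRESH_RE.match(value)
    if not m:
        return None
    url = m.group("url")
    if url is not None:
        url = url.strip("\"' ")
    return int(m.group("delay")), url


def analyze(raw: bytes, request_host: str):
    """Return one finding per refresh directive (header or <meta>) in the response."""
    _, headers, body = parse_response(raw)
    directives = [("header", v) for n, v in headers if n == "refresh"]
    directives += [("meta", v) for v in META_REFRESH_RE.findall(body.decode("utf-8", "replace"))]
    findings = []
    for source, value in directives:
        parsed = parse_refresh(value)
        if parsed is None or parsed[1] is None:
            continue  # plain periodic reload of the same page, not a redirect
        delay, url = parsed
        dest_host = (urlsplit(url).hostname or "").lower()
        cross_host = bool(dest_host) and dest_host != request_host.lower()
        email = EMAIL_RE.search(unquote(url))  # assumed: address carried in the URL
        finding = {
            "source": source,
            "delay": delay,
            "url": url,
            "cross_host": cross_host,
            "prefilled_email": email.group(0) if email else None,
            "empty_body": len(body.strip()) == 0,
        }
        # Immediate, cross-host redirect that carries a recipient address or
        # arrives with no real page body: the pattern described in the report.
        finding["suspicious"] = cross_host and delay <= 1 and (
            finding["prefilled_email"] is not None or finding["empty_body"])
        findings.append(finding)
    return findings


# Constructed samples (fictitious hosts and address), not captured traffic.
MALICIOUS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 0; url=https://login-verify.example.net/owa/?#victim@corp.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 5; url=/maintenance\r\n"
    b"\r\n"
    b"<html><body>Back in five seconds.</body></html>"
)

if __name__ == "__main__":
    for f in analyze(MALICIOUS, "files.example.org") + analyze(BENIGN, "files.example.org"):
        print(f)
```

Run against a proxy or sandbox capture, the same check applies to any response, not only those with a 3xx status: the campaign's responses are 200 OK with an empty body, which is exactly why a rule keyed on Location headers or on page content misses them. The same-host relative redirect in the benign sample is left unflagged, so ordinary maintenance pages do not generate alerts.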

This campaign adds to a rising trend of sophisticated, financially motivated cybercrime, including Business Email Compromise (BEC), which has caused $55.49 billion in reported global losses since 2013. In parallel, deepfake scams and CAPTCHA-bypassing services are becoming more prevalent: Greasy Opal, a Czech-based group operational since 2009, sells credential-stuffing, bulk fake-account-creation and CAPTCHA-solving tools to other criminals and earned $1.7 million in 2023 alone.

These evolving tactics underscore the growing sophistication of cybercrime. Organizations should treat header-level redirects, not just page content, as part of their phishing defenses, and keep user awareness and credential protections (such as phishing-resistant multi-factor authentication) current against these and related threats.
