September 16, 2024
Severity
High
Analysis Summary
Cybersecurity experts have issued a warning over persistent phishing campaigns that exploit HTTP header refresh entries to provide counterfeit email login pages intended to collect user credentials.
Unlike phishing pages that redirect from within the HTML content, these attacks rely on a response header sent by the server, which the browser acts on before the HTML body is processed. When a user clicks the malicious link, the Refresh header instructs the browser to automatically refresh and load a different page. Large South Korean corporations, government organizations, and American schools are among the targets of the extensive activity, which was observed between May and July 2024. Up to 2,000 malicious URLs have been linked to the campaigns.
The business and economy sector accounted for almost 36% of the attacks, followed by financial services (12.9%), government (6.9%), health and medical (5.7%), and computers and the internet (5.4%). Using popular top-level domains (TLDs) and look-alike domain names to spread phishing and redirection attacks is just one of the many strategies threat actors have used to hide their true intentions and fool email recipients into divulging sensitive information.
A defining feature of the infection chains is the distribution of malicious links through header refresh URLs that contain the email addresses of the targeted recipients. The Refresh response header carries the URL to which the browser is redirected. The email message that starts the infection chain contains a link that appears to come from a trusted or compromised domain. Clicking the link sends the user to the actor-controlled credential harvesting page.
Attackers have also been seen abusing legitimate sites that provide URL shortening, tracking, and campaign marketing services. The malicious webmail login pages appear legitimate because the recipients' email addresses are pre-filled. The researchers said that attackers can easily hide their true intentions and raise the likelihood of successful credential theft by meticulously replicating reputable domains and rerouting victims through official sites. These methods demonstrate the sophisticated approaches attackers employ to evade detection and take advantage of unsuspecting victims.
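The following detection logic, added here as an example and not part of the original advisory, scores an HTTP response for the traits described above: a server-side Refresh header with a zero delay, a redirect to a host other than the one requested, and a recipient email address embedded in the target URL. The header value format (`seconds; url=...`), the request host and the sample headers are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Refresh header value: "<seconds>; url=<URL>" (the "url=" keyword is
# case-insensitive and the URL may be quoted). A bare "<seconds>" has no target.
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_refresh(value):
    """Return (delay_seconds, target_url), or None if the header carries no URL."""
    m = REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def analyse_response(request_host, headers):
    """Inspect one response's headers (a dict) and return a list of findings.

    An empty list means nothing about the Refresh header looked suspicious.
    Only the server-sent header is checked; <meta http-equiv="refresh"> tags
    in the HTML body are out of scope here.
    """
    findings = []
    refresh = headers.get("Refresh")
    if refresh is None:
        return findings
    parsed = parse_refresh(refresh)
    if parsed is None:
        return findings
    delay, target = parsed
    target_host = (urlsplit(target).hostname or "").lower()
    if delay == 0:
        findings.append("immediate refresh (delay 0)")
    # A relative target has no hostname and stays on the requested site.
    if target_host and target_host != request_host.lower():
        findings.append(f"cross-domain redirect to {target_host}")
    # Decode %40 etc. before looking for a pre-filled recipient address.
    if EMAIL_RE.search(unquote(target)):
        findings.append("email address embedded in refresh target")
    return findings


if __name__ == "__main__":
    # Constructed sample: a tracking-style link whose response bounces the
    # victim to another domain with their address carried in the query string.
    sample = {"Refresh": "0; url=https://login.example.invalid/owa?e=victim%40corp.example"}
    for finding in analyse_response("tracker.example", sample):
        print("FINDING:", finding)
```

Feed it the response headers recorded by a proxy or mail-sandbox for each clicked link; any hit on all three findings is a strong match for this campaign pattern.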
Business email compromise (BEC) and phishing remain popular avenues for attackers seeking to steal data and launch financially motivated assaults. According to the U.S. Federal Bureau of Investigation (FBI), between October 2013 and December 2023, BEC attacks are estimated to have cost U.S. and foreign organizations $55.49 billion. During the same period, over 305,000 scam instances were reported.
Impact
- Credential Theft
- Sensitive Data Theft
- Identity Theft
- Financial Loss
Indicators of Compromise
URL
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to allow only approved software to run on systems, reducing the risk of executing unauthorized applications.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.