Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Phishing Pages Delivered Through Refresh HTTP Response Header

Sept. 18, 2024, 9 a.m.

Description

Unit 42 researchers observed large-scale phishing campaigns in 2024 using a refresh entry in the HTTP response header. This technique, unlike traditional HTML-based phishing, occurs before HTML content processing and automatically refreshes webpages without user interaction. Attackers distribute malicious URLs via emails, targeting global financial sector, internet portals, and government domains. The attacks use personalized approaches, embedding recipients' email addresses and displaying spoofed webmail login pages. From May to July, around 2,000 malicious URLs were detected daily. The campaigns predominantly targeted the business-and-economy sector, financial services, and government institutions. This sophisticated method makes it difficult to identify malicious indicators within URL strings and increases the likelihood of successful credential theft.

Date

Published: Sept. 18, 2024, 8:35 a.m.

Created: Sept. 18, 2024, 8:35 a.m.

Modified: Sept. 18, 2024, 9 a.m.

Indicators

195.19.93.5

2127394249@businessimageprint.com

hk6.8ik8rq.ru

speedpython.com

sirius-maritime.com

guide-orientation.tn

dominicanmidia.com

Attack Patterns

T1193

T1192

T1098

T1204

T1566

T1078

Additional Informations

Technology

Education

Finance

Government

Korea, Democratic People's Republic of

Korea, Republic of

United States of America