Phishing Pages Delivered Through Refresh HTTP Response Header
Sept. 18, 2024, 9 a.m.
Description
Unit 42 researchers observed large-scale phishing campaigns in 2024 that use a refresh entry in the HTTP response header. Unlike traditional HTML-based phishing, this technique takes effect before the HTML content is processed and automatically refreshes the webpage without user interaction. Attackers distribute the malicious URLs via email, targeting the global financial sector, internet portals, and government domains. The attacks are personalized: they embed the recipient's email address and display spoofed webmail login pages. From May to July, around 2,000 malicious URLs were detected daily. The campaigns predominantly targeted the business-and-economy sector, financial services, and government institutions. This sophisticated method makes it difficult to identify malicious indicators within URL strings and increases the likelihood of successful credential theft.
Date
Published: Sept. 18, 2024, 8:35 a.m.
Created: Sept. 18, 2024, 8:35 a.m.
Modified: Sept. 18, 2024, 9 a.m.
Indicators
Attack Patterns
T1193
T1192
T1098
T1204
T1566
T1078
Additional Information
Technology
Education
Finance
Government
Korea, Democratic People's Republic of
Korea, Republic of
United States of America