Palo Alto's Unit 42 threat intel team wants to draw the security industry's attention to an increasingly common tactic used by phishers to harvest victims' credentials.

The infocseccers say they'd spotted miscreants abusing refresh entries in HTTP headers to the tune of circa 2,000 large-scale phishing campaigns between May and July this year, although the practice has been observed throughout the year.

Embedding malicious URLs in a web page's response header, in this case, means visitors to the web pages are automatically redirected to malicious ones. Once this is accomplished, attackers will typically spoof the login pages of well-known vendors to steal the user's passwords.

The attack starts out like any other phishing-based incident. An email is sent to a target containing a link that typically mimics a legitimate or compromised domain, making the job of spotting one more difficult.

Should a user click that link (failure number one), they'll be directed to one page which the attacker has already instructed to redirect to another after a period of, say, a few seconds - although it could be done immediately too.

Because the refresh field was populated with the code that redirects visitors to alternative URLs, this process is not only executed automatically against the user's will, but also before the initial web page is even loaded, since the response header is handled before HTML content loads.

"The original and landing URLs are often found under legitimate or compromised domains and hosts, a technique that's often effective in concealing malicious URL strings," said Unit 42's Yu Zhang, Zeyu You, and Wei Wang in a statement.

"Additionally, attackers frequently use legitimate domains that offer URL shortening, tracking, or campaign marketing services."

By adding deep linking into the fray, the criminals allow the malicious form to partially pre-load with the user's details, and taken together, these tactics tee up an attack for greater success, the researchers believe.

Of course, this needs to be packaged up into a convincing initial email, which - if one examines some of the examples Unit 42 used in their writeups - aren't too common here. You'd expect an organization's email provider to push emails with three successive exclamation marks straight into the spam folder, for example. Yet apparently that's not always the case!!!

(Some of the other examples Unit 42 used in its report appeared to be more professionally composed.)

Organizations in the business and economy sector are most likely to be targeted, with 36.2 percent of all attempts focusing on this corner of industry, according to the report. 

Unit 42's catch-all "Other Industries" category came in second with 32.9 percent of these attempts and financial services was next with a 12.9 percent share of the attacks. Government, healthcare, and tech came in behind them, each with small shares.

"In our research, we found no legitimate websites exhibiting this behavior," the report says. "Although the refresh header can be useful in specific situations like dynamically updating websites, we more commonly see other methods such as JavaScript-based techniques or server-side push technologies like WebSockets.

"Ultimately, organizations should be more aware of the potential for malicious use of HTTP refresh headers."

According to the FBI's Internet Crime Complaint Center's (IC3) most recent annual report [PDF], phishing remains the most common form of cybercrime by a huge distance, despite some slight, consistent decline since 2021 with roughly 300,000 cases reported last year. That's just in the US and only the ones people spotted and bothered to report.

Phishing is often used in business email compromise (BEC) schemes, which according to that same FBI report led to annual losses exceeding $2.9 billion in 2023.

With money like that on the line and the clear potential for success criminals have with phishing, it's no wonder they'll adopt increasingly sophisticated tricks to keep deceiving end users. ®

https://www.theregister.com//2024/09/12/http_headers/