A sophisticated phishing campaign is currently targeting organisations in South Korea and the United States, exploiting a clever technique to steal user credentials. This attack poses a significant risk to businesses, particularly those in the finance, government, and healthcare sectors.
What Business Owners Need to Know
The attackers are using a method called “HTTP header refresh abuse” to redirect users to fake login pages. This technique is particularly dangerous because:
- The redirect is carried in the server’s HTTP response header, so security tools that only inspect the HTML body or the link in the email can miss it
- The redirect is immediate and invisible to the user, who only ever sees the final login page
- It targets high-value sectors such as business, finance, and government
“Unlike other phishing webpage distribution behaviour through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content,” explain researchers from Palo Alto Networks Unit 42.
Industries at Risk
| Sector | Percentage of Attacks |
|---|---|
| Business and Economy | 36% |
| Financial Services | 12.9% |
| Government Agencies | 6.9% |
| Healthcare | 5.7% |
| Technology Companies | 5.4% |
Protecting Your Business
To safeguard your organisation against this and similar threats:
- Implement Strong Email Filtering:
  - Use advanced email security solutions to detect and block phishing attempts.
  - Consider implementing DMARC, SPF, and DKIM protocols to verify email authenticity.
  - Regularly update and maintain your email filtering rules to adapt to new threats.
- Educate Employees:
  - Conduct regular cybersecurity awareness training sessions.
  - Teach staff to recognise phishing tactics and verify suspicious links.
  - Implement a clear process for reporting suspected phishing attempts.
  - Consider running simulated phishing campaigns to test and reinforce training.
- Use Multi-Factor Authentication (MFA):
  - Implement MFA across all business applications, especially email and financial systems.
  - Prefer hardware security keys or authenticator apps over SMS-based MFA. Bear in mind that a convincing fake login page can also ask for a one-time code and relay it to the real service, so phishing-resistant methods such as FIDO2/WebAuthn security keys, which only work on the genuine site, offer the strongest protection against credential phishing.
  - Regularly review and update MFA policies to ensure they align with current best practices.
- Keep Systems Updated:
  - Establish a robust patch management process for all software and systems.
  - Prioritise updates for internet-facing systems and those handling sensitive data.
  - Consider using automated patch management tools to ensure timely updates.
- Monitor for Suspicious Activity:
  - Implement a Security Information and Event Management (SIEM) system.
  - Set up alerts for unusual login attempts, data access patterns, or network activity.
  - Regularly review and analyse logs from critical systems.
  - Consider engaging a managed security service provider for 24/7 monitoring.
- Implement Network Segmentation:
  - Separate critical systems and data from the general network.
  - Use firewalls and access controls to limit lateral movement within the network.
- Develop an Incident Response Plan:
  - Create and regularly test a comprehensive plan for responding to security incidents.
  - Ensure all key stakeholders understand their roles in the event of a breach.
How the Attack Works
Malicious Email:
Users receive an email with a seemingly legitimate link. These emails often mimic trusted sources such as corporate communications, financial institutions, or popular services.
Hidden Redirect:
When a user clicks the link, it triggers a hidden redirect using HTTP headers. This redirect is not visible to the user and happens before any page content is loaded.
Abuse of HTTP Headers:
The attack abuses the ‘Refresh’ HTTP response header, or the equivalent `<meta http-equiv="refresh">` tag in the HTML. For example (the victim’s address is shown here as a placeholder):

```http
Refresh: 0;url=https://malicious-site.com/<victim-email>
```

The `0` tells the browser to navigate immediately, so the user is sent straight to the phishing site, often with their email address carried in the URL so that the fake login page can be pre-filled with it.
Fake Login Page:
Users are taken to a convincing fake login page. These pages are often exact replicas of legitimate login pages, complete with logos, colour schemes, and layout.
Pre-filled Information:
To increase credibility, the fake login page often pre-fills the user’s email address taken from the URL, so the page looks like a routine re-authentication prompt for a service the user already uses rather than a first-time login.
Credential Theft:
If users enter their credentials, the attackers capture this information. They may then use these stolen credentials to access the real accounts or sell them on the dark web.
Post-Theft Redirection:
After stealing the credentials, the attack may redirect users to the legitimate site to avoid raising suspicion.
The Broader Threat Landscape
This campaign is part of a larger trend in cybercrime. The FBI reports that Business Email Compromise (BEC) attacks have cost organisations an estimated $55.49 billion between 2013 and 2023.
Additionally, cybercriminals are increasingly using advanced techniques like deepfake videos to promote fraudulent investment schemes, highlighting the need for constant vigilance and employee education.
Technical Details for IT Teams
For those managing IT security, here’s a brief overview of the technical aspects:
```http
Refresh: 0;url=https://malicious-site.com/<victim-email>
```

This HTTP response header forces an immediate redirect to the phishing site, often carrying the victim’s email address in the URL (shown above as a placeholder) so that the fake login page can be pre-filled and look more convincing.
“Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.”
IT teams should be on the lookout for unexpected redirects, especially those delivered through a `Refresh` response header or a meta refresh tag. Because the redirect is served by attacker-controlled infrastructure, a Content Security Policy on your own sites will not stop it; the useful control points are the secure web gateway or proxy, where `Refresh` headers that send users to a different domain (particularly with an email address in the URL) can be logged and blocked, together with regular auditing of outbound web traffic for anomalous redirects.
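As an added example (not code from the original article or from Unit 42’s research), the script below reconstructs the response described under “How the Attack Works” as constructed sample data and implements the check this section asks IT teams for: it reads captured HTTP responses, extracts automatic redirects from both the `Refresh` header and any `<meta http-equiv="refresh">` tag, and flags those that jump to a different host with an email address embedded in the target URL. All domains and the victim address are placeholders, and the policy in `is_suspicious` is this example’s own choice, not the researchers’.

```python
"""Detect Refresh-header and meta-refresh redirects in captured HTTP responses.

Added example, not part of the original article or of Unit 42's research.
Assumes responses were captured by a proxy or link scanner as raw bytes;
the sample responses and domains below are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote, urlparse

# Simple e-mail pattern, enough to spot a victim address embedded in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Finding:
    source: str                  # "header" or "meta"
    delay: int                   # seconds before the browser navigates
    target: str                  # URL the browser will load
    cross_origin: bool           # target host differs from the host that served the page
    embedded_email: Optional[str]


def parse_refresh_value(value: str) -> Optional[tuple[int, str]]:
    """Parse 'N;url=...' the way browsers tolerate it: ';' or ',' separator,
    optional 'url=' in any case, optional quotes around the URL."""
    m = re.match(r"\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)['\"]?\s*$", value, re.I)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


class _MetaRefreshParser(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="refresh"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.contents: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh" and "content" in a:
            self.contents.append(a["content"])


def split_response(raw: bytes) -> tuple[dict[str, str], str]:
    """Split a raw HTTP/1.x response into lowercase-keyed headers and a text body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    headers: dict[str, str] = {}
    for line in lines:
        name, _, val = line.partition(":")          # only the first ':' separates name/value
        headers[name.strip().lower()] = val.strip()
    return headers, body.decode("utf-8", errors="replace")


def analyze_response(origin_url: str, raw: bytes) -> list[Finding]:
    """Return every automatic redirect the response would trigger, header first.
    origin_url is the URL the browser requested (the link from the e-mail)."""
    origin_host = urlparse(origin_url).hostname
    headers, body = split_response(raw)
    candidates: list[tuple[str, str]] = []
    if "refresh" in headers:                        # header wins: processed before the HTML
        candidates.append(("header", headers["refresh"]))
    parser = _MetaRefreshParser()
    parser.feed(body)
    candidates += [("meta", c) for c in parser.contents]

    findings: list[Finding] = []
    for source, value in candidates:
        parsed = parse_refresh_value(value)
        if parsed is None:
            continue
        delay, target = parsed
        target_host = urlparse(target).hostname or origin_host   # relative URL stays on-origin
        m = EMAIL_RE.search(unquote(target))        # decode %40 etc. before matching
        findings.append(Finding(source, delay, target,
                                cross_origin=target_host != origin_host,
                                embedded_email=m.group(0) if m else None))
    return findings


def is_suspicious(f: Finding) -> bool:
    """Policy chosen for this example: instant, cross-origin redirect carrying an e-mail."""
    return f.cross_origin and f.delay == 0 and f.embedded_email is not None


# Constructed samples with placeholder domains (not real campaign infrastructure).
LINK_URL = "https://redirector.example.net/track?id=123"

MALICIOUS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 0;url=https://login-portal.example.org/#victim%40corp.example.com\r\n"
    b"\r\n"
    b"<html><body>Loading...</body></html>"
)

BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="refresh" content="5; URL=/status"></head></html>'
)

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        for f in analyze_response(LINK_URL, raw):
            print(label, f, "SUSPICIOUS" if is_suspicious(f) else "ok")
```

Run against proxy captures, `analyze_response` gives one `Finding` per redirect the browser would follow; the header is listed first because, as the researchers note, it is processed before any HTML. The `BENIGN` sample shows why a plain “any meta refresh” rule is too noisy: a delayed, same-origin refresh to a status page is ordinary web behaviour, whereas a zero-second jump to another host with an address in the URL is the pattern described in this article.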
Conclusion
This phishing campaign represents a significant threat to businesses and organisations. By understanding the tactics used and implementing strong security measures, companies can better protect themselves against these sophisticated attacks.
Constant vigilance, employee education, and up-to-date security systems are key to maintaining your organisation’s digital safety. Remember, cybersecurity is an ongoing process, not a one-time implementation. Regular reviews and updates of your security posture are essential in the face of evolving threats.