Phishing Pages Delivered via HTTP Refresh Header

Unit 42 highlights a surge in 2024 phishing campaigns that rely on the HTTP response header Refresh to automatically redirect victims, often using personalized details and spoofed login pages. These campaigns target financial services, government, and education sectors, with defenses like Palo Alto Networks’ Advanced URL Filtering helping to detect and mitigate the threat.

Keypoints

  • In 2024, large-scale phishing campaigns averaged about 2,000 malicious URLs per day (May–July findings).
  • Phishing relies on HTTP response header refresh to auto-redirect victims without user interaction.
  • Emails spoof legitimate webmail login pages and embed recipients’ email addresses to personalize attacks.
  • Target sectors include financial services, government, and educational institutions.
  • Attackers use legitimate or compromised domains to conceal malicious URLs, including URL shortening and deep linking.
  • Palo Alto Networks’ Advanced URL Filtering aids in identifying and mitigating these phishing threats.
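The auto-redirect described in the key points happens because a server can send a `Refresh` response header (for example `Refresh: 0; url=https://...`) that browsers honor before rendering any page, so the victim never clicks anything. The following is an added detection example written for this summary; it is not Unit 42 or Palo Alto Networks code. It parses raw HTTP responses, extracts the `Refresh` header, and flags responses whose redirect target is on a different host, fires with zero delay, or carries an email address in the URL (the personalization noted above). All hostnames and responses below are constructed sample data, not observed indicators.

```python
"""Flag HTTP responses that use the Refresh header to auto-redirect.

Added example for the summary above; not code from Unit 42 or the
campaigns it describes. All sample responses and hostnames are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Loose email pattern: enough to spot a recipient address embedded in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_headers(raw: str) -> dict:
    """Return a lowercase-keyed dict of headers from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_refresh(value: str):
    """Split 'Refresh: 0; url=...' into (delay_seconds, url); None if no url part."""
    m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", value, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


def analyze_response(request_host: str, raw: str) -> dict:
    """Describe how a single response uses Refresh, for later scoring."""
    result = {"refresh": False, "cross_domain": False, "zero_delay": False,
              "email_in_url": False, "target": None}
    headers = parse_headers(raw)
    if "refresh" not in headers:
        return result
    parsed = parse_refresh(headers["refresh"])
    if parsed is None:
        return result
    delay, url = parsed
    # A relative url= stays on the requested host; an absolute one may not.
    target_host = urlsplit(url).hostname or request_host
    result.update(
        refresh=True,
        target=url,
        cross_domain=target_host.lower() != request_host.lower(),
        zero_delay=(delay == 0),
        email_in_url=bool(EMAIL_RE.search(unquote(url))),
    )
    return result


def is_suspicious(result: dict) -> bool:
    """Cross-domain Refresh that is instant or carries an address is worth a look."""
    return (result["refresh"] and result["cross_domain"]
            and (result["zero_delay"] or result["email_in_url"]))


# Constructed sample responses (hostnames are placeholders, not real indicators).
SUSPICIOUS_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Refresh: 0; url=https://login.example.net/webmail/#victim@example.org",
    "",
    "<html></html>",
])

BENIGN_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Refresh: 5; url=/news/",
    "",
    "<html>Redirecting to the news page...</html>",
])

if __name__ == "__main__":
    for host, raw in (("links.example.com", SUSPICIOUS_RESPONSE),
                      ("www.example.com", BENIGN_RESPONSE)):
        r = analyze_response(host, raw)
        print(host, "->", r["target"], "suspicious" if is_suspicious(r) else "ok")
```

In practice the same logic runs over proxy or web-gateway logs that record response headers; a cross-domain `Refresh` with zero delay from a link-tracking or shortener host, especially one whose target URL embeds the recipient's address, is the pattern the key points describe.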

MITRE Techniques

  • [T1566.002] Spearphishing Link – Attackers send emails with malicious URLs that redirect users to phishing pages.
  • [T1003] Credential Dumping – Phishing pages mimic legitimate login forms to capture user credentials.
  • [T1203] Exploitation of Vulnerability – Using HTTP response header refresh to exploit browser behavior for phishing.

Indicators of Compromise

  • [Domain] Phishing-related domains observed in campaigns – impactchd.in, hk6.8ik8rq.ru, dominicanmidia.com, sirius-maritime.com
  • [IP] 195.19.93.5 – source IP used in a campaign with spoofed sender addresses
  • [URL] Original and final redirect URLs – hxxp[:]//impactchd[.]in/content/bing/ghjkj/1kdeyl61ahaub/, hxxps[:]//hk6.8ik8rq[.]ru/hk6/#

Read more: https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refresh/