
Cybercriminals Exploit HTTP Headers To Execute Stealthy Phishing Attacks

Cybercriminals have developed a clever new phishing technique that uses the “Refresh” header in HTTP responses to redirect unaware victims to malicious sites. Security experts at Unit 42, a division of Palo Alto Networks, have revealed this sophisticated attack method.

Researchers from Unit 42 discovered numerous significant phishing attacks in 2024 that exploited an HTTP response header refresh entry. Approximately 2,000 malicious URLs connected to these attempts were identified daily between May and July.

Phishing attackers often conceal their true objectives and deceive their victims by using easily accessible tools and strategies. In addition to carefully crafting email subjects intended to mislead recipients, the observed campaigns employed header refresh strategies that included phishing URLs.

According to Yu Zhang, Zeyu You, and Wei Wang, researchers at Palo Alto Networks Unit 42:

Unlike other phishing webpage distribution behaviour through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content. Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.

Spam links can steer the browser by embedding the user’s email address in the URL carried in the HTTP response’s Refresh header. Attackers can steal credentials covertly by impersonating trustworthy websites and rerouting victims. These techniques highlight the complexity of current cyberattacks.

Stealthy Credential Theft via Modifying HTTP Response Headers (Palo Alto Networks)

Cybercriminals frequently disguise harmful URLs under reputable or compromised domains and servers. This approach is effective for obscuring malicious strings in the URL. Additionally, cybercriminals exploit legitimate services like monitoring, campaign marketing, and URL shortening.

Another popular technique is deep linking, in which attackers generate content that looks customised for the target on the spot. By inserting parameters in the URL, fraudsters can pre-fill form fields, making the phishing attempt more convincing.

This strategy needs minimal effort while effectively hiding the risky components, raising the chance of misleading the target.

How Email Login Spoofs Affect Header Phishing Techniques

Attackers often use malicious URLs to deceive targets and obtain login credentials. These URLs typically lead to a fake email login page that is pre-configured with the victim’s sensitive information, including their email address.

Attackers send the malicious links using HTTP header refresh URLs that incorporate the recipient’s email address. When the victim clicks on the link, the final website opens automatically, displaying malicious content consistent with the email domain.
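The mechanism described above can be checked for on the defender’s side: a proxy or mail-link scanner that inspects HTTP responses can flag a Refresh header that sends the browser to another origin, and flag it again when the redirect target carries an embedded email address. The following is an added example, not code from Unit 42 or from this article; the sample responses and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample responses: a benign timed reload, and a cross-origin
# Refresh redirect whose target URL carries an embedded (URL-encoded) email.
SAMPLE_RESPONSES = {
    "https://intranet.example.com/status": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Refresh: 30\r\n\r\n"
    ),
    "https://cdn.example.net/track/abc123": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Refresh: 0; url=https://login.example-lure.test/auth?user=alice%40example.com\r\n\r\n"
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_refresh(value):
    """Split a Refresh header value into (delay_seconds_or_None, url_or_None)."""
    parts = value.split(";", 1)
    delay = int(parts[0].strip()) if parts[0].strip().isdigit() else None
    url = None
    if len(parts) == 2:
        rest = parts[1].strip()
        m = re.match(r"(?i)url\s*=\s*(.*)", rest)   # "url=" prefix is optional in practice
        url = (m.group(1) if m else rest).strip().strip("'\"")
    return delay, url

def analyse_response(request_url, raw_response):
    """Return a list of findings for the Refresh header of one HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "refresh":
            continue
        delay, url = parse_refresh(value.strip())
        if url is None:
            continue                               # plain reload of the same page
        src, dst = urlsplit(request_url), urlsplit(url)
        if dst.netloc and dst.netloc.lower() != src.netloc.lower():
            findings.append(f"cross-origin Refresh redirect to {dst.netloc} after {delay}s")
        # Decode the query/fragment so a percent-encoded '@' is caught too.
        for addr in EMAIL_RE.findall(unquote(dst.query + " " + dst.fragment)):
            findings.append(f"email address embedded in redirect target: {addr}")
    return findings
```

Run `analyse_response(url, raw)` over each `SAMPLE_RESPONSES` item: the benign reload yields no findings, the redirect yields two.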

Fake HTTP Header URL for a Phishing Microsoft Login Page (Palo Alto Networks)

Phishing and business email compromise (BEC) remain a serious risk, as attackers continue to use them to steal confidential data or carry out financially motivated schemes.

The U.S. Federal Bureau of Investigation (FBI) reports that between October 2013 and December 2023, BEC attacks cost organisations in the U.S. and throughout the world an estimated $55.49 billion. During that time, over 305,000 incidents were recorded.

A stealthy threat actor, posing as a legitimate company was identified supplying automated CAPTCHA-solving services to cybercriminals, allowing them to target IT networks. Founded in 2009, this cybercrime company, dubbed “Greasy Opal” by Arkose Labs, operates out of the Czech Republic.

It offers a toolkit for social media spam, browser automation, bulk creation of bogus accounts, and credential stuffing. These services cost $190 upfront, with an optional monthly membership of $10.

Hackers can exploit minor details, such as the Refresh header, to attack your business. Recognising these vulnerabilities is essential for securing your company. Understanding how cybercriminals can take advantage of small details like the Refresh header will better position you to protect your organisation.

It is important to assess security procedures on a regular basis, train your employees, and remain cautious. Effective cybersecurity requires not only robust tools but also a daily commitment to awareness and safe practices. To help your staff identify suspicious emails and links before clicking, organise frequent phishing simulations and offer continuing training.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.
