Threat actors have exploited HTTP header refresh entries to deploy fraudulent credential harvesting email login pages as part of far-reaching phishing campaigns between May and July, which primarily targeted the business and economy sector, The Hacker News reports.
U.S. government agencies and schools, as well as major South Korean corporations, have also been subjected to the intrusions, which began with the distribution of header refresh URLs containing the recipients' email addresses and redirecting to the credential-harvesting webpage, an analysis from Palo Alto Networks Unit 42 revealed.
Aside from pre-filling recipients' email addresses on the fake login page, attackers have also sought to lend the operation legitimacy by using domains that support URL tracking, shortening, and campaign marketing.
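The mechanism described above, a `Refresh` response header that bounces the browser to another host with the recipient's email address embedded in the target URL, can be checked for directly in captured HTTP responses. The following is an added detection example written for this article; it is not code from Unit 42, The Hacker News, or any vendor. All hostnames and response samples are constructed for illustration, and the only thing it flags is the combination the article describes: an off-host redirect whose URL carries an email address.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample responses keyed by the host that served them (not from
# any real incident). Only the first shows the pattern under discussion: an
# immediate Refresh to a different host with an email address in the URL.
SAMPLE_RESPONSES = {
    "tracking.example-marketing.test": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Refresh: 0; url=https://login.example-phish.test/?user=alice%40example.test\r\n"
        "\r\n"
    ),
    # Same-host refresh, no email: a normal status page that reloads itself.
    "intranet.example.test": (
        "HTTP/1.1 200 OK\r\n"
        "Refresh: 5; url=/status\r\n"
        "\r\n"
    ),
    # Off-host refresh without any email address: not the pattern in question.
    "portal.example.test": (
        "HTTP/1.1 200 OK\r\n"
        "Refresh: 0; URL='https://www.example.test/home'\r\n"
        "\r\n"
    ),
}

# Loose email matcher; enough to spot an address smuggled into a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REFRESH_URL_RE = re.compile(r"\s*url\s*=\s*['\"]?([^'\"]+)['\"]?\s*$", re.IGNORECASE)


def parse_refresh(value):
    """Parse a Refresh header value ('N' or 'N; url=...') into (delay, url).

    Returns None when the delay is not an integer; url is None when absent.
    """
    parts = value.split(";", 1)
    try:
        delay = int(parts[0].strip())
    except ValueError:
        return None
    url = None
    if len(parts) == 2:
        match = REFRESH_URL_RE.match(parts[1])
        if match:
            url = match.group(1).strip()
    return delay, url


def headers_of(raw_response):
    """Return [(lowercased name, value), ...] from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def analyze(serving_host, raw_response):
    """Flag Refresh headers that redirect off-host with an email in the URL.

    The whole URL is percent-decoded before scanning, so an address placed in
    the query string, path, or fragment is caught the same way.
    """
    findings = []
    for name, value in headers_of(raw_response):
        if name != "refresh":
            continue
        parsed = parse_refresh(value)
        if parsed is None or parsed[1] is None:
            continue
        delay, url = parsed
        target = urlsplit(url)
        external = bool(target.netloc) and target.netloc.lower() != serving_host.lower()
        emails = EMAIL_RE.findall(unquote(url))
        if external and emails:
            findings.append({
                "serving_host": serving_host,
                "target_host": target.netloc.lower(),
                "delay": delay,
                "emails": emails,
            })
    return findings


def scan(samples=SAMPLE_RESPONSES):
    """Run analyze() over every sample; returns {host: findings} for hits only."""
    return {host: hits for host, raw in samples.items() if (hits := analyze(host, raw))}


if __name__ == "__main__":
    for host, hits in scan().items():
        for hit in hits:
            print(f"{host}: refresh after {hit['delay']}s to {hit['target_host']} "
                  f"carrying {', '.join(hit['emails'])}")
```

In a real deployment the `serving_host` would come from the proxy or WAF log alongside the response, and the finding would be enriched with whether the target host is a known shortener or tracking domain, since the article notes those are used to make the redirect chain look legitimate.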
"By carefully mimicking legitimate domains and redirecting victims to official sites, attackers can effectively mask their true objectives and increase the likelihood of successful credential theft. These tactics highlight the sophisticated strategies attackers use to avoid detection and exploit unsuspecting targets," said researchers.