Recent Phishing Campaigns Using HTTP Refresh Headers

    Date: 07/16/2024

    Severity: High

    Summary

    URLs in phishing campaigns sometimes return an HTTP Refresh header that redirects the browser to the phishing page. This tactic is often used to support the initial links in phishing emails by bypassing filters designed to detect malicious content. These infection chains have a brief lifespan because, typically, at least one link in the sequence is quickly blocked or taken offline, which breaks the whole chain.
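The following Python routine is an added example, not part of the original advisory or of Gurucul's or Unit 42's tooling: it parses Refresh header values and walks a refresh chain to its landing page so an analyst can see where a redirector actually ends up and which hops change host. The hostnames and responses in it are constructed, not the campaign's indicators.

```python
import re
from urllib.parse import urljoin, urlparse

# "Refresh" header (or <meta http-equiv="refresh">) value: "<seconds>; url=<target>".
# The url= keyword is case-insensitive and the target may be quoted or relative.
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?\s*$", re.IGNORECASE)


def parse_refresh(value):
    """Return (delay_seconds, target_or_None) for a Refresh value, or None if malformed."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    target = (m.group(2) or "").strip()
    return int(m.group(1)), (target or None)


def resolve_refresh_chain(fetch, start_url, max_hops=5):
    """Follow Refresh hops from start_url; fetch(url) returns lower-cased response headers
    as a dict, or None if the URL is unreachable. Returns (hops, final_url, reason)."""
    hops, url = [start_url], start_url
    for _ in range(max_hops):
        headers = fetch(url)
        if headers is None:
            return hops, url, "unreachable"      # link already blocked or taken down
        parsed = parse_refresh(headers.get("refresh", ""))
        if not parsed or not parsed[1]:
            return hops, url, "landed"           # no further refresh: landing page
        url = urljoin(url, parsed[1])            # resolve relative targets
        if url in hops:
            return hops, url, "loop"
        hops.append(url)
    return hops, url, "max_hops"


def cross_domain_hops(hops):
    """Consecutive hops whose hostnames differ: the redirector-to-landing-site pattern."""
    hosts = [urlparse(u).hostname for u in hops]
    return [(a, b) for a, b in zip(hosts, hosts[1:]) if a != b]


# Constructed sample responses (hypothetical hosts, not the advisory's IOCs):
# a redirector page, a second refresh hop on the landing host, then the landing page.
START_URL = "https://redirector.example/go.php?href=https://host2.example/top/"
SAMPLE_RESPONSES = {
    START_URL: {"refresh": "0; url=https://host2.example/top/"},
    "https://host2.example/top/": {"refresh": "0;URL='/final/index.html'"},
    "https://host2.example/final/index.html": {"content-type": "text/html"},
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url)
```

To use it against live URLs, replace `sample_fetch` with a fetcher that performs the request from an isolated analysis host and returns the response headers with lower-cased keys.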

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname IN ("guide-orientation.tn", "4cut.pl", "cf-ipfs.com", "atmmahmud.com", "ipfs.io", "vf.qen12.za.com", "fe.xrqo8.ru.com", "mldproltd.com")
    or url IN ("https://guide-orientation.tn/go_page.php?href=https://4cut.pl//fancybox/top/", "https://4cut.pl//fancybox/top/", "https://cf-ipfs.com/ipfs/bafkreicbn4xgfxajydu6jbz2b5b5mijjnfskkns7uufaat5fao3tjddadi", "https://guide-orientation.tn/go_page.php?href=https://atmmahmud.com/kgh/", "https://atmmahmud.com/kgh/", "https://cf-ipfs.com/ipfs/bafkreic7intzjnj746hcrgdbvs6xeg6tzdr2nen5jupl3nnpg7lucql4qy", "https://ipfs.io/ipfs/bafkreic7intzjnj746hcrgdbvs6xeg6tzdr2nen5jupl3nnpg7lucql4qy", "https://vf.qen12.za.com/.well-known/acme-challenge//r-xcut.php", "https://guide-orientation.tn/go_page.php?href=https://fe.xrqo8.ru.com/.well-known/acme-challenge/", "https://fe.xrqo8.ru.com/.well-known/acme-challenge/", "https://cf-ipfs.com/ipfs/bafkreicj32yprjitxoyrmoxqcknj2xohjinvl5zcy6bnandbuggdki3bxu", "https://mldproltd.com/img/slim/r-xcut.php")

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-15-IOCs-from-recent-phishing-campaign.txt
