Researchers at Trend Micro say they have uncovered a crafty phishing technique that can help attackers steal information while flying under the radar of site owners.
The attack has been dubbed ‘Operation Huyao’.
“In Chinese, huyao means a monstrous fox,” explained Noriaki Hayashi, senior threat researcher at Trend Micro. “The rather sneaky behavior of this attack, together with the fact that we believe the creators of this attack are located in China, made this name feel rather appropriate.”
While traditional phishing attacks require an attacker to copy a targeted website, in this case, the attacker doesn’t need to do that at all. Instead, the phishing page only contains a proxy program that acts as a relay to the legitimate site. The page is only modified when information is about to be stolen, Hayashi blogged.
“To carry out a conventional phishing attack, an attacker need to capture, copy, and modify the code for the target organization’s website and host it on their own site,” the researcher wrote. “This could be hosted either on a malicious site, or a compromised site (particularly a subdirectory or subdomain).”
“Many legitimate shopping sites use subdirectories to divide their store into various sections,” Hayashi continued. “Something like this, for example, would be perfectly reasonable:
- http://{legitimate site}/clothes/
- http://{legitimate site}/food/
- http://{legitimate site}/music/
“With a conventional attack, it’s likely that three phishing sites would need to be prepared. In Operation Huyao, a single malicious domain was used to target multiple stores, like so:
- http://{malicious domain}/clothes/tslyphperaHR0cDov{BLOCKED}.html
The URL, the researcher continued, contains an identifier that flags the URL as being used by these relay attacks – tslyphper. The remainder of the HTML file’s name identifies the site that is the target of the attack.
In the case of Operation Huyao, the attacker’s malicious site acts as a relay for the original site, and as long as the victim is only browsing the page, they will only see the content they would on the legitimate site. When they go to enter payment information however, things change.
“It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response,” the researcher blogged.
In order to get users to visit the malicious site, the attackers use blackhat search engine optimization techniques so that the malicious site appears in response to certain product-related Web searches.
In the incident Trend Micro observed, the “Add to Basket” function was written by the attacker in order to perform their attack. While clicking on the “Add to Basket” button on the legitimate site takes the user to the actual shopping basket via HTTPS, on the phishing site, the user goes to the following page via an unprotected HTTP connection.
“So far, we have only identified this attack targeting one specific online store in Japan,” blogged Hayashi. “However, if this attack becomes more prominent, it could become a very worrying development: this makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites. In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.”
