Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Stealthy Phishing Tactic Targets Online Shoppers

Researchers at Trend Micro say they have uncovered a crafty phishing technique that can help attackers steal information while flying under the radar of site owners.

The attack has been dubbed ‘Operation Huyao’.

Researchers at Trend Micro say they have uncovered a crafty phishing technique that can help attackers steal information while flying under the radar of site owners.

The attack has been dubbed ‘Operation Huyao’.

“In Chinese, huyao means a monstrous fox,” explained Noriaki Hayashi, senior threat researcher at Trend Micro. “The rather sneaky behavior of this attack, together with the fact that we believe the creators of this attack are located in China, made this name feel rather appropriate.”

While traditional phishing attacks require an attacker to copy a targeted website, in this case, the attacker doesn’t need to do that at all. Instead, the phishing page only contains a proxy program that acts as a relay to the legitimate site. The page is only modified when information is about to be stolen, Hayashi blogged.

“To carry out a conventional phishing attack, an attacker need to capture, copy, and modify the code for the target organization’s website and host it on their own site,” the researcher wrote. “This could be hosted either on a malicious site, or a compromised site (particularly a subdirectory or subdomain).”

“Many legitimate shopping sites use subdirectories to divide their store into various sections,” Hayashi continued. “Something like this, for example, would be perfectly reasonable:

  • http://{legitimate site}/clothes/
  • http://{legitimate site}/food/
  • http://{legitimate site}/music/

“With a conventional attack, it’s likely that three phishing sites would need to be prepared. In Operation Huyao, a single malicious domain was used to target multiple stores, like so:

  • http://{malicious domain}/clothes/tslyphperaHR0cDov{BLOCKED}.html

The URL, the researcher continued, contains an identifier that flags the URL as being used by these relay attacks – tslyphper. The remainder of the HTML file’s name identifies the site that is the target of the attack.

In the case of Operation Huyao, the attacker’s malicious site acts as a relay for the original site, and as long as the victim is only browsing the page, they will only see the content they would on the legitimate site. When they go to enter payment information however, things change.

“It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response,” the researcher blogged.

In order to get users to visit the malicious site, the attackers use blackhat search engine optimization techniques so that the malicious site appears in response to certain product-related Web searches.

In the incident Trend Micro observed, the “Add to Basket” function was written by the attacker in order to perform their attack. While clicking on the “Add to Basket” button on the legitimate site takes the user to the actual shopping basket via HTTPS, on the phishing site, the user goes to the following page via an unprotected HTTP connection.

“So far, we have only identified this attack targeting one specific online store in Japan,” blogged Hayashi. “However, if this attack becomes more prominent, it could become a very worrying development: this makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites. In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.”

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.