Operation Huyao, the scary evolution of phishing attacks

Pierluigi Paganini November 06, 2014

Security experts at TrendMicro have discovered a new Phishing technique dubbed Operation Huyao that it very hard to detect by site owners and end-users.

Security experts have uncovered a new phishing technique, dubbed Operation Huyao, targeting online shopping websites and that is considered by researchers a significantly change to the threat landscape for phishing activities. In a classic phishing scenario, the attackers clone a legitimate website to syphon users’ credentials and spread the link to the bogus site via email or through social media platforms. The quality of the copy is determinant for the success of the attack. The new phishing scheme discovered by the security experts relies on phishing pages that contains a proxy program, which acts as a relay to the legitimate website. In this way the attacker just needs to create a copy of those pages that receive data of interest, the technique is very difficult to detect for the site owner.

“The attacker’s malicious site acts as a relay/proxy for the original site. So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user.” states a blog post from TrendMicro.

Operation Huyao phishing campaign

The experts assigned to the campaign the named Operation Huyao because analyzing the attacks they have deducted that authors are based in China, just for curiosity the term ‘huyao’ means a monstrous fox.

“To carry out a conventional phishing attack, an attacker need to capture, copy, and modify the code for the target organization’s website and host it on their own site. This could be hosted either on a malicious site, or a compromised site (particularly a subdirectory or subdomain).

Differently from a conventional phishing attack, in an Operation Huyao, a single malicious domain is used by attacker to target multiple website, like so: http://{malicious domain}/clothes/tslyphperaHR0cDov{BLOCKED}.html” explained Noriaki Hayashi, Senior Threat Researcher from TrendMicro.

The URL includes a stub, tslyphper, that is used for the relay attack, the remaining part of the filename identifies the specific site that targeted and that is coded in BASE64, as explained in the following example:

tslyphperaHR0cDovL3d3dy5zaG9wcGluZ21hbGwuY28uanAv.html
Input parameter: aHR0cDovL3d3dy5zaG9wcGluZ21hbGwuY28uanAv
After BASE64 decoding: {URL of legitimate shopping site}

The attacker also used  blackhat SEO techniques to attacks unaware users, the experts at TrendMicro cited the example of Japanese e-commerce website, in the following image are proposed the search results with malicious links related to the targeted website.

Operation Huyao phishing campaign black SEO

The attackers collect the following information from victims:

  • Payment method/card issuer
  • Card number
  • Card expiration date
  • Name of cardholder
  • Security code

But the action of the attacker is not limited to the above data, using other for they simulate a credit card verification services provided by some card networks to gather the user’s password and cardholder ID. The phishing attacks is closed sending an email message to the user to resume and confirm the placed order, leaving victims with the impression that the transaction has been successfully concluded.

As explained by the experts, if the attack technique becomes more prominent, it could become a very worrying development, making hard the detection by end-users of the illicit practice.

“In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.” states TrendMicro

Pierluigi Paganini

Security Affairs –  (Operation Huyao, phishing, cybercrime)



you might also like

leave a comment