Trend Micro’s threat researchers have recently uncovered the latest way that attackers are “improving” phishing attacks: a new phishing campaign targeting users of an online store in Japan. What makes this interesting is that this campaign features a worrying new tactic that makes the attack more effective and easier to pull off. Because the people behind this new tactic appear to be from China, we’re calling it “Operation Huyao.” In Chinese, huyao means a monstrous fox.
To understand why Operation Huyao is so different, it’s important first to understand how phishing sites work.
When you create a phishing site, you are generally creating a full, bogus copy of the site you’re spoofing on a server under your control. Because the goal is to fool people into believing the bogus site is the real site, the quality of the copy is important. A site that looks like a bad copy isn’t going to be as effective as a site that’s nearly impossible to distinguish from the real site. This means that creating a good phishing site for major legitimate sites entails a lot of work to duplicate as much of the real site as possible.
In Operation Huyao, we’ve seen that attackers have found a new way to solve the problem of creating a believable copy of the legitimate site. Instead of creating a full, stand-alone copy of the legitimate site on their malicious servers, these attackers have found a way to serve up pages directly from the legitimate site through their own malicious site. The attackers can do this in a way that is seamless to the person visiting their malicious site.
This means when you go to these attackers’ bogus, malicious site, you’re seeing the same content that you would see on the legitimate site. The attackers do create new pages on their site to get the critical information that they’re looking for. But that’s it. The rest of the user’s experience is coming from the legitimate site. For all intents and purposes, there’s no way to tell by the site’s look and feel that it’s not the legitimate site.
What makes this attack even more insidious is that they’re not attacking or compromising the legitimate site in any way. This means that it’s nearly impossible for the legitimate site owner to know that their site information is being used to support these attackers’ phishing sites.
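As an added example (not from the original post and not Trend Micro's code), here is a small detector that the legitimate site's operator could run over their own web server access log: a relay of this kind still has to fetch every page from the real server, so that server sees the relay's IP presenting many different victims' browsers, and Referer headers that point at the attackers' host rather than its own. The host names, sensitive paths, threshold and log lines below are all constructed for the example and would need tuning for a real site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
OWN_HOSTS = {"shop.example.jp", "www.shop.example.jp"}  # assumed legitimate hosts
SENSITIVE = ("/login", "/checkout", "/account")         # assumed sensitive paths
UA_FANIN_THRESHOLD = 3  # assumed: distinct browsers from one IP before we flag it

# Constructed sample lines: 203.0.113.9 behaves like a relay (three different
# browsers, Referer on a look-alike host); 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Nov/2014:10:00:01 +0900] "GET /item/123 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"',
    '203.0.113.9 - - [10/Nov/2014:10:00:02 +0900] "GET /login HTTP/1.1" 200 812 "http://shop-example-jp.example.net/item/123" "Mozilla/5.0 (Macintosh) Safari/600.1"',
    '203.0.113.9 - - [10/Nov/2014:10:00:03 +0900] "GET /checkout HTTP/1.1" 200 910 "http://shop-example-jp.example.net/cart" "Mozilla/5.0 (Android 4.4) Chrome/38.0"',
    '198.51.100.7 - - [10/Nov/2014:10:00:04 +0900] "GET /login HTTP/1.1" 200 812 "https://www.shop.example.jp/cart" "Mozilla/5.0 (Windows NT 6.3) Chrome/38.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Return (foreign_referers, suspect_ips).

    foreign_referers: (ip, referer_host, path) for sensitive pages reached from a
    host we do not own. suspect_ips: IPs presenting many distinct User-Agents,
    which is how a server-side relay serving many victims looks to us."""
    foreign_referers = []
    uas_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uas_by_ip[rec["ip"]].add(rec["ua"])
        ref = rec["referer"]
        if ref and ref != "-":
            ref_host = urlsplit(ref).hostname or ""
            if ref_host not in OWN_HOSTS and rec["path"].startswith(SENSITIVE):
                foreign_referers.append((rec["ip"], ref_host, rec["path"]))
    suspect_ips = sorted(ip for ip, uas in uas_by_ip.items()
                         if len(uas) >= UA_FANIN_THRESHOLD)
    return foreign_referers, suspect_ips

if __name__ == "__main__":
    hits, ips = analyze(SAMPLE_LOG)
    print("foreign referers:", hits, "\nrelay-like IPs:", ips)
```

Both signals are indicators rather than proof: a corporate NAT gateway also shows one IP with many browsers, so flagged IPs are a starting point for review, not an automatic block.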
This represents a major innovation in phishing tactics. And it’s an innovation that makes it even harder to recognize phishing sites.
While we’ve seen this only targeting one online store in Japan, there’s every reason to believe that this innovation will be adopted and adapted to be used more broadly. Attackers often “beta test” new techniques in smaller markets like Japan before releasing them more broadly.
The good news, however, is that the same protections that help protect you against phishing sites today also help against these newer, more effective phishing sites. Security software like Trend Micro Security that uses web reputation powered by our Smart Protection Network™ can protect against these kinds of sites (and in fact already does). Also, making sure you don’t click on links, and only navigating to sites for eCommerce or other critical functions by typing the URL into the browser by hand, can help to protect you.
While this is a worrying new development, it also shows that tried and true practices to protect yourself online are still effective. But it does show that cybercriminals aren’t standing still: the same forces that prompt innovation in the legitimate technology business also push criminal technology operations. And that underscores why it’s important to keep up to date not only on your patches and signatures but also on the latest security threat intelligence.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.