New Phishing Technique Outfoxes Site Owners: Operation Huyao

We’ve found a new phishing technique targeting online shopping sites that may significantly change the threat landscape for phishing sites. Conventional phishing sites require an attacker to replicate the targeted site; a more accurate copy is more likely to fool intended victims.

This technique we found allows for the creation of nearly perfect copies – because the attacker no longer needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which acts as a relay to the legitimate site. Only when any information theft needs to be carried out are any pages modified. The owners of the legitimate site would find it very difficult to detect these attacks against their customers.

We decided to call this particular attack Operation Huyao. In Chinese, huyao means a monstrous fox. The rather sneaky behavior of this attack, together with the fact that we believe the creators of this attack are located in China, made this name feel rather appropriate.

Conventional phishing attacks and Huyao attacks

To carry out a conventional phishing attack, an attacker need to capture, copy, and modify the code for the target organization’s website and host it on their own site. This could be hosted either on a malicious site, or a compromised site (particularly a subdirectory or subdomain).

Many legitimate shopping sites use subdirectories to divide their store into various sections. Something like this, for example, would be perfectly reasonable:

  • http://{legitimate site}/clothes/
  • http://{legitimate site}/food/
  • http://{legitimate site}/music/

With a conventional attack, it’s likely that three phishing sites would need to be prepared. In Operation Huyao, a single malicious domain was used to target multiple stores, like so:

  • http://{malicious domain}/clothes/tslyphperaHR0cDov{BLOCKED}.html

The URL contains an identifier which flags the URL as being used by these relay attacks – tslyphper. The rest of the HTML file’s name identifies the site that is the target of the attack, like so:

Input parameter: aHR0cDovL3d3dy5zaG9wcGluZ21hbGwuY28uanAv
After BASE64 decoding: {URL of legitimate shopping site}

The URL of the targeted site is stored in the phishing URL and can be found after BASE64 decoding.

How the attack proceeds

Conceptually, the attack overall is simple. The attacker’s malicious site acts as a relay/proxy for the original site. So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user.

It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response.

The overall flow of this attack is shown in the diagram below:

Figure 1. Overall attack flow

To get the user to the malicious site, various blackhat SEO techniques have been used to insert the malicious sites in question to various product-related searches, as seen in the screenshot below. (The targeted shopping site was in Japanese, which is why the sites are in Japanese as well.)

Figure 2. Search results with malicious links

The changes begin when the user is about to buy a product. The Add to Basket function has been written by the attacker in order to perform their attacks.

Figures 3 and 4. Price on actual site versus price on phishing site

Note the difference between the two pages – the price has been significantly reduced. This may have been done in order to lure in would-be savers. Clicking on the “Add to Basket” button on the legitimate site takes the user via HTTPS to the actual shopping basket. On the phishing site, the user goes to the following page via an unprotected HTTP connection:

  • http://{malicious domain}/cart/cart.php?site={malicious domain}&p=3073&nm=Item_Name<tr><td><span%20class=

The URL above contains both the price (3073 yen) and the name of the item in question. All of the pages beyond this point are created by the attacker to carry out information theft.

As is typical in a checkout process, the user is shown a series of pages where they have to enter their information.

Figure 5. Page asking for personal information

The information asked for in this page is:

  • Name
  • Pronounciation
  • Postal code
  • Prefecture
  • City or Country
  • Address
  • Phone number
  • Email address
  • Password

The format of the above page would be regarded by Japanese users (the target of this attack) as completely normal.

In the next page, the users are asked to enter their payment information:

Figure 6. Page asking for credit card information

Here, the users are asked to enter the following:

  • Payment method/card issuer
  • Card number
  • Card expiration date
  • Name of cardholder
  • Security code

One more screen appears, which is designed to defeat card verification services provided by some card networks. These ask for a separate password meant to verify that the actual cardholder is authorizing the account. By acquiring this password, the attackers can get around this verification system.

Oddly, these fake verification pages ask for an ID/user name of some sort, which is not part of the actual verification process. A “personal message” that is specified by the user is not present (as, obviously, the attacker would not have previous access to this).

Figure 7. Page asking for credit card authentication password

Finally, an email message thanking the user for their order is sent to the address provided earlier. The message also contains the items that the user supposedly ordered from the online store:

Figure 8. Email with supposed transaction details

All this leaves the user with the impression that they have carried out a successful transaction, unaware that they have fallen victim of a phishing attack.


So far, we have only identified this attack targeting one specific online store in Japan. However, if this attack becomes more prominent, it could become a very worrying development: this makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites.

In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.

We will continue to monitor and block all phishing attacks that use this or other similar methodologies.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New Phishing Technique Outfoxes Site Owners: Operation Huyao

Read more: New Phishing Technique Outfoxes Site Owners: Operation Huyao

Story added 5. November 2014, content source with full text you can find at link above.