Who’s Behind Operation Huyao?

As previously discussed Operation Huyao is a well-designed phishing scheme that relys on relay/proxy sites that pull content directly from their target sites to make their phishing sites appear to be more realistic and believable.

Only one such attack, targeting a well-known Japanese site, has been documented. No other sites have been targeted by this attack.Publicly available information suggests that the persons who registered the domains used in this attack are located in China.

Because Huyao has a very specific URL pattern, it is easy to identify web servers that were seving as Huyao proxies. Most of these were located in the United States, with smaller numbers located in Hong Kong and France.

Table 1. Countries with Huyao-related servers

Approximately 316 domains have been used by Huyao. These domains appear to have been created by the attackers, and there is no indication that any compromised sites were used. The Whois records for these sites indicate that the email addresses on file for the administrators of these domains belong to free mail providers: Hotmail, QQ, and Gmail were the most popular providers used by the attackers.

Table 2. Email providers used in Huyao-related domain registration

Lin Xiansheng (gillsaex@hotmail.com) and Lirong Shi (44501666@qq.com) were the two individuals most identified as owners of these domains

According to Whois information, Lin is a resident of Xiamen, located in the southeastern province of Fujian in China. He appears to have registered a total of 196 domains, with four of these registrations already lapsed or otherwise no longer valid. (Below is some of the Whois information characteristic of the domains that were registered under this name, based on the Whois information of fffls.com:

Registry Registrant ID:
Registrant Name: xiansheng lin
Registrant Organization: lin xiansheng
Registrant Street: xiamenshisimingqu
Registrant City: xiamen
Registrant State/Province: Fujian
Registrant Postal Code: 361000
Registrant Country: cn
Registrant Phone: +86.59112345678
Registrant Phone Ext:
Registrant Fax: +86.59112345678
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: xiansheng lin
Admin Organization:
Admin Street: xiamenshisimingqu
Admin City: xiamen
Admin State/Province: Fujian
Admin Postal Code: 361000
Admin Country: cn
Admin Phone: +86.59112345678
Admin Phone Ext:
Admin Fax: +86.59112345678
Admin Fax Ext:
Admin Email:

Figure 1. Whois search for gillsaex@hotmail.com

Whois records of another domain (now seized due to abuse) also connect Lin to a second email address, 339647674@qq.com. Lin used a slightly different physical address for the domains linked to the qq.com address, but its location was still in Xiamen,

Lirong Shi registered even more domains: 417 in total, with six of those no longer active. Whos records place him in the city of Jinjiang, also in Fujian province.

Registry Registrant ID: DI_38689624
Registrant Name: shilirong
Registrant Organization: shilirong
Registrant Street: jinjiangshi
Registrant City: jinjiang
Registrant State/Province: fujian
Registrant Postal Code: 362200
Registrant Country: CN
Registrant Phone: +86.3202222
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID: DI_38689624
Admin Name: shilirong
Admin Organization: shilirong
Admin Street: jinjiangshi
Admin City: jinjiang
Admin State/Province: fujian
Admin Postal Code: 362200
Admin Country: CN
Admin Phone: +86.3202222
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:

Other information confirms that Lirong Shi is located in China. Postings in online forums indicated that several years ago, he was allegedly buying devices from Japan and selling them in China:

Figure 2. Previous advertisement by 44501666@qq.com

The Whois information strongly indicates that the individuals who registered the domains used in Operation Huyao are located in China. The fact that the domains linked to Operation Huyao were registered during working hours in China – with peaks at 9AM and 1PM – seems to support this conclusion. However, this alone cannot be regarded as conclusive proof.

Figure 3. Time of domain registration


For website owners, protection from such attacks boils down to one goal: rejecting the access of the unexpected. These countermeasures come down to blacklisting and monitoring the “URL: document.location” or “HTTP referrer: document.referrer.”

In this scenario, blacklisting would mean blacklisting the site where the relay program was installed in. Blacklisting can be combined with a .htaccess access control file if Apache was involved.

Using a URL or HTTP referrer can also be instrumental in attacks such as Huyao. The URL or HTTP referrer can be used to compare the values obtained through JavaScript of the legitimate site and the site that copied the content. The owners of the legitimate sites can check where the request for data/content is coming from. A discrepancy between the two values signals suspicious activity that can then be properly flagged.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Who’s Behind Operation Huyao?

Read more: Who’s Behind Operation Huyao?

Incoming search terms

Story added 7. November 2014, content source with full text you can find at link above.