Phishing 2.0: Operation Huyao

Phishing scams are becoming ever more sophisticated. The latest example of this trend comes from China and is reported by Trend Micro. The attack was named Operation “Huyao” (meaning a monstrous fox in Chinese) because the name fits its sneaky, malicious behavior.

“This technique we found allows for the creation of nearly perfect copies – because the attacker no longer needs to create a copy of the site at all.” You read that right, no more almost perfect copies of websites. What’s different about this phishing attack, compared to others, is that it essentially acts as a proxy/relay between you and your final destination.

The attack is not truly activated until you get to the checkout page. This is where things start to change a little. As you can see in the screenshots below, there is a slight difference in price (on the right is the attack-altered price).

It’s believed the price was lowered to lure in buyers who might otherwise abandon the purchase on realizing at checkout that the item is expensive. From here on, a few changes take place, but not many are easy to spot. Except for one: towards the end of the checkout process there is one last page, which would normally display a “personal message” that the user should recognize. This is, of course, missing. Instead, the user is presented with a prompt to enter an unknown ID credit card authentication password (this password is necessary to charge the card).

Once the “order” is finished, the victim even gets a “thank you” email confirming the purchase. It lists the items purchased and the address they will be “shipped” to. Frankly, this evolution of phishing attacks is quite worrisome. The shopping pages are identical (because you’re on the real website), and the only page that needs to be replicated is the checkout page. While this attack has only targeted one store in Japan so far, it’s likely we will see this trend grow as time progresses.
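Because the relay passes shopping pages through from the real store and substitutes only the checkout page, the store's own logs can show one client address carrying many carts that never reach the real checkout. The following is an added example, not code from Trend Micro or the original post. It assumes a simplified log format, hypothetical `/cart/add` and `/checkout` paths, and that the relay fetches pages from a single address while keeping a separate session per victim.

```python
from collections import defaultdict

# Constructed sample access log (not real data): "client_ip session_id path".
# /cart/add and /checkout are assumed paths for a hypothetical store.
SAMPLE_LOG = """\
203.0.113.7 s1 /item/101
203.0.113.7 s1 /cart/add
203.0.113.7 s2 /item/205
203.0.113.7 s2 /cart/add
203.0.113.7 s3 /item/101
203.0.113.7 s3 /cart/add
203.0.113.7 s4 /item/330
198.51.100.20 a1 /item/101
198.51.100.20 a1 /cart/add
198.51.100.20 a1 /checkout/confirm
198.51.100.21 b1 /item/205
198.51.100.21 b1 /cart/add
192.0.2.50 n1 /cart/add
192.0.2.50 n1 /checkout/confirm
192.0.2.50 n2 /cart/add
192.0.2.50 n3 /cart/add
192.0.2.50 n3 /checkout/confirm
"""

def parse(log_text):
    """Yield (ip, session_id, path) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)

def suspected_relays(log_text, min_cart_sessions=3):
    """Map each IP whose carts never reach the real checkout to its cart count."""
    carts = defaultdict(set)       # ip -> sessions that added to the cart
    checkouts = defaultdict(set)   # ip -> sessions that hit the real checkout
    for ip, sid, path in parse(log_text):
        if path.startswith("/cart/add"):
            carts[ip].add(sid)
        elif path.startswith("/checkout"):
            checkouts[ip].add(sid)
    flagged = {}
    for ip, sids in carts.items():
        abandoned = sids - checkouts[ip]
        # A shared NAT address sees some checkouts; a relay of this kind sees none.
        if len(sids) >= min_cart_sessions and len(abandoned) == len(sids):
            flagged[ip] = len(sids)
    return flagged

if __name__ == "__main__":
    print(suspected_relays(SAMPLE_LOG))
```

This is a heuristic for triage, not proof: a flagged address still needs manual review, and the threshold should be tuned against the store's normal cart-abandonment rate.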