Proxy-Using Phishers Make Attacks Harder to Spot

Security researchers have discovered a new type of phishing attack using proxy programs to make the malicious site harder to detect.

Trend Micro senior threat researcher Noriaki Hayashi warned in a blog post last week that the new techniques observed here “may significantly change the threat landscape for phishing sites.”

He explained:

“This technique we found allows for the creation of nearly perfect copies – because the attacker no longer needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which acts as a relay to the legitimate site. Only when any information theft needs to be carried out are any pages modified. The owners of the legitimate site would find it very difficult to detect these attacks against their customers.”

The attack works on any device and with any browser, as the hacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response, Hayashi added.

Dubbed Operation Huyao (Monstrous Fox in Chinese), the attacks are thought to have emanated from China and have been observed thus far targeting a Japanese shopping site.

Blackhat SEO techniques are initially used to get victims to click on the malicious site.

Only when the victim is about to buy a product does the proxy display different information crafted by the attacker. This apparently starts with new Add to Basket functionality, after which all the pages have been purpose-built to carry out information theft.

They even include a bogus 3D Secure verification page, designed so that the phishers can circumvent 3D Secure in future with the stolen credentials, Trend Micro claimed.
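A defender-side sketch of how the relay described above could surface in the legitimate site's own access logs, added here as an example and not taken from Trend Micro's research: every victim's request arrives through the proxy, so one source IP carries many different User-Agents, and because the purchase pages are attacker-built, that IP never requests the basket or checkout. The URL prefixes, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed URL layout of the legitimate shop (hypothetical; adjust to the real site).
PRODUCT_PREFIX = "/product/"
PURCHASE_PREFIXES = ("/basket", "/checkout")


def flag_relay_candidates(records, min_agents=3, min_product_views=5):
    """Return source IPs that look like a relay: several distinct browsers,
    plenty of product browsing, and no basket or checkout request at all."""
    stats = defaultdict(lambda: {"agents": set(), "views": 0, "purchases": 0})
    for ip, agent, path in records:
        entry = stats[ip]
        entry["agents"].add(agent)
        if path.startswith(PRODUCT_PREFIX):
            entry["views"] += 1
        elif path.startswith(PURCHASE_PREFIXES):
            entry["purchases"] += 1
    return sorted(
        ip for ip, entry in stats.items()
        if len(entry["agents"]) >= min_agents
        and entry["views"] >= min_product_views
        and entry["purchases"] == 0
    )


# Constructed sample records: (source IP, User-Agent, request path).
SAMPLE = (
    # One source, three browsers, browsing only: relay-like.
    [("203.0.113.10", ua, f"/product/{n}")
     for ua in ("Chrome/Win", "Safari/iPhone", "Firefox/Linux") for n in (1, 2)]
    # Shared office NAT: several browsers, but purchases do reach the origin.
    + [("198.51.100.7", ua, path)
       for ua in ("Chrome/Win", "Edge/Win", "Safari/Mac")
       for path in ("/product/1", "/product/3", "/basket/add")]
    # Single shopper who completes a purchase.
    + [("192.0.2.44", "Chrome/Android", path)
       for path in ("/product/9", "/basket/add", "/checkout/pay")]
)

if __name__ == "__main__":
    print(flag_relay_candidates(SAMPLE))
```

A match is a lead for investigation, not proof: a large shared gateway whose users only browse would produce the same pattern.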

Although it has only been observed so far targeting one site in Japan, the implications of this new method of phishing are potentially serious, Hayashi argued.

“If this attack becomes more prominent, it could become a very worrying development: this makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites,” he concluded.

“In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.”
