Incident Response, TDR

Researchers observe a new phishing technique

An effective new phishing technique identified by researchers with Trend Micro allows attackers to go after information without having to spend as much time developing copies of websites.

The attack involves a phishing page containing a proxy program that acts as a relay to a legitimate website, according to a Wednesday post by Noriaki Hayashi, senior threat researcher with Trend Micro. From the user's perspective, they are just browsing the regular site, and the attackers do not have to modify anything until they are ready to steal information.

“This really is like a standard phishing attack from the target's point of view,” Christopher Budd, global threat communications manager at Trend Micro, told in a Wednesday email correspondence. “The attacker lures the target to a bogus site under the attacker's control. The key difference here is that the attacker is proxying back to the legitimate site on the back-end to increase the believability of the bogus site.”

So far the attack has only been observed targeting an online store in Japan, the post indicates. The technique is being referred to by Trend Micro as Operation Huyao, partly because the creators of the attack are believed – based on the investigation – to be located in China, Budd said.

Budd could not provide further details with regard to the proxy program, but he explained that “the bogus site does have some 'original' content, which is used to harvest the details the attacker is after.”

In the instance observed by Trend Micro, changes occurred during the checkout process, where users were first directed to a page that ask for personal information, including names, addresses, email addresses, phone numbers, and passwords, according to the post. The next page asked for payment card information, including card numbers, expiration dates and security codes, and was followed by a credit card authentication page designed to overcome verification services offered by certain card networks.

In the end, victims receive an email thanking them for their order, the post indicates, adding that the attackers used a variety of “blackhat SEO techniques” so the malicious site would appear in product-related searches.

“It's hard to predict for sure, but generally any innovation that reduces cost and increases effectiveness will be adopted and adapted by others,” Budd said. “So there is reason to view this potentially as something that's being 'test run' in Japan with an eye to broader use once the technique is better refined.”

Best practices include not clicking on links, as well as using a mature security package that includes web reputation services to identify and block bad sites, Budd said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.