Crooks using phishing pages to grab victims' passwords have apparently upped their game – by using proxy servers rather than static pages to craft legit-looking websites.
Normally, thieves recreate a web page – such as a login page for an online shop or webmail – and stick it on a compromised server, then direct marks towards that counterfeit page in hope they fall for the trick and type in their username and password, or bank card details.
Savvy netizens should be able to spot a dodgy-looking page, so now crims are directing people to servers that fetch legit pages from the website being impersonated and pass those on to the mark to convince them it's safe to hand over their personal details.
The in-between relay can even lower prices of stuff being sold online to lure in people looking for a bargain.
That's according to Trend Micro, which this week warned:
[The] technique we found allows for the creation of nearly perfect copies – because the attacker no longer needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which acts as a relay to the legitimate site. Only when any information theft needs to be carried out are any pages modified. The owners of the legitimate site would find it very difficult to detect these attacks against their customers.
The attacker’s malicious site acts as a relay/proxy for the original site. So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user.
This tactic, dubbed Operation Huyao by Trend Micro, ultimately relies on people not noticing that the HTTPS website they're visiting is not the HTTPS website they think it is.
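One way a site owner can act on this at the origin server, as an added illustration that is not Trend Micro's or the Register's code: because the relay fetches the real site on each victim's behalf, the origin sees browser-generated Origin and Referer headers that name the relay's hostname (or a POST with those headers stripped), and many distinct sessions arriving from the relay's single address. The hostname `shop.example`, the relay address `203.0.113.7` and the sample requests below are constructed for the example.

```python
"""Constructed detection heuristics for a phishing relay that proxies a
legitimate shop. Not the retailer's or Trend Micro's code; hostnames,
addresses and traffic are made up for the example."""
from collections import defaultdict
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"shop.example"}  # assumed legitimate hostname(s)

def check_request(req, expected_hosts=EXPECTED_HOSTS):
    """Return reasons a single request looks relayed (empty list = clean)."""
    reasons = []
    host = req.get("host", "").split(":")[0].lower()
    if host not in expected_hosts:
        reasons.append("host-mismatch")
    # Browsers send Origin on POST. A relay that forwards it unchanged leaks
    # the victim-facing hostname; one that strips it leaves the POST bare.
    if req.get("method") == "POST":
        origin = req.get("origin")
        if origin is None:
            reasons.append("post-without-origin")
        elif urlsplit(origin).hostname not in expected_hosts:
            reasons.append("origin-mismatch")
    referer = req.get("referer")
    if referer and urlsplit(referer).hostname not in expected_hosts:
        reasons.append("referer-mismatch")
    return reasons

def find_relay_ips(requests, min_sessions=3):
    """Client addresses carrying at least min_sessions distinct session
    cookies: a relay funnels many victims' sessions through one address."""
    sessions = defaultdict(set)
    for r in requests:
        if r.get("session"):
            sessions[r["ip"]].add(r["session"])
    return sorted(ip for ip, s in sessions.items() if len(s) >= min_sessions)

# Constructed sample traffic: one relay address forwarding three victims'
# sessions, plus one genuine visitor posting from the real site.
SAMPLE = [
    {"ip": "203.0.113.7", "method": "GET", "host": "shop.example", "session": "s1"},
    {"ip": "203.0.113.7", "method": "POST", "host": "shop.example", "session": "s2",
     "origin": "https://shop-example-deals.test",
     "referer": "https://shop-example-deals.test/cart"},
    {"ip": "203.0.113.7", "method": "POST", "host": "shop.example", "session": "s3"},
    {"ip": "198.51.100.4", "method": "POST", "host": "shop.example", "session": "s4",
     "origin": "https://shop.example", "referer": "https://shop.example/cart"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["ip"], r["method"], check_request(r))
    print("suspected relay addresses:", find_relay_ips(SAMPLE))
```

The header checks alone are easy for a more careful relay to defeat, so the session-fan-in count is the signal worth keeping even when the headers look right.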
It was used against a Japanese shopping website and its customers. In Chinese, huyao means a "monstrous fox" and the word was chosen by Trend because the crooks are seemingly operating in China.
Marks were drawn to the thieves' malicious site using various black-hat SEO techniques to push links to the dodgy server up web search rankings – allowing the bogus site to appear prominently for product searches.
"For website owners, protection from such attacks boils down to one goal: rejecting the access of the unexpected," noted Trend senior researcher Noriaki Hayashi. ®