Who’s Behind Operation Huyao?

As previously discussed Operation Huyao is a well-designed phishing scheme that relys on relay/proxy sites that pull content directly from their target sites to make their phishing sites appear to be more realistic and believable.

Only one such attack, targeting a well-known Japanese site, has been documented. No other sites have been targeted by this attack.Publicly available information suggests that the persons who registered the domains used in this attack are located in China.

Because Huyao has a very specific URL pattern, it is easy to identify web servers that were seving as Huyao proxies. Most of these were located in the United States, with smaller numbers located in Hong Kong and France.

Table 1. Countries with Huyao-related servers

Approximately 316 domains have been used by Huyao. These domains appear to have been created by the attackers, and there is no indication that any compromised sites were used. The Whois records for these sites indicate that the email addresses on file for the administrators of these domains belong to free mail providers: Hotmail, QQ, and Gmail were the most popular providers used by the attackers.

Table 2. Email providers used in Huyao-related domain registration

Lin Xiansheng (gillsaex@hotmail.com) and Lirong Shi (44501666@qq.com) were the two individuals most identified as owners of these domains

According to Whois information, Lin is a resident of Xiamen, located in the southeastern province of Fujian in China. He appears to have registered a total of 196 domains, with four of these registrations already lapsed or otherwise no longer valid. (Below is some of the Whois information characteristic of the domains that were registered under this name, based on the Whois information of fffls.com:

Registry Registrant ID: Registrant Name: xiansheng lin Registrant Organization: lin xiansheng Registrant Street: xiamenshisimingqu Registrant City: xiamen Registrant State/Province: Fujian Registrant Postal Code: 361000 Registrant Country: cn Registrant Phone: +86.59112345678 Registrant Phone Ext: Registrant Fax: +86.59112345678 Registrant Fax Ext: Registrant Email: Registry Admin ID: Admin Name: xiansheng lin Admin Organization: Admin Street: xiamenshisimingqu Admin City: xiamen Admin State/Province: Fujian Admin Postal Code: 361000 Admin Country: cn Admin Phone: +86.59112345678 Admin Phone Ext: Admin Fax: +86.59112345678 Admin Fax Ext: Admin Email:

Figure 1. Whois search for gillsaex@hotmail.com

Whois records of another domain (now seized due to abuse) also connect Lin to a second email address, 339647674@qq.com. Lin used a slightly different physical address for the domains linked to the qq.com address, but its location was still in Xiamen,

Lirong Shi registered even more domains: 417 in total, with six of those no longer active. Whos records place him in the city of Jinjiang, also in Fujian province.

Registry Registrant ID: DI_38689624 Registrant Name: shilirong Registrant Organization: shilirong Registrant Street: jinjiangshi Registrant City: jinjiang Registrant State/Province: fujian Registrant Postal Code: 362200 Registrant Country: CN Registrant Phone: +86.3202222 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: Registry Admin ID: DI_38689624 Admin Name: shilirong Admin Organization: shilirong Admin Street: jinjiangshi Admin City: jinjiang Admin State/Province: fujian Admin Postal Code: 362200 Admin Country: CN Admin Phone: +86.3202222 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email:

Other information confirms that Lirong Shi is located in China. Postings in online forums indicated that several years ago, he was allegedly buying devices from Japan and selling them in China:

Figure 2. Previous advertisement by 44501666@qq.com

The Whois information strongly indicates that the individuals who registered the domains used in Operation Huyao are located in China. The fact that the domains linked to Operation Huyao were registered during working hours in China – with peaks at 9AM and 1PM – seems to support this conclusion. However, this alone cannot be regarded as conclusive proof.

Figure 3. Time of domain registration

Countermeasures

For website owners, protection from such attacks boils down to one goal: rejecting the access of the unexpected. These countermeasures come down to blacklisting and monitoring the “URL: document.location” or “HTTP referrer: document.referrer.”

In this scenario, blacklisting would mean blacklisting the site where the relay program was installed in. Blacklisting can be combined with a .htaccess access control file if Apache was involved.

Using a URL or HTTP referrer can also be instrumental in attacks such as Huyao. The URL or HTTP referrer can be used to compare the values obtained through JavaScript of the legitimate site and the site that copied the content. The owners of the legitimate sites can check where the request for data/content is coming from. A discrepancy between the two values signals suspicious activity that can then be properly flagged.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Who’s Behind Operation Huyao?