Beware the Monstrous Fox!

We are starting to see a more efficient (for the bad guys) method of phishing appear: huyao, which means Monstrous Fox in Chinese. In a typical phishing attack, the bad guys create a near-exact duplicate of an existing website (usually an online shopping, credit card or banking site) and entice people to log into that copy instead of the real one. This gives the bad guys your username and password, which they can then use on the real website to get access to your credit card information and more.

I should note that if you were able to enable 2-factor authentication on the real site, this type of attack would be almost useless to the bad guys. Since they don’t have your authentication device, they wouldn’t be able to produce the one-time code the real website asks for. But they may still have a chance, for two reasons: 1) the authentication code may remain valid for up to 30 seconds or more, so a quick-acting bad guy who sees the code you typed could use it before it expires, and 2) some websites that do have 2-factor authentication have a bypass feature: they allow you to tell the site that a particular computer is safe and trusted (aka whitelisting), to make future visits from that computer faster, so a session started from a trusted computer never gets asked for the code at all.

Monstrous Fox makes things easier for the bad guys in that they no longer need to duplicate the entire website. The fake website acts as a ‘proxy’ and relays most of the real website’s web pages to you. It only shows you a fake page when you are about to do something that’s attractive to the bad guys, like typing in a username and password, making an online purchase, or entering credit card information. So the bad guys only need to create fake login and purchase pages. For example:

  1. You visit an online shopping website, and see actual items from the real website
  2. You click on an item to add it to your cart – you are now looking at the fake website’s pages
  3. You checkout, providing credit card information and such – you are giving your info to the bad guys
  4. The bad guys send you a confirmation of purchase email, which includes the items you’d added to their (fake) basket or shopping cart.

The bad guys get their proxy inserted into your online experience in various ways: by you clicking a link in an email, by clicking a link on a compromised web page (such as search engine results or really any web page that you might visit which has been compromised), or through malware already installed on your computer. This takes you to the proxy website of the bad guys, who can then display either a fake page or the real one, whilst keeping their proxy in the middle of the communication between the real website and your computer. For cyber sleuths, this is an example of a ‘man-in-the-middle’ attack.


So how can you tell if you’re being phished? The first and foremost way to protect yourself is to avoid visiting shopping, credit card or bank websites by clicking on a link from anywhere. Visit these types of websites exclusively by opening a web browser and typing in the address of the website (e.g., www.amazon.com, www.rakuten.com, etc.). So all that advertising email you get that has links to the stores? Ignore them – when you want to shop, visit the website directly, don’t follow a hyperlink. It’s just too easy to fake hyperlinks in email or on web pages.
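The reason email links are so easy to fake is that the text you see and the address the link actually goes to are two separate things. As an added illustration (my own example, not code from the article or from TrendMicro), here is a small Python checker that pulls every link out of an email's HTML and flags the two most common tricks: link text that looks like one website's address while the link points somewhere else, and the old "username@host" form of address where everything before the @ is decoration and only the part after it is the real host. The sample email is constructed for this example and uses reserved example.net/example.org hosts; `suspicious_links` and `check_sample` are names I made up here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


_URL_LIKE = re.compile(
    r"(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/\S*)?", re.IGNORECASE
)


def looks_like_url(text: str) -> bool:
    """True if the visible link text reads like a web address (e.g. www.amazon.com)."""
    return bool(_URL_LIKE.fullmatch(text.strip()))


def host_of(url_or_text: str) -> str:
    """Real host a link resolves to.  urlparse().hostname drops any user@ prefix,
    so 'https://www.amazon.com@evil.example.org/' correctly yields evil.example.org."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s  # let bare 'www.amazon.com' parse as a host
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:
        return ""


def suspicious_links(html: str) -> list:
    """Return [(href, visible_text, [reasons])] for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        actual = host_of(href)
        if looks_like_url(text):
            shown = host_of(text)
            if shown and shown != actual:
                reasons.append(f"text shows {shown} but link goes to {actual}")
        netloc = urlparse(href if "://" in href else "http://" + href).netloc
        if "@" in netloc:
            reasons.append(f"address hides real host {actual} behind a user@ prefix")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message: one honest link and two deceptive ones.
SAMPLE_EMAIL_HTML = """
<p>Your order is ready. <a href="https://www.amazon.com/orders">View order</a></p>
<p>Or sign in at <a href="http://amazon-login.example.net/x">https://www.amazon.com</a></p>
<p><a href="https://www.amazon.com@checkout.example.org/login">www.amazon.com</a></p>
"""


def check_sample() -> list:
    return suspicious_links(SAMPLE_EMAIL_HTML)


if __name__ == "__main__":
    for href, text, reasons in check_sample():
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the sample, it reports the second and third links and stays quiet about the first. It is not a substitute for the advice above (type the address yourself), but it shows exactly what a mail client or a browser has to compare to spot a faked link.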

In addition, you should make sure your computer is free of malware – we like the excellent Malwarebytes’ Anti-Malware (and there’s a free version available at https://www.malwarebytes.org). If you choose the free version, run it to scan your system monthly. Or you can purchase the Premium version and let it provide automatic protection. Oh, and practice safe computing – our complete digital life checklist is here. If you’re interested in the intricate details of this phishing method, our friends at TrendMicro have a detailed writeup about Monstrous Fox here.
