Beware the Monstrous Fox!

Image from ShutterstockWe are starting to see a more efficient (for the bad guys) method of phishing appear: huyao which means Monstrous Fox in Chinese. In typical phishing attacks, the bad guys create a near-exact duplicate of an existing website (usually an online shopping, credit card or banking site) and entice people to accidentally log into that site instead of the real one. This gives the bad guys your login username and password, which they can then use on the real website to get access to your credit card information and more.

I should note that if you were able to enable 2-factor authentication on the real site, this type of attack would be almost useless to the bad guys. Since they don’t have your authentication device, they wouldn’t be able to replicate a unique code on the real website. But they may still have a chance for two factors: 1) the authentication code may work for up to 30 seconds or more, so a quick-acting bad guy could get in, and 2) some websites that do have 2-factor authentication have a bypass feature: they allow you to tell the site that a particular computer is safe and trusted (aka whitelisting), to make future visits from that computer faster.

Monstrous Fox makes things easier for the bad guys in that they no longer need to duplicate the entire website. The fake website acts as a ‘proxy’ and relays most of the real website’s web pages to you. It only shows you a fake page when you are about to do something that’s attractive to the bad guys. Like typing in a username and password, making an online purchase, or entering in credit card information. So the bad guys only need to create fake login and purchase pages. For example:

  1. You visit an online shopping website, and see actual items from the real website
  2. You click on an item to add it to your cart – you are now looking at the fake website’s pages
  3. You checkout, providing credit card information and such – you are giving your info to the bad guys
  4. The bad guys send you a confirmation of purchase email, which includes the items you’d added to their (fake) basket or shopping cart.

Image from ShutterstockThe bad guys get their proxy inserted into your online experience in various ways: by you clicking a link in an email, by clicking a link on a compromised web page (such as search engine results or really any web page that you might visit which has been compromised), or by the result of installed malware on your computer. This takes you to the proxy website of the bad guys, who can then display either a fake website or the real one, whilst keeping their proxy in the middle of your communication between the real website and your computer. For cyber sleuths, this is an example of a ‘man-in-the-middle’ attack.

Advertisement

So how can you tell if you’re being phished? The first and foremost way to protect yourself is to avoid visiting shopping, credit card or bank websites by clicking on a link from anywhere. Visit these types of websites exclusively by opening a web browser and typing in the address of the website (e.g., www.amazon.com, www.rakuten.com, etc.). So all that advertising email you get that has links to the stores? Ignore them – when you want to shop, visit the website directly, don’t follow a hyperlink. It’s just too easy to fake hyperlinks in email or on web pages.

malwarebyteslogoIn addition, you should make sure your computer is free of malware – we like the excellent Malwarebytes’ Anti-Malware (and there’s a free version available at https://www.malwarebytes.org). If you choose the free version, run it to scan your system monthly. Or you can purchase the Premium version and let it provide automatic protection. Oh, and practice safe computing – our complete digital life checklist is here. If you’re interested in the intricate details of this phishing method, our friends at TrendMicro have a detailed writeup about Monstrous Fox here.


This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via Click or tap to open a new browser tab or your Venmo app and send money via Venmo to @positek (send to @PosiTek), Click or tap to open a new browser tab or your Paypal app to send money via your Paypal account to support@positek.net (send to Support@PosiTek.net), Click or tap to open a new browser tab or your Paypal app to send money using your credit card to support@positek.net (no Paypal account required) using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!

Go to Top of Page

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.