Looking East: Japanese Credit Card Customers Targeted by Phishing Attacks

In 2019, Valimail's email fraud report estimated that more than one in 100 emails were malicious in nature. In 2020, the FBI went on to state that phishing was the most common attack method seen that year. And more recently, the Anti-Phishing Working Group (APWG) revealed that phishing attacks hit an all-time high in 2021, with 300,000 attacks recorded in December alone.

Now that we are in 2022, it is clear that this trend is not changing.

Today, cybercriminals are upping the ante, working to develop sophisticated spear-phishing campaigns to deceive potential users while abusing trusted platforms like SharePoint, Amazon AWS, Google, and Adobe at more frequent rates.

This is exactly what the Menlo Labs research team witnessed in a recently analyzed phishing campaign targeting MICARD and American Express users in Japan. The team discovered that the threat actor in question was sending potential targets spoofed emails containing links to spoofed web pages, using geofencing to ensure that only Japanese IP addresses could reach its websites.

An analysis of spoofed sites

By analyzing the mechanisms used for MICARD and American Express phishing pages, we discovered many similarities.

Starting with the first, the URL used was “miicarrid[.]co[.]jp.sdsfsee[.]Top”. Upon access, users were presented with a login page asking them to submit their credentials. If they did so, they were redirected to a second web page on the same domain, which asked them to provide their account details and card number.

In the case of American Express, the spoofed URL was “www1[.]amerxcanexpress[.]tp.bhisjcn[.]jp”, again presenting any potential victim with a login page and then a secondary page requesting submission of credit card information.

In both campaigns, if a visitor entered their card information, they were then redirected to the home page of the genuine site, while all of their credentials had been saved in the URL path of the phishing pages.
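The two sites described above share a recognisable shape: the brand name appears as a look-alike label near the front of the hostname, while the registrable domain at the end belongs to someone else, and the stolen card data travels in the request URL. The script below is an added example (not Menlo Labs' tooling, and not from the original article) of how a defender might flag both traits in web-proxy logs. The log lines, the brand-to-legitimate-domain map, the typo-squat patterns and the small public-suffix table are all constructed assumptions for the example; a real deployment would use the Public Suffix List and the organisation's own brand inventory.

```python
import re
from urllib.parse import urlparse

# Constructed assumption: domains each brand legitimately serves from.
LEGIT_DOMAINS = {
    "micard": {"micard.co.jp"},
    "americanexpress": {"americanexpress.com"},
}

# Constructed assumption: loose patterns that also match common typo-squats
# of each brand name (e.g. "miicarrid", "amerxcanexpress").
BRAND_PATTERNS = {
    "micard": re.compile(r"mi+ca+r+i?d"),
    "americanexpress": re.compile(r"amer[a-z]canexpress"),
}

# Tiny stand-in for the Public Suffix List; enough for the sample data.
PUBLIC_SUFFIXES = {"co.jp", "jp", "com", "top", "net"}

# 13-19 digit runs not adjacent to other digits: candidate card numbers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def refang(url):
    """Turn defanged 'example[.]com' notation back into a parseable URL."""
    return url.replace("[.]", ".")


def registrable_domain(host):
    """Return the registrable domain (suffix plus one label), longest suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def analyze_url(url):
    """Flag brand look-alike hostnames and Luhn-valid card numbers in the URL."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    findings = []
    for brand, pattern in BRAND_PATTERNS.items():
        # Brand keyword present, but the registrable domain is not the brand's own.
        if pattern.search(host) and reg not in LEGIT_DOMAINS[brand]:
            findings.append(f"lookalike:{brand}")
    for match in PAN_RE.finditer(parsed.path + "?" + parsed.query):
        if luhn_ok(match.group()):
            findings.append("pan_in_url")
            break
    return {"host": host, "registrable": reg, "findings": findings}


# Constructed proxy log lines; the two look-alike hosts mirror the article's indicators.
SAMPLE_PROXY_LOG = [
    "2022-03-01T10:12:03Z 10.0.0.5 GET https://www.micard.co.jp/login",
    "2022-03-01T10:14:51Z 10.0.0.7 GET https://miicarrid[.]co[.]jp.sdsfsee[.]top/login",
    "2022-03-01T10:16:20Z 10.0.0.7 GET https://www1[.]amerxcanexpress[.]tp.bhisjcn[.]jp/card?no=4111111111111111&exp=0825",
    "2022-03-01T10:20:00Z 10.0.0.9 GET https://www.americanexpress.com/",
]


def scan_log(lines):
    """Return (url, findings) for every log line that trips at least one check."""
    alerts = []
    for line in lines:
        url = line.split()[-1]
        result = analyze_url(url)
        if result["findings"]:
            alerts.append((url, result["findings"]))
    return alerts


if __name__ == "__main__":
    for url, findings in scan_log(SAMPLE_PROXY_LOG):
        print(url, "->", ", ".join(findings))
```

The look-alike check deliberately keys on the registrable domain rather than on string similarity of the whole hostname, because that is exactly the trick both campaigns rely on: the leading labels can spell the brand perfectly while the part that actually identifies the owner is an unrelated `.top` or `.jp` registration. The card-number check pairs a length filter with Luhn so that timestamps and session tokens in query strings do not page the SOC.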

Interestingly, while analyzing the American Express campaign, the Menlo Labs team found a stylesheet (laydate.css) requested from the path “/admin/im/css/modules/laydate/default/laydate.css?v=5.3.1” which failed to load.

Following the “/admin” path, we found what looked like an attacker’s control panel where the attacker could have seen all of the phished data. Although the team was unfortunately unable to access it, it helped clarify that the threat actor was likely of Chinese descent.

Adopt best practices to protect against repeatable threats

The number of similarities between the Amex and MICARD campaigns suggests that the threat actor has developed a repeatable methodology that could be extended to impersonate many other brands using a fixed set of tactics, techniques, and procedures (TTPs) or a specific phishing kit.

Indeed, there are several common points that we identified. The phishing pages were hosted on four IP addresses, used the same URL naming patterns, and were registered through the registrar Namesilo LLC. In addition, each was served over TLS with a certificate issued by Let's Encrypt, the free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

While MICARD has shown that it is aware of the campaign, having issued a statement advising its customers to beware of brand-impersonating emails, the threat actor is likely to keep producing new impersonation sites targeting other financial institutions, moving from brand to brand as its existing sites are blocked.

Indeed, it is only one campaign among thousands of similar attempts. As threat actors continue to advance their techniques in volume, reach, and sophistication, organizations and their employees must respond by adopting best practices to prevent the potential success of phishing attempts.

With approximately 19 out of 20 cyberattacks reported to involve human error in some way, security strategies must first begin with heightened awareness of potential threats and caution.

Beyond that, however, organizations should also adopt multi-factor authentication (MFA) whenever possible to reduce the risk of misuse of credentials if compromised.
