The Menlo Labs research team recently analyzed a malicious infrastructure carrying out phishing attacks against Japanese MICARD and American Express users. The threat actor behind this infrastructure is actively spinning up new domains and websites with the same attack Tactics, Techniques, and Procedures (TTPs). We assess with moderate confidence that the threat actor is of Chinese origin; additional details are found later in the article (Figure 6).
Based on our research and OSINT (Open Source Intelligence) analysis, the initial vector of these attacks is an email containing a link that directs the intended target to the phishing page. We also came across an advisory from MICARD warning its users about phishing emails impersonating the brand.
The brands targeted by the threat actor were MICARD and American Express. The MICARD phishing pages used geofencing, serving the phishing content only to visitors arriving from Japanese IP addresses; requests from other countries are not answered with the phishing page, which also hampers analysis from outside Japan. We detail the workings of the phishing pages for each targeted brand below.
The MICARD phishing URL we analyzed was miicarrid[.]co[.]jp[.]sdsfsee[.]top. Note the structure: a lookalike of the legitimate micard.co.jp is placed as a subdomain in front of an unrelated, throwaway .top domain, so a victim who only reads the left-hand part of the address sees a familiar name. Upon visiting this website from a Japanese IP address, the user is presented with a login page requesting credentials (Figure 1).
Upon submitting the credentials, the victim is redirected to a second page hosted on the same domain, https://miicarrid[.]co[.]jp[.]sdsfsee[.]top/login.php, which asks for the MICARD card number and account details (Figure 2).
Upon submitting those details, the victim is redirected to the legitimate MICARD website, micard.co.jp, which again asks for credentials; to the victim this looks like a failed first login attempt rather than a theft.
Everything the victim enters is posted, during the redirection, to the path api.php?p=1 on the same phishing domain (Figure 3).
The American Express phishing URL we analyzed was www1[.]amerxcanexpress[.]tp[.]bhisjcn[.]jp, built on the same pattern (a brand lookalike prefixed to a throwaway registrable domain). Upon visiting this website from a Japanese IP address, the user is presented with a login page requesting credentials. The subsequent stages post the captured credentials through the same mechanism as the MICARD phishing page (Figure 4).
While analyzing the page source, we noticed that it attempted to load a stylesheet, laydate.css, from the path “/admin/im/css/modules/laydate/default/laydate.css?v=5.3.1” (laydate is the date-picker module of the Chinese layui front-end library). Although the file failed to load, the path told us that an “/admin” directory exists on the server, so we decided to see what it contained (Figure 5).
We then requested the “/admin” path and found what appears to be a control panel. We were not able to access it during the time of analysis (Figure 6). This is the attacker panel on which we base our assessment that the operator is Chinese. A logged-in operator would be able to see the submitted credentials and possibly other information about the victims.
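The pivot above (an asset path referenced by the phishing page reveals a directory worth probing) can be done mechanically: collect every same-host reference in the page's HTML and list their ancestor directories, shallowest first. The following is an added example written for this article, not Menlo Labs' or the kit's own code; the HTML is a constructed sample that mimics the stylesheet reference described above, and the hostname phish.example.test is a placeholder. It only derives candidate paths; requesting them is a separate step that should be done from an isolated analysis host (and, for this campaign, from a Japanese egress address because of the geofencing).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page resembling the markup described in the article.
# This is NOT the kit's real HTML; only the laydate.css path mirrors the text.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/admin/im/css/modules/laydate/default/laydate.css?v=5.3.1">
<script src="/static/js/login.js"></script>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
</head><body>
<form action="login.php" method="post"><input name="user"><input name="pass"></form>
<img src="img/logo.png">
</body></html>
"""

# Placeholder URL of the page under analysis (assumption for the example).
PAGE_URL = "https://phish.example.test/index.php"


class AssetCollector(HTMLParser):
    """Collect every href, src and action attribute value on the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append(value)


def same_host_paths(html, page_url):
    """Resolve each reference against page_url and keep the paths on the same host.

    Third-party CDN references are dropped; query strings such as ?v=5.3.1
    are removed so only the server-side path remains.
    """
    parser = AssetCollector()
    parser.feed(html)
    origin = urlsplit(page_url)
    paths = []
    for ref in parser.refs:
        parts = urlsplit(urljoin(page_url, ref))
        if parts.netloc == origin.netloc and parts.path:
            paths.append(parts.path)
    return paths


def candidate_directories(html, page_url):
    """Return every ancestor directory of a same-host asset, shallowest first.

    Each directory is one the kit itself has told us exists, which makes it a
    sensible first place to look for a control panel (here /admin/).
    """
    dirs = set()
    for path in same_host_paths(html, page_url):
        segments = path.strip("/").split("/")[:-1]  # drop the file name itself
        for depth in range(1, len(segments) + 1):
            dirs.add("/" + "/".join(segments[:depth]) + "/")
    return sorted(dirs, key=lambda d: (d.count("/"), d))


if __name__ == "__main__":
    for directory in candidate_directories(SAMPLE_HTML, PAGE_URL):
        print(directory)
```

On the sample page the first candidate is /admin/, followed by the other top-level directories and then the deeper paths; a real kit will usually also leak its panel location through JavaScript files and form actions, which is why those attributes are collected too.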
During our analysis we identified several phishing domains for the targeted brands hosted on four IP addresses (the addresses and the domains are listed at the end of this article):
It is likely that the same attacker is reusing the same TTPs to create the phishing pages, or is using a phishing kit covering the targeted brands. Three TLDs (club, jp, and top) were used by the domains that have resolved to these IP addresses since June 2022, with “top” being the most heavily used TLD in the attacker infrastructure (Figure 7). Across all three TLDs the naming pattern is constant: a misspelled or lookalike brand host name, often with a fake “co.jp” or “com” label, is placed as a subdomain in front of a short, random-looking registrable domain.
Some of the interesting findings, commonalities, and observations in our research are:
Another curious item we noticed is that one of the domains, www2[.]shinseiclub[.]com[.]famerucarf1[.]jp, changed content a couple of times over the course of our analysis (Figure 8).
It started as an online service login page for a credit card issued by APLUS, a company of Shinsei Bank, but ended up as an American Express site (Figure 9), which suggests that the operator repurposes hosts rather than registering a fresh domain for every brand.
Based on the intelligence and the TTPs gathered, we assess with moderate confidence that the threat actor is of Chinese origin. The threat actor is likely to add more targeted brands alongside MICARD and American Express.
Menlo Labs assesses that this threat actor will most likely keep creating new infrastructure and impersonating other brands as existing phishing sites are identified and blocked. Menlo Labs recommends that users remain cautious when entering credentials on websites reached via email links or attachments. As a preventive measure, two-factor or multi-factor authentication provides an extra layer of security if a password is compromised, with one caveat: a one-time code typed into a phishing page can be relayed by the attacker just as the password was, so authenticators bound to the site origin (FIDO2/WebAuthn security keys or passkeys) are the stronger defense, because the credential cannot be exercised from a lookalike domain.
IP addresses hosting the phishing domains:
209.141.51.134
209.141.44.114
45.81.5.197
45.86.70.157
Phishing domains observed on this infrastructure:
miicarrid[.]co[.]jp[.]sdsfsee[.]top
miicarrid[.]co[.]jp[.]frruuy[.]top
mhuirrid[.]co[.]jp[.]tuuiyy[.]top
mdinsd[.]co[.]jp[.]gnjkg[.]top
mhuirrid[.]co[.]jp[.]ghbdc[.]top
miicarrid[.]co[.]jp[.]dhssu[.]top
miicarrid[.]co[.]jp[.]dfgtto[.]top
sanyuicare[.]co[.]jp[.]dozerov[.]top
mmiicard[.]co[.]jp[.]drampor[.]top
miicard22[.]co[.]jp[.]docmer[.]club
miioard[.]co[.]jp[.]dakejer[.]club
www2[.]miicard[.]co[.]jp[.]boweron[.]club
www2[.]miicard[.]co[.]jp[.]bredkmk[.]club
www2[.]americanexpres[.]com[.]cenmksl[.]club
www[.]ameriicanexprress[.]com[.]acemoer[.]club
www[.]micard[.]co[.]jp[.]cmerove[.]club
www[.]xgyufanexpres[.]tp[.]hjbwwj[.]jp
www[.]asetrxcanezxres[.]tp[.]cfdymtj[.]jp
www[.]xcerxcanexpres[.]tp[.]ncjsnf[.]jp
www[.]amerxcanezxres[.]tp[.]txjjzyzq[.]jp
www1[.]aenjrcanexpres[.]tp[.]bhuidanj[.]jp
www[.]amejrcanexpres[.]tp[.]emexecag[.]jp
www2[.]amerxcanexpres[.]tp[.]buycjso[.]jp
www[.]amerxcanexpres[.]tp[.]amesecad[.]jp
www1[.]amerxcanexpress[.]tp[.]bhisjcn[.]jp
www2[.]sinsebonk[.]com[.]bdsag[.]jp
www[.]sinsebonk[.]com[.]amercanmisecad[.]jp
yzkjc[.]co[.]jp[.]cfdymtj[.]top
eeqxcgh[.]co[.]jp[.]rdstna[.]top
yzkjc[.]co[.]jp[.]mthzsqk[.]top
ysrybx[.]co[.]jp[.]kjglhys[.]top
njswa[.]co[.]jp[.]sjdyr[.]top
kfqs[.]co[.]jp[.]bszya[.]top
xflsbw[.]co[.]jp[.]gedaz[.]top
tjjdry[.]co[.]jp[.]gdzsd[.]top
kfqs[.]co[.]jp[.]lqjgeqt[.]top
bxkqxz[.]co[.]jp[.]ghfgb[.]top
www2[.]americanexpress[.]jp[.]bdsjka[.]jp
www2[.]shinseiclub[.]com[.]famerucarf1[.]jp
www1[.]amaricanexpes[.]jp[.]fmicard88[.]top
www5[.]wibmiicard[.]co[.]jp[.]fmicard12[.]top
www[.]supper[.]ameriicanexpres[.]top
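The naming pattern shared by the domains above, and discussed in the TTP section earlier in the article, can be checked mechanically: split the hostname into subdomain and registrable domain, flag a subdomain that itself ends in a public suffix (a fake brand.co.jp or brand.com glued in front of a throwaway domain), and flag a subdomain or registrable label within a few edits of a protected brand domain. The following is an added example written for this article, not Menlo Labs code or any product's detection logic. The public-suffix table and the protected-brand list are deliberately small, hand-made sets for the example; a real deployment would use the full Public Suffix List (for instance through the tldextract package) and its own brand inventory.

```python
import re

# Minimal public-suffix table covering the TLDs seen in this campaign.
# Assumption for the example: production code would load the full Public
# Suffix List instead of this hand-made set.
PUBLIC_SUFFIXES = {"top", "club", "jp", "co.jp", "com"}

# Protected brands keyed by their genuine registrable domain (constructed list).
PROTECTED = {
    "micard.co.jp": "MICARD",
    "americanexpress.com": "American Express",
    "americanexpress.jp": "American Express",
    "shinseiclub.com": "Shinsei Bank (APLUS card)",
}


def refang(host):
    """Turn a defanged indicator such as 'a[.]b[.]top' into a lowercase hostname."""
    return host.replace("[.]", ".").strip(".").lower()


def split_host(host):
    """Split a hostname into (subdomain, registrable domain) using PUBLIC_SUFFIXES.

    The longest matching suffix wins, so 'www.micard.co.jp' gives
    ('www', 'micard.co.jp') while 'miicarrid.co.jp.sdsfsee.top' gives
    ('miicarrid.co.jp', 'sdsfsee.top').
    """
    labels = refang(host).split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:-n - 1]), ".".join(labels[-n - 1:])
    return "", ".".join(labels)


def levenshtein(a, b):
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host, max_distance=3):
    """Classify one hostname as 'legit', 'phish' or 'unknown', with a reason.

    Two independent signals are checked:
      1. structural: the subdomain itself ends in a public suffix, i.e. a fake
         registrable domain (brand.co.jp, brand.com) sits in front of an
         unrelated throwaway domain;
      2. lexical: the subdomain, or the registrable domain's own label, is
         within max_distance edits of a protected brand domain.
    """
    sub, reg = split_host(host)
    if reg in PROTECTED:
        return "legit", f"{reg} is the genuine {PROTECTED[reg]} domain"

    core = re.sub(r"^www\d*(\.|$)", "", sub)  # drop www, www1, www2 ... prefixes
    findings = []

    core_labels = core.split(".") if core else []
    for n in (2, 1):
        if len(core_labels) > n and ".".join(core_labels[-n:]) in PUBLIC_SUFFIXES:
            findings.append(f"fake registrable domain '{core}' prefixed to '{reg}'")
            break

    best = None
    for brand_domain, brand in PROTECTED.items():
        d_sub = levenshtein(core, brand_domain) if core else max_distance + 1
        d_reg = levenshtein(reg.split(".")[0], brand_domain.split(".")[0])
        d = min(d_sub, d_reg)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, brand_domain, brand)
    if best:
        findings.append(f"within {best[0]} edits of {best[1]} ({best[2]})")

    if findings:
        return "phish", "; ".join(findings)
    return "unknown", "no protected brand matched"


if __name__ == "__main__":
    # Three indicators from the list above plus two benign hosts.
    for h in ["miicarrid[.]co[.]jp[.]sdsfsee[.]top",
              "www1[.]amerxcanexpress[.]tp[.]bhisjcn[.]jp",
              "www2[.]sinsebonk[.]com[.]bdsag[.]jp",
              "www.micard.co.jp", "example.com"]:
        print(h, *assess(h))
```

The structural signal is the more robust of the two for this campaign: several of the listed hosts (the yzkjc/kfqs/tjjdry family, or sinsebonk.com) carry no recognisable brand string, yet every one of them still has a fake co.jp or com label in the subdomain, which a legitimate site has no reason to use. The edit-distance check catches the spelled-out lookalikes (miicarrid, amerxcanexpress) and should be tuned per brand, since a threshold of three edits on a short label such as micard is looser than on americanexpress.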