Menlo Labs | Jul 26, 2022
The Menlo Labs research team recently analyzed a malicious infrastructure carrying out phishing attacks against Japanese MICARD and American Express users. The threat actor behind this infrastructure is actively spinning up new domains and websites with the same attack Tactics, Techniques, and Procedures (TTPs). We assess with moderate confidence that the threat actor is of Chinese origin; additional details are found later in the article (Figure 6).
Based on our research and OSINT (Open Source Intelligence) analysis, the initial vector of these attacks is an email with a link that directs the intended target to the phished page. We even came across an advisory and guidance from MICARD informing its users to be cautious of phishing emails impersonating their brand.
The brands that were targeted by the threat actor were MICARD and American Express. The MICARD phishing pages used the geofencing technique to allow only Japanese IPs to access the website. We detail the working of these phishing pages associated with the targeted brands below.
The phishing URL targeting the MICARD page we analyzed was miicarrid[.]co[.]jp.sdsfsee[.]top. Upon visiting this website from a Japanese IP address, the user is presented with a login page requesting credentials (Figure 1).
Upon entering the credentials, the victim is redirected to another page hosted on the same domain: https://miicarrid[.]co[.]jp.sdsfsee[.]top/login.php. This page asks the user to enter their MICARD card number and account details (Figure 2).
Upon entering these details, the victim is redirected to the legitimate MICARD website, micard.co.jp, which again asks the victim to enter credentials for authentication.
All the credentials entered by the victim are recorded during the redirection by the URL path “api.php?p=1” of the same phished page (Figure 3).
The phishing URL we analyzed for American Express is www1[.]amerxcanexpress[.]tp.bhisjcn[.]jp. Upon visiting this website from a Japanese IP address, the user is presented with a login page requesting credentials. The next stage of this attack goes through the same mechanisms to post the credentials as were used for the MICARD phishing page (Figure 4).
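Both hosts above follow the same pattern: a brand-like label (miicarrid, amerxcanexpress) placed in a subdomain while the registrable domain (sdsfsee[.]top, bhisjcn[.]jp) belongs to the attacker. The following detector, an added example that is not part of the Menlo Labs post, flags that pattern in proxy logs; the log lines and the legitimate American Express domain used for comparison are constructed assumptions, and the public-suffix handling is deliberately minimal.

```python
import re

# Brand labels impersonated on the page, mapped to their legitimate registrable
# domain. micard.co.jp is from the page; americanexpress.com is an assumption.
BRANDS = {"micard": "micard.co.jp", "americanexpress": "americanexpress.com"}
# Minimal public-suffix handling, enough for the TLDs on the page (top, club, jp, co.jp).
MULTI_LABEL_SUFFIXES = {"co.jp"}
HOST_RE = re.compile(r"https?://([^/\s]+)")

def registrable_domain(host):
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a, b):
    # Levenshtein distance, single-row iterative form.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def collapse(s):
    # Fold doubled letters ("miicarrid" -> "micarid") so padding tricks stay within threshold.
    return re.sub(r"(.)\1+", r"\1", s)

def lookalike_brand(host):
    """Return (brand, label) when a subdomain label resembles a brand but the
    registrable domain is not that brand's own domain; otherwise None."""
    reg = registrable_domain(host)
    for label in host.lower().split(".")[:-2]:
        for brand, legit in BRANDS.items():
            if reg != legit and edit_distance(collapse(label), collapse(brand)) <= 2:
                return brand, label
    return None

# Constructed proxy log lines (defanged hosts as on the page); not real traffic.
LOG_LINES = [
    "2022-06-14T09:01:22Z 10.0.0.12 GET https://miicarrid[.]co[.]jp.sdsfsee[.]top/login.php",
    "2022-06-14T09:02:10Z 10.0.0.12 GET https://www1[.]amerxcanexpress[.]tp.bhisjcn[.]jp/",
    "2022-06-14T09:03:05Z 10.0.0.33 GET https://www.micard.co.jp/",
]

def scan_log(lines):
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            host = m.group(1).replace("[.]", ".")  # refang before parsing
            found = lookalike_brand(host)
            if found:
                hits.append((host, found[0]))
    return hits
```

The legitimate www.micard.co.jp line is not flagged because its registrable domain is the brand's own; only hosts that carry the brand label under a foreign registrable domain are reported.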
While analyzing the code, we noticed that the page was trying to load a stylesheet (laydate.css) from the path “/admin/im/css/modules/laydate/default/laydate.css?v=5.3.1”. Although this file failed to load, we decided to see what might be in the “/admin” path (Figure 5).
We then loaded the path “/admin” and got a possible control panel! Unfortunately, we weren’t able to access it during the time of analysis (Figure 6). This is the attacker panel, and it is the basis for our assessment that the actor is Chinese. The threat actor would be able to log in and see the submitted credentials and possibly other information.
During our analysis, we identified several phishing domains impersonating the targeted brands hosted on these four IP addresses:
It is likely that the same attacker is reusing the same attack TTPs to create the phishing pages, or is using a phishing kit for the targeted brands. Three TLDs — club, jp, and top — were used by the domains resolving to these IP addresses from June 2022. The TLD used most often in the attacker infrastructure was “top” (Figure 7).
Some of the interesting findings, commonalities, and observations in our research are:
Another curious item we noticed is that one of the domains, www2[.]shinseiclub[.]com.famerucarf1[.]jp, changed a couple of times over the course of analysis (Figure 8).
It started as an online service login page for a credit card issued by APLUS, a company of Shinsei Bank, but it ended up as an American Express site (Figure 9).
Based on the intelligence and the TTPs gathered, we assess with moderate confidence that the threat actor is of Chinese origin. The threat actor is likely to add more targeted brands alongside MICARD and American Express.
Menlo Labs assesses that this threat actor will most likely keep creating new infrastructure and impersonating other brands as more phishing sites are identified and blocked. Menlo Labs recommends that users remain cautious when entering credentials on websites that arrive via email links or attachments. As a preventive measure, using two-factor or multi-factor authentication can provide an extra layer of security if the credentials are compromised.