
Phishing Campaign Targets Japanese Taxpayers

Scammers impersonating National Tax Agency to steal V-Preca Card details

During a routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post in which a researcher described a new phishing campaign imitating the website of the National Tax Agency. The campaign targets Japanese users by tricking them into sharing sensitive information with Threat Actors (TAs).

Technical Analysis

The TAs cloned the legitimate National Tax Agency website and hosted the clone on a typo-squatted domain to lure users to their phishing site. The figure below shows the fake website alongside the legitimate National Tax Agency website.

Figure 1 – Fake and Legitimate websites of the “National Tax Agency”

Upon visiting the fake site, users are shown a false alert titled “Final notice of seizure,” reminding them to pay any unpaid income tax. The TAs further threaten victims that their real estate, automobiles and other registered property, as well as their salaries and accounts receivable, will be seized if the tax is not paid by the stated deadline.

The below figure shows the translated phishing website’s false pop-up message.

Figure 2 – False pop-up message

After clicking the “to payment” button in the pop-up message, users are redirected to hxxps://ntagoi-jp[.]qgvvtoq[.]cn/884412781[.]php. There they are prompted to enter Personally Identifiable Information (PII) such as their email address, phone number and name, and then to select a payment method for the transaction.

By default, the “Electronic money (v Preca issuing code)” payment method is selected, and the other methods, such as credit card and internet banking, are disabled and cannot be chosen.

This indicates that the TAs force victims to pay only through the “Electronic money (v Preca issuing code)” option, as shown below.

Figure 3 – Final notice of seizure and payment method

When the user clicks the “to the next” button after entering their personal details, the fake website sends those details to hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putinfo[.]php.

The phishing site then redirects the user to hxxps://ntagoi-jp[.]qgvvtoq[.]cn/374043132[.]php, which displays the page shown below.

Figure 4 – Sending victim’s personal details to the TA

The new page asks victims to enter their “V-Preca (Internet-only Visa Prepaid Card)” details for the transaction, indicating that this campaign specifically targets the details of V-Preca cards that the victim has already purchased.

When the user clicks the “Proceed to Payment” button, the phishing site sends the card details to hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php and then redirects the victim to hxxps://ntagoi-jp[.]qgvvtoq[.]cn/687457083[.]php.

The figure below depicts the new page shown to victims.

Figure 5 – V-Preca ticket photo document upload page

This page asks victims to upload a photo (in .jpeg format) of the ticket they received when purchasing their V-Preca card.

When the user clicks the “to the next” button, the uploaded image is sent to hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php.

After displaying a “payment completed” message, the site redirects the victim to the legitimate National Tax Agency website, as shown in the figure below.

Figure 6 – Payment completed page & Legitimate site redirection

With the ticket information and the stolen card details, the TAs can easily drain the victim's prepaid card balance. The figure below shows the URL generated for the uploaded .jpeg image before it is sent to the TA.

Figure 7 – Sending uploaded images of V-Preca tickets to TA
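The flow above gives a defender six concrete URLs on one host, and every domain in the IOC list at the end of this report has the same shape, ntagoi-jp.<label>.cn. The following Python script is an added example (not code from the report or from Cyble) that refangs the listed indicators, labels any URL on such a host as a data-collection endpoint (putinfo.php, putcard.php, putimg.php), a documented phishing page, or an uncatalogued sibling domain, and runs that over a few constructed proxy-log lines. The log lines, the client IPs and the www.example.com and ntagoi-jp.example.net URLs are invented for the demonstration.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Indicators exactly as the report lists them (kept defanged on purpose).
PHISHING_ENDPOINTS = [
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/884412781[.]php",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putinfo[.]php",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/374043132[.]php",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/687457083[.]php",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php",
]

# Scripts that receive victim data (PII, card details, ticket photo).
EXFIL_SCRIPTS = ("putinfo.php", "putcard.php", "putimg.php")

# Every domain in the IOC list has the shape ntagoi-jp.<label>.cn, so match
# the shape rather than only the exact hosts to catch sibling domains too.
SIBLING_DOMAIN = re.compile(r"^ntagoi-jp\.[a-z0-9-]+\.cn$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a usable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


KNOWN_URLS: Set[str] = {refang(u) for u in PHISHING_ENDPOINTS}


def classify_url(url: str) -> Optional[str]:
    """Label a URL from this campaign, or return None if it is unrelated."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not SIBLING_DOMAIN.match(host):
        return None
    script = parsed.path.rsplit("/", 1)[-1]
    if script in EXFIL_SCRIPTS:
        return "exfil:" + script        # victim data was submitted here
    if url.split("?", 1)[0] in KNOWN_URLS:
        return "phishing-page"          # a page from the documented flow
    return "sibling-domain"             # same pattern, not yet catalogued


# Constructed proxy log (not real traffic): "<epoch> <client> <method> <url>".
SAMPLE_LOG = """\
1667000001.101 10.0.0.12 GET https://www.example.com/index.html
1667000002.204 10.0.0.12 GET https://ntagoi-jp.qgvvtoq.cn/884412781.php
1667000003.330 10.0.0.12 POST https://ntagoi-jp.qgvvtoq.cn/putinfo.php
1667000004.412 10.0.0.12 POST https://ntagoi-jp.qgvvtoq.cn/putcard.php
1667000005.550 10.0.0.12 POST https://ntagoi-jp.qgvvtoq.cn/putimg.php
1667000006.600 10.0.0.33 GET https://ntagoi-jp.tifrrqf.cn/
1667000007.700 10.0.0.33 GET https://ntagoi-jp.example.net/putcard.php
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, label) for every log line that hits the campaign."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits


def clients_needing_response(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Clients that reached a collection endpoint: their data has already left,
    so they need a card-cancellation / identity-fraud response, not just a block."""
    return sorted({client for client, _, label in hits if label.startswith("exfil:")})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, url, label in found:
        print(f"{client:10} {label:22} {url}")
    print("respond to:", clients_needing_response(found))
```

The distinction between a page view and a hit on one of the put*.php scripts matters for response: a client that only loaded 884412781.php saw the lure, while a client that posted to putcard.php has already handed over card details.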

FakeCop Distributing via Fake National Tax Agency Smishing Campaign

Additionally, CRIL identified a separate smishing campaign in which the TAs send phishing SMS messages to Japanese citizens, pretending to be legitimate messages from the National Tax Agency. The smishing message reads: “[National Tax Agency] Please be sure to read this important notice. hxxps://cutt[.]ly/YXZfAMP”.

Figure 8 – National tax Agency Smishing Campaign (Twitter)

When the user opens the phishing link on an Android device, the short URL redirects them to a fake AU website. AU is a mobile phone operator based in Japan.

The phishing site then deceives the user into downloading a malicious APK masquerading as the AU mobile security application provided by KDDI Corporation.

If the victim opens the short URL on an iPhone, the link instead redirects to the fake National Tax Agency website. The fake site demands a 40,000 Yen income tax payment and warns the victim to pay before the deadline to avoid seizure of their registered properties.
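Because the short link hands Android and iPhone users different destinations, resolving it from a single analysis machine shows only one branch. The Python below is an added example (not code from the report or from Cyble) of how a triage script can walk a redirect chain hop by hop under several User-Agents and flag device-conditional delivery. It includes a real fetcher built on urllib that refuses to auto-follow redirects, but the demonstration itself runs against a constructed redirect table with placeholder example hosts, not the live cutt.ly link; sending a desktop browser to the same page as the iPhone is an assumption made for the table, not something the report states.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# fetch(url, user_agent) -> (status, Location header or None); redirects are
# not followed by the fetcher so that every hop is visible to the caller.
Fetcher = Callable[[str, str], Tuple[int, Optional[str]]]

USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/106.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/106.0 Safari/537.36",
}


def live_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: one request, redirects NOT followed (use from an isolated host)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turns the 3xx into an HTTPError that we catch below

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def follow_chain(url: str, user_agent: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Walk the redirect chain hop by hop and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in chain:  # redirect loop; stop rather than spin
            break
        chain.append(nxt)
    return chain


def cloaking_check(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Resolve the same link under each User-Agent; 'cloaked' means the landing pages differ."""
    finals = {name: follow_chain(url, ua, fetch)[-1] for name, ua in USER_AGENTS.items()}
    return {"final": finals, "cloaked": len(set(finals.values())) > 1}


# Constructed redirect table standing in for the short-URL service and landing
# pages (not captured traffic; the example hosts are placeholders).
FAKE_EDGE = {
    ("https://short.example/abc", "android"): (302, "https://au-security.example/"),
    ("https://short.example/abc", "iphone"): (302, "https://nta-notice.example/"),
    ("https://short.example/abc", "desktop"): (302, "https://nta-notice.example/"),
}


def fake_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for live_fetch that serves FAKE_EDGE by device family."""
    if "Android" in user_agent:
        family = "android"
    elif "iPhone" in user_agent:
        family = "iphone"
    else:
        family = "desktop"
    return FAKE_EDGE.get((url, family), (200, None))


if __name__ == "__main__":
    print(cloaking_check("https://short.example/abc", fake_fetch))
```

To run this against a real link, pass live_fetch instead of fake_fetch from a sandboxed host; a result of cloaked=True with a mobile-only branch is the behaviour described above and is itself a strong signal that the link is not a genuine government notice.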

Our detailed investigation of the malware and its associated campaign leads us to believe that Roaming Mantis, a TA operating out of China, is running this smishing campaign and distributing this variant of the FakeCop Android malware.

We have observed over 20,000 malicious samples related to this smishing campaign in the last 3 months, indicating that the TA is actively targeting Japan.

Technical Analysis

APK Metadata Information

  • App Name: KDDIセキュリティ (KDDI Security)
  • Package Name: ijaidjefeed.jeifjaadefe.bigbdbdbebf
  • SHA256 Hash: 14fff9319b49ed4cc6e4141f3e894106b2e2b22bc31bf8a9847db1b65a552188

The figure below shows the metadata information of the application.

Figure 9 – App Metadata Information

Manifest Description

The harmful permissions requested by the malware are:

Permission – Description
RECEIVE_SMS – Allows an application to receive SMS messages
READ_SMS – Allows an application to read the phone's SMS messages
SEND_SMS – Allows an application to send SMS messages
READ_CONTACTS – Allows an application to read the user's contacts data
CALL_PHONE – Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
GET_ACCOUNTS – Allows access to the list of accounts in the Accounts Service
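A security app has no business receiving, reading and sending SMS, and the combination of all three is what lets the malware relay messages and then hide them. The Python below is an added example (not code from the report or from Cyble) of a manifest triage that pulls the uses-permission entries out of an AndroidManifest.xml, checks for that SMS triad and for a receiver registered on the SMS_RECEIVED broadcast, and returns a verdict. The manifest it runs on is constructed from the permission list and package name above; the SmsReceiver component and its intent filter are an assumption added to show the receiver check, not something taken from the sample.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree's key for android:name

# The permissions listed in the report for this sample, and what each enables
# for an app that claims to be a "security" product.
WATCHLIST: Dict[str, str] = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (bank OTPs)",
    "android.permission.READ_SMS": "read the SMS inbox",
    "android.permission.SEND_SMS": "send SMS to numbers chosen by the server",
    "android.permission.READ_CONTACTS": "harvest the contact list",
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
}
SMS_TRIAD = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def extract_permissions(manifest_xml: str) -> List[str]:
    """All <uses-permission android:name=...> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)]


def has_sms_receiver(manifest_xml: str) -> bool:
    """True if any <receiver> registers an intent filter for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) == SMS_RECEIVED:
                return True
    return False


def triage(manifest_xml: str) -> Dict[str, object]:
    """Heuristic verdict: suspicious if the app can relay SMS or hooks SMS delivery."""
    perms = set(extract_permissions(manifest_xml))
    flagged = sorted(p for p in perms if p in WATCHLIST)
    sms_relay = SMS_TRIAD <= perms            # receive + read + send
    sms_receiver = has_sms_receiver(manifest_xml)
    if sms_relay or sms_receiver:
        verdict = "suspicious"
    elif flagged:
        verdict = "review"
    else:
        verdict = "benign"
    return {
        "flagged": flagged,
        "reasons": [WATCHLIST[p] for p in flagged],
        "sms_relay": sms_relay,
        "sms_receiver": sms_receiver,
        "verdict": verdict,
    }


# Constructed manifest: permissions and package name from the report; the
# SmsReceiver component below is assumed for the demonstration.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ijaidjefeed.jeifjaadefe.bigbdbdbebf">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="KDDIセキュリティ">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed control case: a network-only app with no SMS or contact access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

The verdict is a triage heuristic, not a classifier: a genuine SMS client legitimately holds the triad, so the score is only meaningful against what the app claims to be. For a fake mobile-security app, any one of these hits is enough to pull the sample for manual review.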

Source Code Review

The downloaded malicious application pretends to be the AU mobile security application developed by KDDI in order to appear genuine.

Figure 10 – Malware pretending to be AU mobile security app

The malware receives commands from the server and collects sensitive data such as contact lists, SMS data, installed application data, and other data from an infected device.

Cyble Research & Intelligence Labs has analyzed the FakeCop variant in the past, where the TA used a different smishing theme to lure victims into downloading malicious apps.

The malware first connects to a proxy URL, hxxp://220105[.]top, from which it receives the Command and Control (C&C) server URL used for all further communication.

Figure 11 – Proxy URL fetching the C&C server

Apart from collecting sensitive information, the malware can send an SMS from the infected device to a mobile number received from the server. The TA can use this functionality to spread the malware further, infecting even more devices.

Additionally, the malware deletes SMS messages from the infected device to avoid being noticed by the victim.

Figure 12 – Malware sending and deleting SMS from an infected device

Conclusion

Phishing is a common tactic leveraged by TAs to steal personal and financial information. We have recently observed TAs becoming increasingly sophisticated in their phishing campaigns. Falling prey to a phishing scam can lead to financial consequences for the users as well as the possibility of identity fraud.

At Cyble, we believe that the best method to avoid falling victim to phishing campaigns is to exercise caution while opening any messages asking you to reveal personal information – no matter how legitimate that message may appear at first glance.

Cyble Research & Intelligence Labs actively monitors new malicious phishing campaigns to keep our readers updated with our latest findings about phishing and other types of data-stealing attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection? 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputable anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques

Tactic – Technique ID – Technique Name
Initial Access – T1476 – Deliver Malicious App via Other Means
Initial Access – T1444 – Masquerade as Legitimate Application
Persistence – T1402 – Broadcast Receivers
Credential Access – T1417 – Input Capture
Collection – T1412 – Capture SMS Messages
Collection – T1432 – Access Contacts List
Collection – T1533 – Data from Local System
Impact – T1447 – Delete Device Data
Command and Control – T1071 – Application Layer Protocol
Exfiltration – T1567 – Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Indicator – Indicator Type – Description
14fff9319b49ed4cc6e4141f3e894106b2e2b22bc31bf8a9847db1b65a552188 – SHA256 – Hash of the analyzed APK file
1691d547980d2c8faa929301c3a6aa6d958b9389 – SHA1 – Hash of the analyzed APK file
8b6c4fea9e4a6d8761c1c53525a91374 – MD5 – Hash of the analyzed APK file
hxxp://220105[.]top – URL – Proxy server
hxxp://192.186.11[.]120:6666 – URL – C&C server
hxxps://ntagoi-jp[.]qgvvtoq[.]cn – URL – Phishing domain
hxxps://ntagoi-jp[.]qgvvtoq[.]cn/884412781[.]php – URL – Phishing page (PII entry and payment method)
hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putinfo[.]php – URL – Collection endpoint for victim PII
hxxps://ntagoi-jp[.]qgvvtoq[.]cn/374043132[.]php – URL – Phishing page (V-Preca card entry)
hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php – URL – Collection endpoint for V-Preca card details
hxxps://ntagoi-jp[.]qgvvtoq[.]cn/687457083[.]php – URL – Phishing page (ticket photo upload)
hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php – URL – Collection endpoint for uploaded ticket images

Similar phishing domains – URL:
hxxps://ntagoi-jp[.]tifrrqf[.]cn
hxxps://ntagoi-jp[.]tljkcnk[.]cn
hxxps://ntagoi-jp[.]vsdevro[.]cn
hxxps://ntagoi-jp[.]pnivgtj[.]cn
hxxps://ntagoi-jp[.]ucposea[.]cn
hxxps://ntagoi-jp[.]pjeypfs[.]cn
hxxps://ntagoi-jp[.]cfrpnsp[.]cn
hxxps://ntagoi-jp[.]xdwgnec[.]cn
hxxps://ntagoi-jp[.]dgrrg[.]cn
hxxps://ntagoi-jp[.]asdnwp[.]cn
hxxps://ntagoi-jp[.]untltxa[.]cn
hxxps://ntagoi-jp[.]rpvrvwt[.]cn
hxxps://ntagoi-jp[.]pthrfl[.]cn
hxxps://ntagoi-jp[.]jgrweuh[.]cn
hxxps://ntagoi-jp[.]yozazfs[.]cn
hxxps://ntagoi-jp[.]ruilibath[.]cn
hxxps://ntagoi-jp[.]grimryc[.]cn
hxxps://ntagoi-jp[.]juhyjkm[.]cn
hxxps://ntagoi-jp[.]fatvplv[.]cn
hxxps://ntagoi-jp[.]ehxsrai[.]cn
hxxps://ntagoi-jp[.]czecnbl[.]cn
hxxps://ntagoi-jp[.]wzxiner[.]cn
hxxps://ntagoi-jp[.]zwwfrsd[.]cn
hxxps://ntagoi-jp[.]cdkkfrh[.]cn
hxxps://ntagoi-jp[.]sasqblz[.]cn
hxxps://ntagoi-jp[.]vdyyltb[.]cn
hxxps://ntagoi-jp[.]cvnuxs[.]cn
hxxps://ntagoi-jp[.]hpvyznj[.]cn
hxxps://ntagoi-jp[.]hcrkrz[.]cn
hxxps://ntagoi-jp[.]dudmbrb[.]cn
hxxps://ntagoi-jp[.]jpty0uj[.]cn
hxxps://ntagoi-jp[.]ltzdir[.]cn
hxxps://ntagoi-jp[.]orbiz[.]cn
hxxps://ntagoi-jp[.]vbcrck[.]cn
hxxps://ntagoi-jp[.]ggumnbm[.]cn
hxxps://ntagoi-jp[.]ppocxuc[.]cn
hxxps://ntagoi-jp[.]ckai3aw[.]cn
hxxps://ntagoi-jp[.]aytdawp[.]cn
hxxps://ntagoi-jp[.]mhmpwg[.]cn
hxxps://ntagoi-jp[.]uqotjhs[.]cn
hxxps://ntagoi-jp[.]ceqlkh[.]cn
hxxps://ntagoi-jp[.]rtkiruf[.]cn
hxxps://ntagoi-jp[.]ulaqajm[.]cn
hxxps://ntagoi-jp[.]wjiw08[.]cn
hxxps://ntagoi-jp[.]zyetcmu[.]cn
hxxps://ntagoi-jp[.]r3ae0e[.]cn
hxxps://ntagoi-jp[.]x4zyz4[.]cn