Scammers impersonating National Tax Agency to steal V-Preca Card details
During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned a new phishing campaign imitating the page of the National Tax Agency, which targets Japanese users by tricking users into sharing sensitive information with Threat Actors (TAs).
Technical Analysis
Initially, the TAs cloned the legitimate National Tax Agency website and used a typo-squatted domain name to trick users into visiting their phishing website. The below figure shows the difference between fake and legitimate websites of the National Tax Agency.
Upon visiting the fake site, users are shown false information alerts such as “Final notice of seizure,” reminding the user to pay any unpaid income tax. Additionally, the TAs threaten the victims stating that their real estate, automobiles, and other registered properties, salaries, and accounts receivable will be seized if they do not pay the tax by the designated deadline.
The below figure shows the translated phishing website’s false pop-up message.
After clicking the “to payment” button in the pop-up message, users are redirected to the new URL hxxps://ntagoi-jp[.]qgvvtoq[.]cn/884412781[.]php. Users are then prompted to enter their Personally Identifiable Information (PII), such as email address, phone number, and name, allowing them to select the payment method for the transaction.
By default, the “Electronic money (v Preca issuing code)” payment method is enabled, and other methods, such as credit card, internet banking, etc., are disabled permanently.
This indicates that the TAs force the victims to pay through the “Electronic money (v Preca issuing code)” only, as shown below.
When the user clicks the “to the next” button after entering their personal details, the fake website further steals their details and sends them to a URL hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putinfo[.]php.
The phishing site also redirects the user to a URL hxxps://ntagoi-jp[.]qgvvtoq[.]cn/374043132[.]php, which displays another page as shown below.
The new page allows victims to enter the “V-Preca (Internet-only Visa Prepaid Card) “details for the transaction, indicating that this campaign targets only V-Preca card details that have been purchased already.
When a user clicks the “Proceed to Payment” button, the phishing site collects and sends the card details to a URL hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php after which, it redirects the victim to the URL hxxps://ntagoi-jp[.]qgvvtoq[.]cn/687457083[.]php.
The figure below depicts the new page shown to victims.
This page asks victims to upload a photo of their ticket (in .jpeg format), which was received while purchasing their V-Preca card.
When the user clicks the “to the next” button, it sends the uploaded images to the URL hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php.
It then redirects victims to the legitimate “National Tax Agency” site after displaying a “payment completed” message, as shown in the figure below.
Using this ticket information along with stolen card details, TAs can easily steal money from their victims. The below figure shows the generated URL for the uploaded .jpeg image before it is shared with the TA.
FakeCop Distributing via Fake National Tax Agency Smishing Campaign
Additionally, CRIL identified a seprate smishing campaign where the TAs send phishing SMSs to Japanese citizens pretending to be legitimate messages from the National Tax Agency. The smishing message contains the text “[National Tax Agency] Please be sure to read this important notice. hxxps://cutt[.]ly/YXZfAMP“.
When the user opens the phishing link on their Android device, the short URL redirects the user to a fake AU website. AU is a mobile phone operator based out of Japan.
Then the phishing site deceives the user into downloading a malicious APK masquerading as an AU mobile security application provided by KDDI Corporation.
If the victim opens the short URL on an iPhone, the link redirects the victim to the fake National Tax Agency website. The fake site then asks the victim for a 40,000 Yen income tax payment and warns them to make this payment before the deadline to avoid seizure of registered properties.
The detailed investigation of the malware and it’s associated campaign leads us to believe that Roaming Mantis is a TA operating out of China, running this smishing campaign, and distributing the FakeCop Android malware variant.
We have observed over 20,000 malicious samples in the last 3 months related to this smishing campaign, indicating that the TA is actively attacking Japan.
Technical Analysis
APK Metadata Information  
- App Name: KDDIã‚»ã‚ュリティ
- Package Name: ijaidjefeed.jeifjaadefe.bigbdbdbebf
- SHA256 Hash: 14fff9319b49ed4cc6e4141f3e894106b2e2b22bc31bf8a9847db1b65a552188
  
The below figure shows the metadata information of the application. 
Manifest Description 
The harmful permissions requested by the malware are: 
| Permission | Description |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_SMS | Access phone messages |
| SEND_SMS | Allows an application to send SMS messages |
| READ_CONTACTS | Allows an application to read the user’s contacts data |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. |
| GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. |
Source Code Review 
The downloaded malicious application pretends to be the AU mobile security application developed by KDDI to appear genuine.
The malware receives commands from the server and collects sensitive data such as contact lists, SMS data, installed application data, and other data from an infected device.
Cyble Research & Intelligence Labs has analyzed the FakeCop variant in the past, where the TA used a different smishing theme to lure victims into downloading malicious apps.
The malware connects to a proxy URL hxxp://220105[.]top and then receives the Command and Control (C&C) server URL for further communication.
Apart from collecting sensitive information, the malware sends an SMS from an infected device to the mobile number received from the server. The TA could then use this functionality to spread malware resulting in the infection of even more devices.
Additionally, the malware further deletes SMSs from infected devices to avoid being noticed by the victim.
Conclusion
Phishing is a common tactic leveraged by TAs to steal personal and financial information. We have recently observed TAs becoming increasingly sophisticated in their phishing campaigns. Falling prey to a phishing scam can lead to financial consequences for the users as well as the possibility of identity fraud.
At Cyble, we believe that the best method to avoid falling victim to phishing campaigns is to exercise caution while opening any messages asking you to reveal personal information – no matter how legitimate that message may appear at first glance.
Cyble Research & Intelligence Labs actively monitors new malicious phishing campaigns to keep our readers updated with our latest findings about phishing and other types of data-stealing attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 T1444 | Deliver Malicious App via Other Means Masquerade as Legitimate Application |
| Persistence | T1402 | Broadcast Receivers |
| Credential Access | T1417 | Input Capture |
| Collection | T1412 T1432 T1533 | Capture SMS Messages Access Contacts List Data from Local System |
| Impact | T1447 | Delete Device Data |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 14fff9319b49ed4cc6e4141f3e894106b2e2b22bc31bf8a9847db1b65a552188 | SHA256 | Hash of the analyzed APK file |
| 1691d547980d2c8faa929301c3a6aa6d958b9389 | SHA1 | Hash of the analyzed APK file |
| 8b6c4fea9e4a6d8761c1c53525a91374 | MD5 | Hash of the analyzed APK file |
| hxxp//220105[.]top | URL | Proxy server |
| hxxp://192.186.11[.]120:6666 | URL | C&C server |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn | URL | phishing domain |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn/884412781[.]php | URL | Redirected phishing page |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putinfo[.]php | URL | Redirected phishing page |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn/374043132[.]php | URL | Redirected phishing page |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php | URL | Redirected phishing page |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn/687457083[.]php | URL | Redirected phishing page |
| hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php | URL | Redirected phishing page |
| hxxps://ntagoi-jp[.]tifrrqf[.]cn hxxps://ntagoi-jp[.]tljkcnk[.]cn hxxps://ntagoi-jp[.]vsdevro[.]cn hxxps://ntagoi-jp[.]pnivgtj[.]cn hxxps://ntagoi-jp[.]ucposea[.]cn hxxps://ntagoi-jp[.]pjeypfs[.]cn hxxps://ntagoi-jp[.]cfrpnsp[.]cn hxxps://ntagoi-jp[.]xdwgnec[.]cn hxxps://ntagoi-jp[.]dgrrg[.]cn hxxps://ntagoi-jp[.]asdnwp[.]cn hxxps://ntagoi-jp[.]untltxa[.]cn hxxps://ntagoi-jp[.]rpvrvwt[.]cn hxxps://ntagoi-jp[.]pthrfl[.]cn hxxps://ntagoi-jp[.]jgrweuh[.]cn hxxps://ntagoi-jp[.]yozazfs[.]cn hxxps://ntagoi-jp[.]ruilibath[.]cn hxxps://ntagoi-jp[.]grimryc[.]cn hxxps://ntagoi-jp[.]juhyjkm[.]cn hxxps://ntagoi-jp[.]fatvplv[.]cn hxxps://ntagoi-jp[.]ehxsrai[.]cn hxxps://ntagoi-jp[.]czecnbl[.]cn hxxps://ntagoi-jp[.]wzxiner[.]cn hxxps://ntagoi-jp[.]zwwfrsd[.]cn hxxps://ntagoi-jp[.]cdkkfrh[.]cn hxxps://ntagoi-jp[.]sasqblz[.]cn hxxps://ntagoi-jp[.]vdyyltb[.]cn hxxps://ntagoi-jp[.]cvnuxs[.]cn hxxps://ntagoi-jp[.]hpvyznj[.]cn hxxps://ntagoi-jp[.]hcrkrz[.]cn hxxps://ntagoi-jp[.]dudmbrb[.]cn hxxps://ntagoi-jp[.]jpty0uj[.]cn hxxps://ntagoi-jp[.]ltzdir[.]cn hxxps://ntagoi-jp[.]orbiz[.]cn hxxps://ntagoi-jp[.]vbcrck[.]cn hxxps://ntagoi-jp[.]ggumnbm[.]cn hxxps://ntagoi-jp[.]ppocxuc[.]cn hxxps://ntagoi-jp[.]ckai3aw[.]cn hxxps://ntagoi-jp[.]aytdawp[.]cn hxxps://ntagoi-jp[.]mhmpwg[.]cn hxxps://ntagoi-jp[.]uqotjhs[.]cn hxxps://ntagoi-jp[.]ceqlkh[.]cn hxxps://ntagoi-jp[.]rtkiruf[.]cn hxxps://ntagoi-jp[.]ulaqajm[.]cn hxxps://ntagoi-jp[.]wjiw08[.]cn hxxps://ntagoi-jp[.]zyetcmu[.]cn hxxps://ntagoi-jp[.]r3ae0e[.]cn hxxps://ntagoi-jp[.]x4zyz4[.]cn | URL | Similar phishing domains |
