Organized Cybercrime Big in Japan: URLZone Now on the Scene

Four months after an organized cybercrime group started using the sophisticated Shifu Trojan against Japanese banks, IBM X-Force researchers reported on a second gang setting its sights on Japanese customers with the help of the Rovnix Trojan. Now, not a month later, a third well-known cybercrime group has moved to attack 14 major Japanese banks: The URLZone team.

In what’s marking a definite trend in cybercrime migration, the move of this third organized group to attack banks in Japan is a clear indication of an evolving fraud infrastructure in the country.

Why Target Japan?

Why are these organized crime groups spreading to Japan? In most cases of malware migration, cybercriminal groups with adequate resources are looking for easier money, less security and an element of surprise. They may be counting on all these factors to see more success in their attacks, especially as they target the less-aware Japanese customers who are not as experienced with encountering cybercrime as their Western counterparts.

Japan has enjoyed some protection from most cybercrime for many years because of its linguistic specificity. While fraudsters were easily able to translate texts into English, even if imperfect or lacking, the same task was trickier when it came to Japanese. Another aspect that kept most cybercriminal factions out of Japan is the likely lack of a local infrastructure for Web fraud, which would require money mule recruitment in Japanese and local rogues to help criminals understand the banking and payment systems.

Tools and building contacts in Japan would cost cybercriminals time and money; this is often an investment they could not or did not wish to afford. The smaller Trojan-operating factions from Eastern Europe typically attack locales in which they already have resources and may not invest in building tools and a localized team for fraud in a unique language zone such as Japan.

With organized crime in the picture, the grace period for Japan has ended. Although other malware such as Tsukuba did target banks in the country, it was not until the launch of Shifu attacks that it became obvious Japan was in trouble. When it comes to organized cybercrime, Shifu’s operators laid the foundations for what came next.

One Size Fits All?

Why would a Trojan like Shifu pave the way for other attackers? According to information from actual attack campaigns, IBM X-Force researchers noted that organized cybercrime gangs share resources and buy tools from one another or from the same black-hat vendors.

Once Shifu’s group had the infection scheme set up to attack in Japanese, as well as webinjections and localized knowledge about banks in the country, much of the work was already done for other gangs who could now invest in entering the new turf. Unfortunately, cybercrime is a thriving business, and gangs are out there to make money, sometimes in furtive collaborations with one another.

Take, for example, the Rovnix Trojan. When this malware began attacking in Japan in December 2015, it unsurprisingly opted to infect users with email spam rather than its usual malvertising or drive-by downloads. This is the same way Shifu infected victims in Japan.

There are other similarities beyond using emails in Japanese. Rovnix’s developers seemed to draw on Shifu’s existing attack schemes and webinjections, perhaps by analyzing them and then applying some additional elements. These tactics are not a rarity: In October 2015, IBM X-Force researchers noted that Dridex was emulating some of Shifu’s attacks in the U.K., and Shifu was using the same webinjections deployed by Neverquest.
