Organized Cybercrime Big in Japan: URLZone Now on the Scene
Four months after an organized cybercrime group started using the sophisticated Shifu Trojan against Japanese banks, IBM X-Force researchers reported on a second gang setting its sights on Japanese customers with the help of the Rovnix Trojan. Now, not a month later, a third well-known cybercrime group has moved to attack 14 major Japanese banks: the URLZone team.
In what marks a definite trend in cybercrime migration, the move of this third organized group to attack banks in Japan is a clear indication of an evolving fraud infrastructure in the country.
Why Target Japan?
Why are these organized crime groups spreading to Japan? In most cases of malware migration, cybercriminal groups with adequate resources are looking for easier money, less security and an element of surprise. They may be counting on all these factors to see more success in their attacks, especially as they target the less-aware Japanese customers, who are not as experienced with encountering cybercrime as their Western counterparts.
Japan has enjoyed some protection from most cybercrime for many years because of its linguistic specificity. While fraudsters were easily able to translate texts into English, even if imperfectly, the same task was trickier when it came to Japanese. Another aspect that kept most cybercriminal factions out of Japan is the likely lack of a local infrastructure for Web fraud, which would require money mule recruitment in Japanese and local rogues to help criminals understand the banking and payment systems.
Tools and building contacts in Japan would cost cybercriminals time and money; this is often an investment they could not or did not wish to afford. The smaller Trojan-operating factions from Eastern Europe typically attack locales in which they already have resources and may not invest in building tools and a localized team for fraud in a unique language zone such as Japan.
With organized crime in the picture, the grace period for Japan has ended. Although other malware such as Tsukuba did target banks in the country, it was not until the launch of the Shifu attacks that it became obvious Japan was in trouble. When it comes to organized cybercrime, Shifu's operators laid the foundations for what came next.
One Size Fits All?
Why would a Trojan like Shifu pave the way for other attackers? Based on information from actual attack campaigns, IBM X-Force researchers noted that organized cybercrime gangs share resources and buy tools from one another or from the same black-hat vendors.
Once Shifu's group had the infection scheme set up to attack in Japanese, as well as webinjections and localized knowledge about banks in the country, much of the work was already done for other gangs, who could now invest in entering the new turf. Unfortunately, cybercrime is a thriving business, and gangs are out there to make money, sometimes in furtive collaborations with one another.
Take, for example, the Rovnix Trojan. When this malware began attacking in Japan in December 2015, it unsurprisingly opted to infect users with email spam rather than its usual malvertising or drive-by downloads. This is the same way Shifu infected victims in Japan.
There are other similarities beyond using emails in Japanese. Rovnix's developers seemed to draw on Shifu's existing attack schemes and webinjections, perhaps by analyzing them and then applying some additional elements. These tactics are not a rarity: in October 2015, IBM X-Force researchers noted that Dridex was emulating some of Shifu's attacks in the U.K., and Shifu was using the same webinjections deployed by Neverquest.
Read the rest of this post here.