Cybercriminals hijacked Japanese securities accounts, leading to over 3,500 fraudulent stock transactions and losses exceeding ¥300 billion from January to April 2025. Through analysis of phishing-related domains and emails, researchers uncovered thousands of connected domains, including those weaponized for phishing attacks targeting stock owners. #JapaneseStockFraud #PhishingDomains
Key points
- More than 3,500 fraudulent stock transactions were recorded in Japan from January to April 2025, causing losses over ¥300 billion.
- Seven initial phishing domains were identified as indicators of compromise related to securities account hijacking.
- Researchers used domain and DNS intelligence to uncover 36 registrant-connected domains, 7,437 email-connected domains, seven string-connected domains, 609 algorithmically found look-alike domains, and 47,232 look-alike domains from wider time frames.
- Phishing domains were newly registered between 2024 and 2025 and administered by registrars like Alibaba and Gname.com; some domains shared registrant details, indicating linkage.
- Out of 7,437 email-connected domains, 267 have been confirmed malicious and involved in phishing activity targeting stock owners.
- Ten phishing email domains related to the campaign were analyzed, revealing variable registration dates, multiple registrars including GoDaddy, and registrations mainly in the U.S., China, and India.
- Analysis of 44 masked phishing URLs identified additional malicious domains linked to finance-themed phishing attacks, supported by data from First Watch Malicious Domains Data Feed.
MITRE Techniques
- [T1566] Phishing – Used phishing domains and emails to steal credentials and hijack Japanese securities accounts, enabling fraudulent stock sales. (“phishing kit,” “phishing emails,” “domains were weaponized for attacks”)
- [T1583] Acquire Infrastructure – Attackers registered and managed thousands of new domains, some connected by registrant or email addresses to enable phishing campaigns. (“They were created between 2024 and 2025,” “administrated by registrars,” “registrant-connected domains”)
- [T1598] Phishing via Domain Spoofing – Deployment of look-alike domains and string-connected domains to deceive stock owners and facilitate credential theft. (“609 look-alike domains,” “seven string-connected domains”)
Indicators of Compromise
- [Domains] Phishing initial IoCs – evrryday[.]com, uhlkg[.]cn, zjkso[.]cn
- [Domains] Registrant-connected and email-connected domains – 36 registrant-connected domains, 7,437 email-connected domains including 015441[.]cn and b1wiv[.]cn (267 confirmed malicious)
- [Domains] Phishing email domains – cyoa[.]com, tmjs[.]net, shoken_nikko[.]cn
- [URLs] Masked phishing URLs – sbiisec****.com, sb-auth****.cloud, sec-sbi**.com among others linked to fraudulent login pages