2022-05-25

JPCERT/CC received 44,242 incident reports in 2021, of which 23,104 related to phishing sites. Based on the reported information, this article details the number of reports, the proportions of spoofed brands by industry, and the trends in the domains used for phishing sites.

Phishing sites in this article refer to unauthorised websites designed to steal credentials and other information by spoofing legitimate brands. Some of the reported phishing sites were spread via SMS as well as email.

Trend in the Number of Reported Phishing Sites and Its Ratio by Industry

Figure 1 shows the monthly trend in the number of reported phishing sites in 2021. From January to July there were fewer than 2,000 cases per month, but from around August the number continued to exceed 2,000. This is partly due to an increase in reports of phishing sites impersonating Amazon and the ETC (Electronic Toll Collection system) usage inquiry service.

Figure 1: Monthly trend in the number of reported phishing sites

Figure 2 shows a monthly trend and breakdown of reported phishing sites by industry based on all reported URLs.

Figure 2: Breakdown of reported phishing sites by industry

In 2021, phishing sites spoofing financial institution brands accounted for 31% of all phishing sites, followed by those spoofing telecommunications carriers at 27%. A distinctive feature was a surge in phishing sites spoofing government services: fewer than 30 reports per month from January to July, rising to 63 in August and 209 in September. Many of these were phishing sites impersonating the special cash handout website of MIC (the Japanese Ministry of Internal Affairs and Communications) or the COVID-19 vaccine navigation website of MHLW (the Japanese Ministry of Health, Labour and Welfare).

Breakdown of TLDs (Top-Level Domains) Used for Phishing Sites

Figure 3 shows a monthly breakdown of reported phishing sites by gTLD and ccTLD.

While the majority of phishing sites use a gTLD, 22% of all sites use a ccTLD. ccTLD stands for “country code top-level domain”; each ccTLD is allocated to a country or territory and managed by a registry designated for it. gTLD stands for “generic top-level domain”; gTLDs are not tied to a country and are allocated for general or specific purposes instead. gTLDs are possibly subject to fewer registration restrictions than ccTLDs, which would make them easier to abuse for phishing sites.

Figure 3: Breakdown of reported phishing sites by gTLD and ccTLD

Figures 4 and 5 illustrate the ratio of TLDs used for phishing sites, divided into gTLDs and ccTLDs.

Looking at the gTLD breakdown, the org domain accounted for the largest proportion (42%). This is because the services of dynamic DNS providers offering hostnames under org domains were leveraged to generate a large number of phishing sites.

Figure 4: Breakdown of gTLDs used for phishing sites

Among the ccTLDs, the cn domain made up 69%, the largest share. To prevent further damage, JPCERT/CC works with CNCERT/CC to request action from the administrators of websites hosting phishing content and to coordinate with the relevant domain registrars. Phishing sites using jp domains were the third most numerous.

Figure 5: Breakdown of ccTLDs used for phishing sites

Trend in jp Domains Used for Phishing Sites

It is common for attackers to compromise a website with a legitimate domain in order to place phishing content on it. However, some attackers register jp domains specifically for the purpose of setting up phishing sites. These jp domains are discussed below.

Figure 6 shows a monthly trend in phishing sites with jp domains.

Figure 6: Monthly trend in phishing sites of jp domains

Features of jp Domains Acquired for Setting Up Phishing Sites

There were multiple patterns in the jp domains used for phishing sites. JPCERT/CC confirmed the following features, particularly in domains registered within a month before the phishing sites were identified.

Include brand names: e.g., aplusl.jp, saisons.jp
Exclude brand names: e.g., hsjhhfjk.jp, reihakls.jp
Include numbers in the second-level domain: e.g., card020.jp, card030.jp
Replace one letter of the proper noun: e.g., registerb.jp, registerc.jp

Relation amongst jp Domains, Phishing Sites and Spoofed Brands

The following are three features of phishing sites that use jp domains acquired for setting up phishing sites.

1. Use Brand Names in Subdomain

The first type includes a brand name in a subdomain. Table 1 lists domains where a different brand appears in each subdomain.

Table 1: Domains with different brands for each subdomain

The word "card" in the domain name suggests that the attacker was attempting to impersonate a service or brand that issues cards containing personal information, such as a credit card or a national identification card. In this case, "smbc" (referring to a bank) and "rakuten" (referring to an e-commerce company) were added as the subdomain of each phishing site in order to impersonate different brands.

The attacker's intention in registering such a domain may be to develop additional phishing sites simply by adding the names of legitimate brands or services as subdomains.

On the other hand, as Table 2 shows, jp domains that appear to have been registered originally to impersonate Rakuten were actually used to run phishing sites spoofing MIC’s special cash handout website. This is indicated by the subdomain “soumui” (a string that appears to be derived from the Japanese name of MIC, the Ministry of Internal Affairs and Communications) added to these domains.

Table 2: Domains spoofing Rakuten and MIC

2. Fixed Subdomain String

The second type keeps the subdomain string fixed, replaces a single character in the domain name, and runs multiple phishing sites, as shown in Table 3.

Browsers on computers and smartphones display a URL from the left, and the right-hand part (the registered domain) may be cut off depending on the screen size. By placing a legitimate company name in the leftmost subdomain, attackers can run multiple phishing sites under different registered domains that all look plausible to users who only see the start of the address.

3. Use Japanese-language Domain

The third type uses Japanese-language domains.

Attackers presumably use Internationalized Domain Names (IDNs) in Japanese so that people who are not used to reading foreign languages will access the phishing sites without feeling suspicious or uncomfortable. Whether the address bar shows the Japanese form or the Punycode (xn--) form depends on the browser's IDN display policy; Table 4 lists both forms.

Table 4: Japanese domain/Punycode
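The checks below are an added example, not JPCERT/CC's own tooling, that pulls together the gTLD/ccTLD breakdown of Figure 3 and the three jp-domain patterns above: it converts a reported hostname to and from its Punycode form (pattern 3), splits off the registrable domain to see whether a brand string sits only in the subdomain (patterns 1 and 2), and simulates what a narrow address bar shows. The sample hostnames, the brand list and the small table of jp second-level suffixes are assumptions made for illustration; the real domains from the article's tables are not reproduced here.

```python
# Added example, not JPCERT/CC's own tooling: classify a reported phishing hostname
# by TLD type (gTLD vs ccTLD) and by the three jp-domain patterns described above.
# The sample hostnames, brand list and jp second-level suffix table are assumptions
# made for illustration only.
from __future__ import annotations

# Public second-level labels under jp that belong to the registrable domain
# (assumption: a small subset; a real tool would consult the Public Suffix List).
JP_SECOND_LEVEL = {"co", "ne", "or", "ac", "go", "ad", "ed", "gr", "lg"}


def to_ascii(host: str) -> str:
    """Convert a possibly Japanese (IDN) hostname to its Punycode (xn--) form."""
    # Python's built-in "idna" codec applies nameprep and Punycode per label;
    # plain ASCII labels such as "jp" pass through unchanged.
    labels = host.rstrip(".").split(".")
    return ".".join(label.encode("idna").decode("ascii") for label in labels)


def to_unicode(host: str) -> str:
    """Decode a Punycode hostname back to the form a browser may display."""
    return ".".join(label.encode("ascii").decode("idna") for label in host.split("."))


def tld_type(ascii_host: str) -> str:
    """Two-letter TLDs are ccTLDs (e.g. jp, cn); everything else is treated as a gTLD.
    Assumption: IDN ccTLDs (xn--...) are not handled, for simplicity."""
    tld = ascii_host.rsplit(".", 1)[-1].lower()
    return "ccTLD" if len(tld) == 2 and tld.isalpha() else "gTLD"


def split_host(ascii_host: str) -> tuple[list[str], str]:
    """Split into (subdomain labels, registrable domain) using the jp suffix table."""
    labels = ascii_host.lower().split(".")
    n = 2
    if len(labels) >= 3 and labels[-1] == "jp" and labels[-2] in JP_SECOND_LEVEL:
        n = 3
    return labels[:-n], ".".join(labels[-n:])


def analyze_hostname(host: str, brands: list[str]) -> dict:
    """Report where brand strings sit in the name and whether it is an IDN."""
    ascii_host = to_ascii(host)
    subdomains, registrable = split_host(ascii_host)
    idn_labels = [lab for lab in ascii_host.split(".") if lab.startswith("xn--")]
    brand_in_sub = sorted({b for b in brands for lab in subdomains if b in lab})
    brand_in_reg = sorted({b for b in brands if b in registrable})
    return {
        "ascii_host": ascii_host,
        "tld_type": tld_type(ascii_host),
        "registrable_domain": registrable,
        "subdomains": subdomains,
        "idn_labels": idn_labels,
        "brand_in_subdomain": brand_in_sub,
        "brand_in_registrable": brand_in_reg,
        # Patterns 1 and 2: the brand appears only to the left of the registrable
        # domain, which is the part a narrow address bar shows first.
        "brand_only_in_subdomain": bool(brand_in_sub) and not brand_in_reg,
        # Pattern 3: at least one label is Punycode-encoded.
        "uses_idn": bool(idn_labels),
    }


def display_prefix(host: str, width: int) -> str:
    """Simulate a narrow address bar: only the leftmost characters are visible."""
    return host if len(host) <= width else host[:width] + "..."


# Constructed sample hostnames (not taken from JPCERT/CC's appendix).
SAMPLES = [
    "smbc.card020.jp",            # pattern 1: brand in subdomain of a "card" domain
    "rakuten.card030.jp",         # pattern 1: same domain family, different brand
    "example-bank.registerb.jp",  # pattern 2: fixed subdomain, one letter varied
    "日本.jp",                     # pattern 3: Japanese IDN
    "login.example.org",          # gTLD for comparison
]
BRANDS = ["smbc", "rakuten", "example-bank"]

if __name__ == "__main__":
    for h in SAMPLES:
        r = analyze_hostname(h, BRANDS)
        print(f"{display_prefix(h, 14):<18} {r['tld_type']:<6} {r['ascii_host']}")
        print(f"    registrable={r['registrable_domain']} "
              f"brand_only_in_subdomain={r['brand_only_in_subdomain']} idn={r['uses_idn']}")
```

When triaging reports, compare the xn-- form with the displayed form: a hostname whose brand string appears only in `subdomains` is a candidate for patterns 1 and 2, and one with `idn_labels` set is a candidate for pattern 3. The two-letter rule for ccTLDs is a heuristic that covers the TLDs in Figure 5, not a replacement for an authoritative TLD list.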

In Closing

This article explained the number of phishing sites reported to JPCERT/CC in 2021 and the features of the domains used. Information on the jp domains acquired for setting up phishing sites is provided in Appendix A. We hope that it helps operators consider countermeasures.

If you have information on phishing sites, website defacement or other suspicious contents, please report it to info[at]jpcert.or.jp.

Shoko Nakai (Translated by Masa Toyama)

Appendix A: jp domains acquired for developing phishing sites and examples of spoofed brands