Trends of Reported Phishing Sites and Compromised Domains in 2021

JPCERT/CC received 44,242 incident reports in 2021, of which 23,104 were related to phishing sites. Based on the reported information, this article details the number of reports, the proportion of spoofed brands by industry, and trends in the domains used for phishing sites.

Phishing sites in this article refer to unauthorised websites that are designed to steal credentials and other information by spoofing legitimate brands. Some of the reported phishing sites were spread via SMS in addition to email.

Trend in the Number of Reported Phishing Sites and Its Ratio by Industry

Figure 1 shows the monthly trend in the number of reported phishing sites in 2021. From January to July, there were fewer than 2,000 cases per month, but from around August the number continued to exceed 2,000. This is partly due to an increase in reports of phishing sites pretending to be Amazon and ETC (Electronic Toll System) usage inquiry service websites.

Figure 1: Monthly trend in the number of reported phishing sites

Figure 2 shows a monthly trend and breakdown of reported phishing sites by industry based on all reported URLs.

Figure 2: Breakdown of reported phishing sites by industry

In 2021, phishing sites spoofing financial institution brands accounted for 31% of all phishing sites, followed by those spoofing communication carriers at 27%. A distinctive feature was a surge in phishing sites spoofing government services: there were fewer than 30 reports each month from January to July, rising to 63 in August and 209 in September. Many of these reports concerned phishing sites disguised as the special cash handout website of the MIC (the Japanese Ministry of Internal Affairs and Communications) or the COVID-19 vaccine navigation website of the MHLW (the Japanese Ministry of Health, Labour and Welfare).

Breakdown of TLDs (Top-Level Domains) Used for Phishing Sites

Figure 3 shows a monthly breakdown of reported phishing sites by gTLD and ccTLD.

While the majority of phishing sites use a gTLD, 22% of all sites use a ccTLD. ccTLD stands for “Country Code Top Level Domain”, which is allocated to and managed by each country. On the other hand, gTLD stands for “General Top Level Domain” and is allocated to service areas rather than countries. gTLDs are possibly less restrictive in their use than ccTLDs and are therefore more likely to be used for phishing sites.

Figure 3: Breakdown of reported phishing sites by gTLD and ccTLD

Figures 4 and 5 illustrate the ratio of TLDs used for phishing sites, divided into gTLDs and ccTLDs.

Looking at the gTLD figure, the org domain accounted for the largest proportion (42%). This is because the services of dynamic DNS providers using org domains were leveraged to generate a number of phishing sites.

Figure 4: Breakdown of gTLDs used for phishing sites

Amongst the ccTLDs, the cn domain made up 69%, representing the largest share. To prevent further damage, JPCERT/CC is working with CNCERT/CC to request action from the administrators of websites hosting phishing content and to coordinate with the relevant domain registrars. The number of phishing sites with jp domains was the third highest.

Figure 5: Breakdown of ccTLDs used for phishing sites

Trend in jp Domains Used for Phishing Sites

It is common for attackers to compromise a website with a legitimate domain in order to host phishing content. However, some attackers acquire jp domains specifically for the purpose of setting up phishing sites. These jp domains are discussed in the sections below.

Figure 6 shows a monthly trend in phishing sites with jp domains.

Figure 6: Monthly trend in phishing sites of jp domains

Features of jp Domains Acquired for Setting Up Phishing Sites

There were multiple patterns in the jp domains used for phishing sites. JPCERT/CC confirmed the following features particularly in those domains registered within a month before phishing sites were identified.

  1. Include brand names: e.g., aplusl.jp, saisons.jp
  2. Exclude brand names: e.g., hsjhhfjk.jp, reihakls.jp
  3. Include numbers in the second level domain: e.g., card020.jp, card030.jp
  4. Replace one letter of the proper noun: e.g., registerb.jp, registerc.jp

Relation amongst jp Domains, Phishing Sites and Spoofed Brands

The following are three features of phishing sites that use jp domains acquired for setting up phishing sites.

1. Use Brand Names in Subdomain

The first type includes a brand name in a subdomain. Table 1 lists the domains with different brands for each subdomain.

Table 1: Domains with different brands for each subdomain

The word "card" in the domain name suggests that the attacker was attempting to impersonate a service or brand that provides a card service involving personal information, such as a credit card or a national identification number card. In this case, “smbc” (referring to a bank) and “rakuten” (referring to an e-commerce company) were added to each phishing site’s subdomain in order to impersonate different brands.

The attacker's intention in registering such a domain may be to set up more phishing sites by adding the names of legitimate brands or services to the subdomain.

On the other hand, as indicated in Table 2, the jp domains which seem to have been originally registered to impersonate Rakuten were actually used to run phishing sites spoofing MIC’s special cash handout websites. This can be confirmed by the fact that the subdomain “soumui” (the string in Japanese that appears to be associated with MIC, the Ministry of Internal Affairs and Communications) was added to these domains.

Table 2: Domains spoofing Rakuten and MIC

2. Fix the String of Subdomain

The second type fixes the string of subdomains, replaces a single character in the domain name and runs multiple phishing sites as shown in Table 3.

Browsers on computers and smartphones display the website address from the left, and the right-hand part of the address may not be displayed depending on the display size. Attackers may aim to run multiple phishing sites that mislead users by placing a legitimate company name in a subdomain on the left.

Table 2: Domains spoofing Rakuten and MIC

3. Use Japanese-language Domain

The third type uses a Japanese-language domain name.

It is assumed that attackers run phishing sites on Internationalized Domain Names in Japanese so that people who are not used to reading foreign languages will access the phishing sites without feeling insecure or uncomfortable.

Table 4: Japanese domain/Punycode
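
The three subdomain patterns above can be turned into a simple triage check for FQDNs seen in mail or proxy logs. The following is an added example, not JPCERT/CC's own tooling; the brand watch list, the similarity threshold, the flag names and the simplified .jp suffix handling are assumptions, and the sample FQDNs are taken from Appendix A.

```python
import difflib

# Simplification: second-level labels that act as public suffixes under .jp.
# Production code should consult the Public Suffix List instead.
JP_SLD = {"co", "ne", "or", "ac", "go", "ad", "ed", "gr", "lg"}
# Assumed watch list, built from brand strings quoted in the article.
BRANDS = ["smbc", "rakuten", "paypay", "amazon", "nttdocomo"]

def split_fqdn(fqdn):
    """Return (subdomain_labels, registrable_domain) for a .jp name."""
    labels = fqdn.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in JP_SLD else 2
    return labels[:-n], ".".join(labels[-n:])

def brand_match(label, threshold=0.8):
    """Return the watched brand a label equals or closely resembles."""
    for brand in BRANDS:
        if difflib.SequenceMatcher(None, label, brand).ratio() >= threshold:
            return brand
    return None

def assess(fqdn, allowlist=frozenset()):
    """Return sorted flags for one FQDN; an empty list means no match."""
    sub, registrable = split_fqdn(fqdn)
    if registrable in allowlist:  # the brand owner's own domains
        return []
    flags = set()
    for label in sub:
        brand = brand_match(label)
        if brand:
            flags.add("brand-in-subdomain:" + brand)
        # Labels such as "ne" or "co-jp" make the left side look like a suffix.
        if label in JP_SLD or (label.endswith("-jp") and label[:-3] in JP_SLD):
            flags.add("suffix-lookalike-label")
    if any(l.startswith("xn--") for l in sub + registrable.split(".")):
        flags.add("idn")  # Punycode label: review the decoded form
    return sorted(flags)

# FQDNs quoted from the article's Appendix A.
SAMPLES = [
    "rakuten.card020.jp", "paypey.cnke.jp", "nttdocomo.ne.registerb.jp",
    "co-jp.rakuteine.jp", "xn----fbu197jpxfmoevwj41ibsc.jp",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, assess(name))
```

A brand that is not on the watch list produces no flag (for example the "soumui" subdomains), so the list has to track the brands currently being spoofed.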

In Closing

This article explained the number of phishing sites reported to JPCERT/CC in 2021 and the features of the domains used. Information on the jp domains acquired for setting up phishing sites is provided in Appendix A. We hope that it helps operators to consider countermeasures.

If you have information on phishing sites, website defacement or other suspicious contents, please report it to info[at]jpcert.or.jp.

Shoko Nakai (Translated by Masa Toyama)

Appendix A: jp domains acquired for developing phishing sites and examples of spoofed brands

| Confirmed in | Domain | WHOIS Registration Date | Phishing site (FQDN) | Brand |
|---|---|---|---|---|
| Jan | redirectjcom.jp | 2021/01/04 | redirectjcom.jp | Amazon |
| Jan | vpassids.jp | 2021/01/11 | vpassids.jp, smbc.vpassids.jp | Mitsui Sumitomo Card |
| Feb | docomo-ma.jp | 2021/02/05 | www.docomo-ma.jp | docomo |
| Mar | aplusl.jp | 2021/03/07 | aplusl.jp | APLUS |
| Mar | fc2dda.jp | 2021/03/03 | www.fc2dda.jp | Mitsubishi UFJ NICOS |
| Apr | amazon-images.jp | 2021/04/29 | amazon-images.jp | Amazon |
| Apr | card-saison.jp | 2021/04/24 | card-saison.jp | SAISON CARD |
| Apr | cardsaisons.jp | 2021/04/15 | cardsaisons.jp | SAISON CARD |
| Apr | saison-update.jp | 2021/04/15 | saison-update.jp | SAISON CARD |
| Apr | saisons.jp | 2021/04/24 | saisons.jp | SAISON CARD |
| May | amzano.jp | 2021/05/13 | amzano.jp | Amazon |
| May | member-jcom.jp | 2021/05/20 | member-jcom.jp | J:COM |
| May | saison-sms.jp | 2021/05/19 | api.saison-sms.jp | SAISON CARD |
| May | saison-updated.jp | 2021/05/20 | saison-updated.jp, net.saison-updated.jp | SAISON CARD |
| May | saison-updates.jp | 2021/05/07 | saison-updates.jp | SAISON CARD |
| May | saisoncard-update.jp | 2021/05/07 | saisoncard-update.jp | SAISON CARD |
| May | sms-card.jp | 2021/05/19 | sms-card.jp | SAISON CARD |
| Jun | appappmazom.jp | 2021/06/16 | appappmazom.jp | Amazon |
| Jul | card-00.jp | 2021/07/16 | smbc.card-00.jp | Mitsui Sumitomo Card |
| Jul | card0000.jp | 2021/07/16 | smbc.card0000.jp | Mitsui Sumitomo Card |
| Jul | card0003.jp | 2021/07/17 | smbc.card0003.jp | Mitsui Sumitomo Card |
| Jul | card020.jp | 2021/07/16 | rakuten.card020.jp | Rakuten |
| Jul | card030.jp | 2021/07/16 | smbc.card030.jp | Mitsui Sumitomo Card |
| Jul | card06.jp | 2021/07/16 | rakuten.card06.jp | Rakuten |
| Jul | card0800.jp | 2021/07/18 | smbc.card0800.jp | Mitsui Sumitomo Card |
| Jul | card200.jp | 2021/07/16 | smbc.card200.jp | Mitsui Sumitomo Card |
| Jul | hsjhhfjk.jp | 2021/07/20 | www.nttdocmon.ne.hsjhhfjk.jp | docomo |
| Jul | paypay-co.jp | 2021/07/04 | paypay-co.jp, www.paypay-co.jp | PayPay |
| Jul | registerb.jp | 2021/07/21 | nttdocomo.ne.registerb.jp | docomo |
| Jul | registerc.jp | 2021/07/21 | nttdocomo.ne.registerc.jp | docomo |
| Jul | registern.jp | 2021/07/21 | nttdocomo.ne.registern.jp | docomo |
| Jul | registert.jp | 2021/07/21 | nttdocomo.ne.registert.jp | docomo |
| Jul | registerv.jp | 2021/07/21 | nttdocomo.ne.registerv.jp | docomo |
| Jul | registerx.jp | 2021/07/21 | nttdocomo.ne.registerx.jp | docomo |
| Aug | am-prime.jp | 2021/08/07 | am-prime.jp | Amazon |
| Aug | americnnexpress.jp | 2021/08/03 | www.americnnexpress.jp | American Express |
| Aug | card-bccb.jp | 2021/08/08 | smbc.card-bccb.j | Mitsui Sumitomo Card |
| Aug | card-ii.jp | 2021/08/06 | smbc.card-ii.jp | Mitsui Sumitomo Card |
| Aug | card-zxc.jp | 2021/08/10 | smbc.card-zxc.jp | Mitsui Sumitomo Card |
| Aug | prime-card1.jp | 2021/08/26 | amazon.prime-card1.jp | Amazon |
| Aug | rakeoini.jp | 2021/08/13 | soumui.rakeoini.jp | MIC |
| Aug | rakeunore.jp | 2021/08/13 | soumui.rakeunore.jp | MIC |
| Aug | rakuteine.jp | 2021/08/13 | co-jp.rakuteine.jp | Rakuten |
| Aug | rakutenoi.jp | 2021/08/13 | co-jp.rakutenoi.jp | Rakuten |
| Aug | rekuonrie.jp | 2021/08/24 | soumui.rekuonrie.jp | MIC |
| Aug | xn----fbu197jpxfmoevwj41ibsc.jp (情報の更新-安全.jp) | 2021/08/24 | xn----fbu197jpxfmoevwj41ibsc.jp | Amazon |
| Sep | amazon-logn.jp | 2021/09/04 | amazon-logn.jp | Amazon |
| Sep | appama.jp | 2021/09/01 | info.appama.jp | Amazon |
| Sep | card-tty.jp | 2021/09/14 | smbc.card-tty.jp | Mitsui Sumitomo Card |
| Sep | info-customerservcqqq24.jp | 2021/09/09 | info-customerservcqqq24.jp | Amazon |
| Sep | infosecvalidatedagains.jp | 2021/09/16 | infosecvalidatedagains.jp | Amazon |
| Sep | irnuaiekr.jp | 2021/09/04 | rekuten.irnuaiekr.jp | Rakuten |
| Sep | japannet-bank-co.jp | 2021/09/10 | www.japannet-bank-co.jp | PayPay Bank |
| Sep | mkdinue.jp | 2021/09/24 | ufbk.jp.mkdinue.jp | Mitsubishi UFJ NICOS |
| Sep | reihakls.jp | 2021/09/11 | rakutone.reihakls.jp | Rakuten, Yodobashi Camera |
| Sep | shopping-survey.jp | 2021/09/01 | amazon.shopping-survey.jp | Amazon |
| Sep | smbc-co.jp | 2021/09/23 | www.smbc-co.jp | Mitsui Sumitomo Card |
| Sep | web-aupay.jp | 2021/09/18 | web-aupay.jp, www.web-aupay.jp | au |
| Oct | caird-co.jp | 2021/10/26 | smbc.caird-co.jp | Mitsui Sumitomo Card |
| Oct | cards-co.jp | 2021/10/23 | smbc.cards-co.jp | Mitsui Sumitomo Card |
| Oct | carrd-co.jp | 2021/10/23 | smbc.carrd-co.jp | Mitsui Sumitomo Card |
| Oct | carsd-co.jp | 2021/10/23 | smbc.carsd-co.jp | Mitsui Sumitomo Card |
| Oct | cart-co.jp | 2021/10/26 | smbc.cart-co.jp | Mitsui Sumitomo Card |
| Oct | d3f2c3fbd7a2b2e1d3f2c3fbd7a2b2e2.jp | 2021/10/15 | d3f2c3fbd7a2b2e1d3f2c3fbd7a2b2e2.jp | Amazon |
| Oct | hbvkhcvh.jp | 2021/10/18 | rekutonin.hbvkhcvh.jp | Rakuten |
| Oct | jhvjhcfjhbjkj.jp | 2021/10/18 | rakutonei.co-jp.jhvjhcfjhbjkj.jp | Rakuten |
| Oct | smbc-card-ma.jp | 2021/10/12 | www.smbc-card-ma.jp | Mitsui Sumitomo Card |
| Oct | smbc-card-mr.jp | 2021/10/12 | www.smbc-card-mr.jp | Mitsui Sumitomo Card |
| Oct | smbc-card-ms.jp | 2021/10/12 | www.smbc-card-ms.jp | Mitsui Sumitomo Card |
| Oct | smbc-cardom.jp | 2021/10/10 | www.smbc-cardom.jp | Mitsui Sumitomo Card |
| Nov | cade-co.jp | 2021/11/08 | smbc.cade-co.jp | Mitsui Sumitomo Card |
| Nov | cead-co.jp | 2021/11/09 | smbc.cead-co.jp | Mitsui Sumitomo Card |
| Nov | cerd-co.jp | 2021/11/09 | smbc.cerd-co.jp | Mitsui Sumitomo Card |
| Nov | cnke.jp | 2021/11/07 | paypey.cnke.jp, paypoy.cnke.jp, poypoy.cnke.jp | PayPay |
| Nov | crad-co.jp | 2021/11/09 | smbc.crad-co.jp | Mitsui Sumitomo Card |
| Nov | csad-co.jp | 2021/11/09 | smbc.csad-co.jp | Mitsui Sumitomo Card |
| Nov | cxrd-co.jp | 2021/11/09 | smbc.cxrd-co.jp | Mitsui Sumitomo Card |
| Nov | dsyne55.jp | 2021/11/05 | paypoy.dsyne55.jp, poypoy.dsyne55.jp | PayPay |
| Nov | etc-merisair.jp | 2021/11/12 | www2.etc-merisair.jp | ETC usage inquiry service |
| Nov | nerel.jp | 2021/11/02 | paypay.nerel.jp | PayPay |
| Nov | neros.jp | 2021/11/02 | paypay.neros.jp | PayPay |
| Nov | neui.jp | 2021/11/02 | paypay.neui.jp | PayPay |
| Nov | paypaya.jp | 2021/11/14 | login.paypaya.jp | PayPay |
| Nov | paypayqg.jp | 2021/11/15 | login.paypayqg.jp | PayPay |
| Nov | whjk22.jp | 2021/11/07 | paypey.whjk22.jp, paypoy.whjk22.jp, poypoy.whjk22.jp | PayPay |
| Dec | 3d14xojlryiivx8unsh0prn4h8ehmqro0.jp | 2021/12/17 | 3d14xojlryiivx8unsh0prn4h8ehmqro0.jp | Amazon |
| Dec | aqtdyosxlbwupvflyzcrf811eqopji.jp | 2021/12/09 | aqtdyosxlbwupvflyzcrf811eqopji.jp | Amazon |
| Dec | iy3bhwobsaxvhuiheklqqaak8iv8lnmyc9xvcesc4ysga.jp | 2021/12/14 | iy3bhwobsaxvhuiheklqqaak8iv8lnmyc9xvcesc4ysga.jp | Amazon |
| Dec | descente-store.jp | 2021/12/08 | prime.store.descente-store.jp | Amazon |
| Dec | yahoo-ai.jp | 2021/12/13 | yahoo-ai.jp | Yahoo! JAPAN |