
2 posts from September 2010

Sep 22, 2010

Phishing in Japan

Anyone doing incident response in the mid-2000s would no doubt be familiar with the massive upswing in phishing attacks around then.  Working in the AusCERT incident response team at the time, we were swamped with scams chiefly targeting Australian banks and financial institutions.  Handling a large volume of phishing attacks quickly became a part of our daily routine, and they continue to be part of the landscape.

In early 2007, I moved to Japan to join JPCERT/CC. Much to my surprise, phishing activity was much lower here.  Reports of phishing sites hosted in Japan and targeting foreign organisations were a daily event, but attacks against Japanese organisations themselves were rare.  It seemed a little optimistic to think that Japan would be spared from such attacks - and naturally, this proved to be correct in time.

In May 2009, the number of attacks targeting Japanese institutions showed a sharp spike. The targets at that stage were chiefly non-bank financial institutions and auction sites, but attacks against banks, online gaming and social networking sites followed.


A phishing site for the popular Japanese social networking site mixi.

So, why did Japan enjoy this initial reprieve from phishing attacks compared to Western countries?  Why does phishing in Japan not approach the levels seen elsewhere?  Likely this will make a good research project one day, but here are some possible factors to think about.

The Japanese language

I can personally attest that Japanese deserves its notorious reputation as a difficult language to learn.  The number of Japanese speakers worldwide who can claim some level of fluency is an order of magnitude less than English, and the vast majority of those are native speakers.  It's also important to understand that in Japan, communications from a company to its customers are carried out using honorific, formal language, which isn't usually known to novice learners or machine translation programs. 

As you might also know, Japanese contains thousands of characters.  To make things even more complex, these characters can be encoded using multiple character sets - all of which are widely used in Japan. So, one theory could be that the Japanese language provides a sufficiently high complexity barrier for non-native Japanese attackers to look elsewhere for quick cash.

However, that hasn't stopped the odd attacker from spoofing some Japanese banks' English language websites:


Rare English-language phish targeting the Japanese Shinsei Bank.

Of course, that would leave domestic attackers as a possibility.  As we'll learn later, domestic groups have already developed their own local scam techniques.  Additionally, the perceived lower risk of cross-border phishing attacks is likely one of their attractive elements to many criminals.  If the attacker, victim and targeted organisation all reside in the same country, this benefit evaporates and the risk increases.

Japanese e-banking vs ATMs

Japan has a reputation for being a highly technological society, but you might be surprised to know that while electronic banking is mainstream here, it is not as popular as you might expect.

There are possibly a couple of reasons for this.  The first reason is that Japan is still largely a cash society.  People carry around wads of notes and rarely use credit cards.  Many people here have never even seen a cheque.  Physical currency is regarded as safe, and so electronic banking takes somewhat of a back seat.  It's worth noting, though, that electronic cash in the form of IC cards is making inroads here.

A second theory: widely-available ATMs already do what customers need, 24 hours a day.  Touchscreen-equipped ATMs in Japan are far more sophisticated than the standard hole in the wall that just spits out cash.  You are able to do things like transfer between your accounts, make deposits, and send direct transfers to other accounts: an automated teller which comes very close to replicating its human equivalent.


Japanese ATM machine. Source: Wikipedia.

If I can briefly get on my soapbox, many banks here charge a USD $1 fee for using ATMs outside of business hours.  I've always felt that automatic machines of any kind don't need to be paid overtime.

ATMs and bank transfer fraud

Speaking of ATMs: the fact that you can easily transfer money between domestic accounts opens the possibility for other types of fraud.  A type that's become somewhat of a local speciality in Japan is known as "furikome sagi" (bank transfer fraud).

The attacker contacts the victim by telephone, and urges them to transfer money to a specified account.  The ruse might be a fabricated emergency from a family member, or a demand for penalty fees for an imaginary unpaid bill.  Posters warning bank customers of this fraud are a common sight in Japan, more so than awareness campaigns about phishing.

Given that domestic attackers already have a proven technique for extracting funds from their victims, this may also explain the lower uptake of phishing among domestic groups here.

Japanese e-banking two-factor authentication

Upon opening my Japanese bank account over three years ago, I was impressed to receive a simple means of two-factor authentication.  Using a 10x10 matrix printed on a PVC card, you read off a four digit response to a transaction-based challenge.  It was a very simple, cheap way of providing extra protection to customers at a time when many banks I was familiar with offered little in this way to their retail customers.

Of course, such authentication mechanisms don't offer perfect security.  As well as being susceptible to man-in-the-middle attacks and keylogging trojans, a phishing site was once observed by JPCERT/CC that asked the user to enter the entire 10x10 matrix of secret numbers into the site for the attacker's future reference.

At any rate, the wide usage of two-factor authentication in Japan might have added enough cost to attackers to encourage them to find softer targets.
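
The matrix-card scheme described above, sketched from the server side as an added example (not code from JPCERT/CC or any bank). The one-digit-per-cell layout, random cell selection, transaction id binding and three-failure lockout are assumptions; `expected_exposed_cells` estimates how much of a card has been revealed after a number of observed logins, which informs how often cards should be reissued.

```python
import hmac
import secrets

GRID = 10                 # 10x10 card, as described in the post
CELLS_PER_CHALLENGE = 4   # assumption: one digit per challenged cell
_rng = secrets.SystemRandom()

def new_card():
    """Constructed sample card: 100 random digits stored row-major."""
    return [_rng.randrange(10) for _ in range(GRID * GRID)]

def answer(card, coords):
    """What the card holder reads off for the challenged (row, col) cells."""
    return "".join(str(card[r * GRID + c]) for r, c in coords)

class GridVerifier:
    def __init__(self, card, max_failures=3):
        self._card = card
        self._pending = {}            # challenge id -> (transaction id, cells)
        self.failures = 0
        self.max_failures = max_failures

    def challenge(self, txn_id):
        """Pick four distinct cells and bind them to one transaction."""
        cells = _rng.sample(range(GRID * GRID), CELLS_PER_CHALLENGE)
        cid = secrets.token_hex(8)
        self._pending[cid] = (txn_id, cells)
        return cid, [(c // GRID, c % GRID) for c in cells]

    def verify(self, cid, txn_id, response):
        entry = self._pending.pop(cid, None)   # single use: a replay finds nothing
        if entry is None or self.failures >= self.max_failures:
            return False                        # unknown challenge or locked out
        bound_txn, cells = entry
        expected = "".join(str(self._card[c]) for c in cells)
        # Constant-time comparison so timing does not leak matching digits.
        ok = bound_txn == txn_id and hmac.compare_digest(
            expected.encode(), response.encode())
        self.failures = 0 if ok else self.failures + 1
        return ok

def expected_exposed_cells(observed_logins):
    """Expected number of distinct cells seen by someone who observes that
    many challenge/response pairs (for example via a keylogging trojan)."""
    p = CELLS_PER_CHALLENGE / (GRID * GRID)
    return GRID * GRID * (1 - (1 - p) ** observed_logins)
```

Under these assumptions roughly 87 of the 100 cells are expected to be exposed after 50 observed logins, so a card in long-term use on a compromised machine offers little remaining protection.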

Difficulty getting funds offshore

Often when phishers are looking to move their loot offshore, they'll recruit the services of a "mule".  The mule receives the stolen funds from the phisher, then moves the funds overseas using an international money transfer service.  Though an apparently easy way to earn money, mules are liable to be prosecuted in many countries.

Some mule recruiters advertising "part-time work in the financial services industry" often request that you live in a particular country, or use a particular bank.  This requires understanding of the targeted country's financial system.  For example, which are the major banks?  How do you transfer money offshore?  Is there a tracking system looking for suspicious transactions?  What's the maximum amount of money you can move around without it getting flagged for inspection?

I can say that even having lived here for several years, the banking system is still something of a mystery to me, and likely to a foreign attacker too.  Additionally, international money transfers here are regulated and monitored.

In summary

I should point out again that these are only theories, and have not been exhaustively researched by any means.  However, I know it's been interesting for me to observe the environmental, cultural and organisational differences between countries that may impact online crime.

Chris

Sep 09, 2010

Welcome to the JPCERT blog

Welcome to the JPCERT/CC blog.  JPCERT is the national CERT (Computer Emergency Response Team) for Japan.  We cover a fair amount of ground, including incident response, software vulnerability handling, malware analysis, running sensor networks, overseeing the Anti-Phishing Council of Japan (Japanese), running training courses, and lots besides.  You can see more about what we do at the JPCERT home page.

To introduce myself, my name is Chris Horsley.  I'm an Australian who has been working at JPCERT for the last few years now.  It's been particularly interesting for me to see some of the similarities and differences between the security landscape of Japan compared to Australia and other Western countries.  For those who don't speak Japanese or who aren't familiar with Japanese culture, there can be lots that goes on in Japan that doesn't receive much coverage in the foreign media.

I and other JPCERT staff are aiming to close some of the gap with this blog, bringing security trends in Japan to light for English-speaking audiences.  As well as talking about interesting security news from Japan, we'll also be talking about analysis and activities happening at JPCERT, along with some of the interesting cultural differences that exist here.

That's all for now - more to come!  Please sign up for the feed for updates as they happen, or follow our Twitter account if that's your social media poison of choice.

Chris