Introduction<\/strong><\/em><\/p>\n For at least the past year or so, I’ve been receiving Japanese-language phishing emails to my blog email addresses at @malware-traffic-analysis.net.\u00a0 I’m not Japanese, but I suppose my blog’s email addresses ended up on a list used by the group sending these emails. They’re all easily caught by my spam filters, so they’re not especially dangerous in my situation. However, they could be effective for the Japanese-speaking recipients with poor spam filtering.<\/p>\n Despite the different companies impersonated, they all follow a similar pattern for the phishing page URLs and email-sending addresses.<\/p>\n This diary reviews three examples of these phishing emails.<\/p>\n Screenshots<\/strong><\/em><\/p>\n The first screenshot shows an example of a phishing email impersonating the Japanese airline ANA (All Nippon Airways). Both the sending email address and the link for the phishing page use domains with a .cn<\/span>\u00a0top-level domain (TLD).<\/p>\n The second screenshot shows an example of a phishing email impersonating the shipping\/logistics company DHL. Like the previous example, both the sending email address and the link for the phishing page use domains with a .cn<\/span>\u00a0top-level domain (TLD).<\/p>\n Finally, the third screenshot shows an example of a phishing email impersonating the utilities company myTOKYOGAS. Like the previous two examples, both the sending email address and the link for the phishing page use domains with a .cn<\/span>\u00a0top-level domain (TLD).<\/p>\n As noted earlier, these emails have different themes, but they have similar patterns that indicate these were sent from the same group.<\/p>\n Indicators of the Activity<\/strong><\/em><\/p>\n Example 1:<\/p>\n Example 2:<\/p>\n Example 3:<\/p>\n Final Words<\/strong><\/em><\/p>\n The most telling indicator that these emails were sent from the same group is the\u00a0X-mailer: Foxmail 6, 13, 102, 15 [cn]<\/span> line in the email headers.<\/p>\n I’m not likely to be tricked into giving up information for accounts that I don’t have, like for myTOKYOGAS or for DHL.\u00a0 Other recipients could be tricked by these, though, assuming they make it past a recipient’s spam filter.<\/p>\n I’m curious how effective these phishing emails are, because the group behind this activity appears to be casting a wide net that reaches non-Japanese speakers.<\/p>\n If anyone else has received these types of phishing emails, feel free to leave a comment or submit an example via our contact page<\/a>.<\/p>\n Bradley Duncan (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-02-21-ISC-diary-image-01a.jpg?ssl=1\")
<\/a>
\nShown above: The spam folder for my blog’s admin email account.<\/em><\/p>\n<\/a>
\nShown above: Example of a Japanese phishing email impersonating ANA.<\/em><\/p>\n<\/a>
\nShown above: Example of a Japanese phishing email impersonating DHL.<\/em><\/p>\n<\/a>
\nShown above: Example of a Japanese phishing email impersonating myTOKYOGAS.<\/em><\/p>\n\n
\n
\n
\nbrad [at] malware-traffic-analysis.net<\/p>\n
\n
<\/BR><\/p>\n