
The urlscan Threat Research Team has uncovered a sophisticated and persistent phishing campaign—codenamed Oriental Gudgeon—that has been targeting dozens of high-profile Japanese companies since October 2024. This operation, which is suspected to have Chinese origins, has zeroed in on the financial services sector, impersonating brands such as AEON Card, JCB, Mizuho Bank, Rakuten, Amazon Japan, and Apple, among many others.
According to the report: “Oriental Gudgeon has recently expanded its targeting to include more than 40 Japanese companies.”
The phishing kit mimics legitimate websites of Japanese commercial entities in a Vue.js-based single-page application (SPA) structure. It is designed to harvest a wide range of sensitive user data, including:
- Login credentials
- Account and verification details
- PIN and passcodes
- Credit card information
The campaign begins with phishing emails, often using alarming subject lines like: “アカウントへの不審アクセスに関する重要なお知らせ” (Important notice regarding suspicious access to your account).

Once the victim clicks the link, they’re directed to a cloaked phishing site. The phishing workflow includes:
- POST /visitors/info/createOrGetUserInfo – creates or retrieves a victim’s identity
- POST /visitors/info/saveLoginInfo – stores login data
- POST /visitors/info/saveCreditCardInfo – stores credit card data
These endpoints are part of an elaborate backend system that assigns a unique UUID to each visitor, persistently tracked via the browser’s localStorage.
What makes Oriental Gudgeon stand out is its multi-layered cloaking mechanism, specifically crafted to avoid detection:
- Geo-fencing: “Redirects the user to a benign website if the user is not located within Japan.”
- User-info blocking: “Cloaks itself (shows 404 page) by closing the /visitors/info/createOrGetUserInfo API endpoint.”
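The endpoint paths and the 404 cloaking behaviour above are enough to build a simple hunt over egress proxy logs. The following is an added example, not code from the urlscan report: it scans constructed log lines for POSTs to the kit's /visitors/info/* endpoints and reports which harvesting stages each external host served; the log format, hostnames and client addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report): ts, client, method, host, path, status.
SAMPLE_LOGS = [
    "2024-11-03T09:12:01Z 10.0.0.5 POST example-phish.test /visitors/info/createOrGetUserInfo 200",
    "2024-11-03T09:12:20Z 10.0.0.5 POST example-phish.test /visitors/info/saveLoginInfo 200",
    "2024-11-03T09:13:05Z 10.0.0.5 POST example-phish.test /visitors/info/saveCreditCardInfo 200",
    "2024-11-03T09:14:00Z 10.0.0.7 GET shop.example.test /visitors/info/createOrGetUserInfo 404",
    "2024-11-03T09:15:00Z 10.0.0.9 POST cloaked.example.test /visitors/info/createOrGetUserInfo 404",
    "2024-11-03T09:16:00Z 10.0.0.5 GET intranet.example.test /index.html 200",
]

# Endpoint paths the kit exposes (from the report), mapped to the data each one harvests.
KIT_STAGES = {
    "/visitors/info/createOrGetUserInfo": "identity",
    "/visitors/info/saveLoginInfo": "credentials",
    "/visitors/info/saveCreditCardInfo": "card",
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_kit_hosts(lines):
    """Return {host: {stages, victims, cloaked, full_chain}} for hosts that received kit POSTs."""
    hits = defaultdict(lambda: {"stages": [], "victims": set(), "cloaked": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":   # the kit's endpoints are all POST
            continue
        stage = KIT_STAGES.get(rec["path"].split("?", 1)[0])
        if stage is None:
            continue
        entry = hits[rec["host"]]
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
        entry["victims"].add(rec["src"])
        # A 404 on createOrGetUserInfo matches the "user-info blocking" cloak: the host looks
        # closed, but a client still POSTed to the kit path, so it deserves a look.
        if stage == "identity" and rec["status"] == "404":
            entry["cloaked"] = True
    for entry in hits.values():
        entry["full_chain"] = len(entry["stages"]) == len(KIT_STAGES)
    return dict(hits)
```

A host flagged with `full_chain` has served the whole identity, credentials and card sequence to at least one internal client, which is the strongest signal for triage.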
Fortunately, urlscan Pro offers countermeasures such as geographically located scanners (JP) and custom JavaScript injection, allowing researchers to bypass the cloaking barriers and inspect the phishing pages in live mode.
The research team suggests a strong link to Chinese-speaking actors. Evidence includes:
- Use of Simplified Chinese in the JavaScript error logs (e.g., “应用初始化失败”)
- Payload data containing fields like “客户电话” (customer phone number)
- Initial phishing emails traced to Chinese IP ranges, later shifted to residential proxies—a trend also observed by Spamhaus
“Our current working theory is that the Oriental Gudgeon threat actor is a native Chinese speaker,” the report concludes.