A sophisticated phishing campaign has emerged targeting users of Monex Securities, one of Japan’s largest online brokerage platforms formed through the merger of Monex, Inc. Since early April 2025, attackers have deployed a series of fraudulent domains leveraging the .cn top-level domain to impersonate Monex’s legitimate services.

The campaign employs socially engineered emails with the subject line “【マネックス証券】登録情報の確認および更新のお願い” (“[Monex Securities] Request to confirm and update registered information”), urging recipients to “verify account details” through embedded links. The phishing domains use randomized alphanumeric strings as their root names followed by a “/monex/” directory (e.g., hxxps://ijnu[.]cn/monex), creating URLs that superficially resemble authentic Monex subdomains. Broadcom analysts observed that clicking these links redirects victims to fake login pages replicating Monex Securities’ authentication interface.

An initial script on the fake page generates a unique session identifier encoded in Base64, allowing attackers to track individual victims even if they abandon the login process prematurely. Attackers exfiltrate submitted credentials in real time through POST requests to attacker-controlled endpoints, enabling immediate account takeover attempts. The script sends the credentials to /api/collect before redirecting victims to Monex’s legitimate error page, creating the illusion of a temporary service interruption rather than a security breach.

The campaign’s operational infrastructure relies on disposable domains registered through Chinese TLD providers, with DNS records pointing to cloud-hosted virtual private servers (VPS). Symantec’s WebPulse-enabled products now block access to all identified infrastructure components, while their email security suite quarantines messages containing the malicious links. Financial institutions are advised to implement multi-factor authentication (MFA) systems that do not rely on SMS-based codes, which this campaign’s infrastructure cannot currently intercept.
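As an added example (not code from the article, Broadcom or Symantec), the following Python heuristic scans the links in an email body for the lookalike pattern described above: a host outside the brokerage's own domain that carries the brand name as its first path segment (optionally under .cn), or a request target matching the reported /api/collect endpoint. The legitimate domain monex.co.jp and the sample email are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumption (not stated in the article): the brokerage's legitimate domain.
LEGIT_DOMAINS = ("monex.co.jp",)
BRAND = "monex"

def refang(s):
    """Undo the defanging used in threat reports: hxxps://ijnu[.]cn -> https://ijnu.cn"""
    return re.sub(r"hxxp", "http", s, flags=re.I).replace("[.]", ".")

def is_legit_host(host):
    """True if host is the legitimate domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def lookalike_reasons(url):
    """Return the heuristics a URL trips; an empty list means no lookalike indicator."""
    p = urlparse(refang(url))
    host = (p.hostname or "").lower()
    if not host or is_legit_host(host):
        return []
    path = p.path.lower()
    reasons = []
    if BRAND in host:
        reasons.append("brand name inside a non-legitimate hostname")
    if path.startswith("/" + BRAND):
        reasons.append("brand name as first path segment on a non-legitimate host")
    if host.endswith(".cn") and reasons:
        reasons.append("registered under .cn, as in the reported campaign")
    if path.rstrip("/") == "/api/collect":
        reasons.append("request target matches the reported exfiltration endpoint")
    return reasons

def scan_links(text):
    """Extract http(s)/hxxp(s) links from text; return {url: reasons} for flagged ones."""
    urls = re.findall(r"h(?:tt|xx)ps?://[^\s<>\"']+", text, flags=re.I)
    return {u: r for u in urls if (r := lookalike_reasons(u))}

# Constructed sample email, modelled on the lure described in the article.
SAMPLE_EMAIL = """【マネックス証券】登録情報の確認および更新のお願い
Please verify your account: hxxps://ijnu[.]cn/monex/
Official site: https://www.monex.co.jp/
"""

if __name__ == "__main__":
    for url, reasons in scan_links(SAMPLE_EMAIL).items():
        print(url, "->", "; ".join(reasons))
```

The same `lookalike_reasons` check can be run over proxy or mail-gateway URL logs to surface clicks on the lookalike pattern before credentials are submitted.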
Tushar is a Cyber security content editor with a passion for creating captivating and informative content.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 16:50:17 +0000