CoGUI Phish Kit Targets Japan with Millions of Messages
Summary:
Proofpoint has identified a notable surge in high-volume Japanese language phishing campaigns targeting organizations in Japan. These campaigns utilize a sophisticated phishing kit, dubbed CoGUI, to impersonate popular Japanese consumer and payment brands like Amazon, PayPay, and Rakuten. While a smaller number of campaigns have targeted Australia, New Zealand, Canada, and the United States, Japan has become a primary target. The objective of these campaigns is to steal user credentials and payment information, potentially leading to financial fraud, with some evidence suggesting a link to illicit purchases of Chinese stocks. CoGUI employs advanced evasion techniques, including geofencing, header fencing, and browser fingerprinting, to avoid detection. Proofpoint has been tracking CoGUI since December 2024, observing an average of 50 campaigns per month, with peak volumes reaching over 172 million messages in January 2025. Notably, while the majority of campaigns are retailer-themed, finance-related impersonations have increased recently, aligning with reports from Japanese authorities regarding increased phishing targeting financial institutions.
Security Officer Comments:
The observed increase in CoGUI phishing campaigns targeting Japan exemplifies the broader growth of Chinese-language cybercrime across the threat landscape since 2023, including phishing kits like Darcula and malware campaigns based on Gh0stRAT variants. The high volume of these campaigns, coupled with the sophisticated evasion techniques employed by the CoGUI kit, underscores the need for robust phishing detection measures. The focus on well-known consumer and financial brands shows the attackers abusing user trust in those brands to steal credentials and financial data. The potential link to the use of illicit funds for the purchase of Chinese stocks adds a layer of complexity to these operations. While similarities exist between CoGUI and the Darcula phishing kit used in Road Toll Smishing, Proofpoint's analysis confirms they are distinct. The absence of observed multi-factor authentication credential collection capabilities in CoGUI is noteworthy given how common that feature is in other phishing kits, although it cannot be entirely ruled out, since samples with that capability may simply not have been observed. The alignment of recent finance-themed CoGUI campaigns with reports from Japanese financial authorities highlights this concerning trend. Proofpoint's development of internal detections and Emerging Threats rules is a crucial step in mitigating this threat, providing valuable protection for their customers.
Suggested Corrections:
IOCs are available in the linked Proofpoint report.
Proofpoint recommendations for combating phishing:
Phish kits use lures that mimic trusted brands and services to increase the likelihood that users will click the URL payloads provided. These lures often create a sense of urgency to complete a task, presenting the URL as a convenient path for the victim to do so. To combat these dangerous but often successful lures, do not immediately click links.
Instead, slow down, visit the official website of the service, and log into your account to further investigate the lure's claims. Organizations are advised to educate users about phishing that impersonates popular consumer and financial brands and to report such messages to IT teams when observed. Organizations are also advised to implement multifactor authentication across all applications and services; however, to fully defend against MFA phishing, FIDO or other physical security tokens are recommended.
This slower path reduces the risk that user credentials and payment information are exfiltrated.
Link(s):
https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages