{
	"id": "a7668875-e0e0-4abb-b046-b4c89157deb7",
	"created_at": "2026-04-06T00:18:20.605215Z",
	"updated_at": "2026-04-10T13:12:05.157786Z",
	"deleted_at": null,
	"sha1_hash": "c774af602cf781b62e2770c469fe3bae70b1b762",
	"title": "High-Volume Amazon Japan Credential Phishing Campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1136795,
	"plain_text": "High-Volume Amazon Japan Credential Phishing Campaigns |\r\nProofpoint US\r\nOctober 16, 2020 · By Cassandra A. and the Proofpoint Threat Research Team\r\nPublished: 2020-10-16 · Archived: 2026-04-05 22:06:45 UTC\r\nIntroduction\r\nSince August 2020, Proofpoint researchers have tracked extremely high-volume Amazon Japan credential and\r\ninformation phishing campaigns, with suspected activity dating back to June 2020. The messages pose as Amazon\r\nJapan, suggesting that the recipient needs to review their account for \"confirmation of ownership\" or \"updated\r\npayment information\". Upon clicking a link in the message, the recipient is taken to one of several variations of\r\nAmazon-themed credential phishing landing pages that collect credentials, personally identifiable information\r\n(PII), and credit card numbers. Messages have been sent both to Japan-based organizations and those with a\r\npresence in Japan. The pages are geofenced to ensure that only Japan-based recipients are taken to the credential\r\nphishing page.\r\nWhile popular brands like Amazon are often abused in credential phishing campaigns, the volume of messages\r\nsets these campaigns apart from other Amazon-branded activity. The campaigns run continuously, sending\r\nhundreds of thousands of messages each day. As of mid-October, sometimes more than a million messages are\r\nseen in a single day, rivaling Emotet message volume.
\r\nLures and landing pages \r\nThe messages are well-crafted Japanese language lures with subjects suggesting that the recipient's information\r\nneeds an update or that their account has been locked: \r\nAmazon.co.jp アカウント所有権の証明（名前、その他個人情報）の確認 (\"Confirmation of proof of\r\nownership of Amazon.co.jp account (name and other personal information)\") (Figure 1) \r\nお支払い方法の情報を更新 (\"Updated payment method information\") (Figure 2) \r\nアカウントがロックされたので、ご注意下さい (\"Please note that your account has been\r\nlocked\") (Figure 3) \r\nhttps://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet\r\nPage 1 of 12\n\nFigure 1: Lure with subject, “Confirmation of proof of ownership of Amazon.co.jp account (name and other\r\npersonal information)” \r\n \r\nFigure 2: Lure with subject, “Updated payment method information” \r\n \r\nFigure 3: Lure with subject, “Please note your account has been locked” \r\n \r\nImages in the messages, such as the Amazon logos, are hotlinked from free image hosting services, and the same\r\nimage URLs have been observed across multiple campaigns. 
\r\nThe messages purport to be from Amazon, though they come from email addresses that initially were\r\nnot disguised particularly well, such as these samples: \r\nrmlirozna[@]pw[.]com \r\nfwgajk[@]zfpx[.]cn \r\ninfo[@]bnwuabd[.]xyz \r\ndc[@]usodeavp[.]com \r\nBy early October 2020, we began to see a shift in effort to make the from address appear somewhat legitimate: \r\namaozn[@]ama2on[.]buzz \r\naccout-update[@]amazon[.]co.jp  \r\naccount-update[@]amazon[.]com  \r\nadmin[@]amazon-mail[.]golf \r\nIn examining the message URLs, we see that they contain parameters for OpenID (Figure 4), the authentication\r\nprotocol used by Amazon Japan. These URLs don’t appear to take the user to an OpenID\r\nimplementation, but the parameters in the URL string exist to provide legitimacy to the experience. \r\nWe identified what appear to be placeholder values in some URLs, suggesting perhaps some messages were\r\nprematurely sent, or that the corresponding values weren’t available (Figure 4). \r\nFigure 4: URL with BRECEIVER_ADDRESS and BRAND_TEXT variables \r\nWe also identified use of what appears to be a placeholder email address in some URLs, “a@b.c” (Figure 5). In\r\nother URLs observed, the recipient email address populates this parameter. \r\nFigure 5: URL with a@b.c and an OpenID path in place of variables \r\n \r\nWhen clicked, the geofenced links in the message take the user either to a spoofed Amazon Japan login\r\npage (Figure 6), or if the user appears to be outside of Japan, to the actual Amazon Japan login page. 
\r\nFigure 6: Spoofed Amazon Japan login page \r\nUpon “logging in” with their Amazon username and password, the user is taken to a form that collects various\r\npieces of PII, such as address, birthday, and phone number (Figure 7). \r\nFigure 7: Information phishing landing page, requesting the user’s country, name, birthday, zip/postal code,\r\nprefecture (state), street address, business name (optional), and phone number \r\nThe form also collects credit card numbers, which are loosely validated through a script hosted on the same site,\r\nand zip codes, which are validated via an API call to a third-party service (Figures 8, 9). Interestingly, the zip code\r\nwe provided does not appear to be a legitimate Japanese zip code, though no errors were returned upon submitting\r\nthe information. \r\nFigure 8: Error indicating the credit card number originally provided (a random numeric string of the wrong\r\nlength) is invalid \r\n \r\nFigure 9: Intercepted traffic illustrating the call to “zipcloud.ibsnet[.]co.jp” for zip code validation, as well as\r\ncalls to “/ap/actions/validate?cxdi=” for credit card number validation \r\nAfter submitting valid information, users are thanked for updating their information, told they may now access\r\ntheir account, and redirected to the real Amazon Japan site at amazon.co[.]jp. 
\r\nFigure 10: Post-submission page informing users that they may now access their account \r\nMessage volume \r\nFigure 11: Message volume, August 2020 through October to date \r\nProofpoint has tracked these messages since mid-August, but we have identified activity as early as June 2020 that\r\nappears to be tied to the same actor. While the messages are in Japanese and the landing pages geofenced to\r\nJapanese IPs, there is no clear pattern among recipients or industries, beyond being based in Japan or having\r\nbusiness presence in Japan. Given the loosely linear trajectory of daily message volume observed through late\r\nAugust and September, volume could continue to increase over the coming months. \r\nMonth  Average Message Volume Per Day \r\nAugust (from 8/18-8/30)  122,000 \r\nSeptember  424,000 \r\nOctober (to date)  750,000 \r\nInfrastructure \r\nTypically, the credential phishing landing page is an IP address, followed by “/ap/signin”: \r\nhxxp://103.192.179[.]54/ap/signin \r\nLess often, a domain is used in lieu of an IP address: \r\n00pozrjbpm[.]xyz/ap/signin \r\nHundreds of IP addresses have been used across multiple campaigns, as the actor tends to adopt new IP addresses\r\nfor each campaign, rather than reuse IP addresses. IP addresses belong to a variety of autonomous systems, with\r\nno clear pattern among geographies or providers.\r\nFigure 12: Top AS names for IP addresses used in lures from August 2020 through October to date \r\nThe domains used are *.xyz or *.cn TLDs, and some have been observed across multiple campaigns. The\r\n*.xyz domains are registered through GoDaddy, while the *.cn domains have a sponsoring registrar of 阿里云计算\r\n有限公司（万网） (Alibaba Cloud Computing). 
\r\nAugust 30-September 5 Campaign Landing Page Domains \r\nDomain Creation Date Registrant Details\r\n00pozrjbpm[.]xyz  2020-04-24 \r\nRegistrant State/Province: Xiang Gang \r\nRegistrant Country: CN \r\n1mmmms2jy8[.]xyz  2020-06-14 \r\nRegistrant State/Province: Xiang Gang \r\nRegistrant Country: CN \r\n4lz1qen0ls[.]xyz  2020-06-14\r\nRegistrant State/Province: Xiang Gang \r\nRegistrant Country: CN \r\n5b0rnizmhn[.]xyz  2020-04-24 \r\nRegistrant State/Province: Xiang Gang \r\nRegistrant Country: CN \r\nWhile much of the registrant data for these domains was redacted at the time we checked, we did notice\r\ncommonalities across ‘Creation Date’ and several of the registrant detail fields.  \r\nSeptember 6-12 Campaign Landing Page Domains \r\nDomain Creation Date Registrant Details\r\n00pozrjbpm[.]xyz  2020-04-24 \r\nRegistrant State/Province: Xiang Gang \r\nRegistrant Country: CN \r\njiyingkou[.]cn  2019-09-20 \r\nRegistrant: 王帅国 \r\nRegistrant Contact Email: rxbnn3[@]163[.]com \r\nenjinchang[.]cn  2019-09-19 \r\nRegistrant: 王帅国 \r\nRegistrant Contact Email: rxbnn3[@]163[.]com \r\njuhaicheng[.]cn  2019-09-20 \r\nRegistrant: 王帅国 \r\nRegistrant Contact Email: rxbnn3[@]163[.]com\r\ngetongliao[.]cn  2019-09-20 \r\nRegistrant: 王帅国 \r\nRegistrant Contact Email: rxbnn3[@]163[.]com \r\nApart from 00pozrjbpm[.]xyz, reused from the August 30-September 5 campaign, the domains for the September\r\n6-12 campaign share common traits. Like the previous set of domains, the creation dates and registrant\r\ninformation suggest that they may be related in some way. Moreover, “rxbnn3[@]163[.]com” is a prolific domain\r\nregistrant, as this address appears as a registrant contact across 251 domains as of this publication. 
In addition\r\nto the domains associated with rxbnn3[@]163[.]com shown above, the email is also linked to a number of domain\r\ngeneration algorithm-like domains:  \r\nswwkppe[.]cn \r\nlmkafwgi[.]cn \r\npdscmkq[.]cn \r\nawsmgrc[.]cn \r\nConclusion \r\nThe Amazon brand is commonly spoofed by threat actors seeking credentials, but the volume and persistence of\r\nthese campaigns set them apart from other Amazon-themed activity. The consistent reuse of message assets,\r\nlanding pages, and steadily increasing message volume suggest that this activity could be driven by a\r\nbotnet. Moreover, there is no apparent weekend lull in message volume, as we sometimes observe with less\r\nautomated operations. If this is indeed powered by a botnet, it’s unlikely that message volume will decrease\r\nsoon. Threat actors often make incremental changes to their operations, and elements like different branding or\r\ncollection of slightly different information could be easy pivot points for this actor over the coming months. \r\nIndicators of Compromise (IOCs) \r\nIOC IOC Type Description\r\nhxxp://182.16.26[.]194/ap/signin  URL Amazon Japan credential phish landing page \r\nhxxp://23.133.5[.]144/ap/signin  URL Amazon Japan credential phish landing page \r\nhxxp://43.249.30[.]212/ap/signin  URL Amazon Japan credential phish landing page \r\n00pozrjbpm[.]xyz/ap/signin  URL Amazon Japan credential phish landing page \r\njiyingkou[.]cn/ap/signin  URL Amazon Japan credential phish landing page \r\nenjinchang[.]cn/ap/signin  URL Amazon Japan credential phish landing page \r\nUpdate 30 June 2021: Proofpoint is still tracking this activity; however, it is no longer using geofencing\r\ntechniques.\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet"
	],
	"report_names": [
		"geofenced-amazon-japan-credential-phishing-volumes-rival-emotet"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c774af602cf781b62e2770c469fe3bae70b1b762.pdf",
		"text": "https://archive.orkl.eu/c774af602cf781b62e2770c469fe3bae70b1b762.txt",
		"img": "https://archive.orkl.eu/c774af602cf781b62e2770c469fe3bae70b1b762.jpg"
	}
}