Japanese Cybercriminals New Addition To Underground Arena

Younger and smaller than its counterparts, the cybercrime underground marketplace in Japan imports cybercrime tools, uses secret jargon, and has a distinct focus on fake passports, firearms, and child pornography.

Japan is no stranger to cyber attacks and malware-related incidents—from recent malvertising attacks in early October to EMDIVI malware targeting Japan companies, and even to banking malware centered in the region in 2014. But even with Japan’s high-tech industries, the underground economy is still in its infancy stage as it develops into its own entity—a marketplace for all types of illegal activities buried deep into the rabbit hole we’ve uncovered.

Growing from Infancy

Other underground markets, such as Russia’s have since been established as a place where cybercriminals can shop for crimeware, products, and services. Japan’s, on the other hand, is still slowly gaining ground and often relies on other markets to “import” these tools.

Bulletin board systems (BBSs) and underground forums play a big role in helping the Japanese cybercriminal economy thrive. Through these, users can exchange messages via chat, email, and public message boards anonymously. On top of the anonymity that the forums offer, individuals use a secret jargon to mask their illegal transactions and opt for rather unconventional payment methods-a far cry from accepting ‘normal’ bitcoins and WebMoney as payment for their goods. These goods can be found within hidden sites that have information on child pornography, drugs, and other illegal offerings. A site called FAKE PASSPORT.ONION, for instance, sells passports for a minimum of US$700, and a website called Magical Onion serves as a trading platform for child pornography.

Figure 1. Fake passports, along with other forms of identification, sold in a counterfeit-passport shopping site called “FAKE PASSPORT.ONION”

Figure 2. Just like any other place in the Dark Web, some Japanese underground sites also serve as weapon depots

Figure 3. Child porn traded on Magical Onion

Japanese Market Offerings

Comparing the items sold in the underground, one interesting detail we found was that Japanese accounts sometimes were sold a higher price compared to other international credentials. For example, the average price of a (stolen) Japanese credit card was US$60 while a US card costs US$7 and a UK card, US$8. The US$60 price tag includes those cards that have been verified by Visa™ via the Verified by Visa (VBV) service. Incomplete and unverified credit card credentials were sold for US$10–59. Basic credentials, including owners’ names, credit card numbers, and expiration dates, cost less than US$10.

While credit card prices may vary, we found that Japanese PayPal®, and Secure Shell (SSH) account credentials cost the same as those from other countries. For example, PayPal accounts cost US$2 while SSH accounts cost US$1.40.

Products are not the only wares being peddled in the underground; the Japanese underground market also offers hacking advice. We found a site (likely owned by a Japanese) that offers a denial-of-service (DoS) tool and asks for PlayStation Store cards worth ¥1,000–3,000 (US$8.35–25.05) as payment.

Aside from forums and “tutorial” sites, another means by which hacking information is shared is via virtual PO boxes offered by several underground sites. Virtual PO boxes allow senders to generate unique addresses that they can send to receivers prior to using the messaging service. That way, they can anonymously exchange information with each other.

The Future of the Underground

Japan’s presence in the global cybercriminal underground, although still fairly small, is not negligible. Although our observations reveal that Japanese cybercriminals lack the technical know-how needed for malware creation, the interest is there, as evidenced by exchanges on how to monetize malware tools purchased from other regional underground markets. Once enterprising individuals discover the feasibility of making money using hacking or malware, we may see more locally produced hacking tools and tips on Japanese underground sites.

An in-depth look at our investigations into this growing cybercrime community can be found in our paper, The Japanese Underground. This investigation is part of our Cybercriminal Underground Economy Series (CUES), which looks at various online communities of cybercriminals. A link to this paper may be found below.