Japanese Insurance Tax Scam

Japanese Insurance Tax Scam

Category
Scam Digging
Published
2023

Text Message

Shortly after being in Japan for one year, I was greeted with a text stating I had an important notice from the government.

The URL led to a redirect page that used separate redirects for Android/Apple, then immediately self-destructed.

Text from a scammer with URL to sketchy-ass website
Text from a scammer with URL to sketchy-ass website

1. Card Input

The redirect takes you to a page asking you to buy a prepaid card + enter how much you want to pay (40000). There are a few hardcoded validation checks, though you can enter some dummy data (e.g: A1B2C3D4E5F6G8H0) that meets the criteria to trigger the POST method.

image
image

The method putcard is called, along with a payload containing the card info you just entered: Origin=mhlw&Page=1&Val1=A1B2C3D4E5F6G8H0-40000%7C

2. Ticket Verification

You are then redirected to this screen asking you to upload a copy of the ticket you received when purchasing the card. They request JPEG as the accepted type, though only give the option for pngs - I’m not sure why but this was what annoyed me the most about the whole scam.

image
image

After submission, the upload method is called, passing the file as the only field in the payload.

The response includes a copy of the URL that is returned: static/upload/549734571679508766.jpg

This upload URL is comprised of 8 random digits 54973457and the current unix timestamp 1679508766. Unfortunately, this naming convention makes it almost impossible to track down and inform victims by crawling URLs.

The putcard method is called one more time, this time passing a link to the uploaded image in the payload: Origin=Auorder&Page=2&Val3=https%3A%2F%2Fgxkrjmqfel.duckdns.org%2Fstatic%2Fupload%2F549734571679508766.jpg%7C

3. Confirmation

The final screen shows a fake confirmation screen, that generates a random reference number.

image
image

4. What should you not do?

Despite a 5MB upload limit via the form submission, requests made via the API directly can be up to 50MB.

Please do not write a script using the upload POST request linked below to upload images, this could result in them incurring additional server costs.

References

putcard POST Request

upload POST Request