Japanese Insurance Tax Scam

Category: Scam Digging
Published: 2023

Text Message

Shortly after being in Japan for one year, I was greeted with a text stating I had an important notice from the government.

The URL led to a redirect page that used separate redirects for Android and Apple devices, then immediately self-destructed.

[Image: Text from a scammer with URL to sketchy-ass website]

1. Card Input

The redirect takes you to a page asking you to buy a prepaid card and enter how much you want to pay (40000). There are a few hardcoded validation checks, but dummy data that meets the criteria (e.g. A1B2C3D4E5F6G8H0) is enough to trigger the POST request.

The putcard method is called with a payload containing the card info you just entered: Origin=mhlw&Page=1&Val1=A1B2C3D4E5F6G8H0-40000%7C

2. Ticket Verification

You are then redirected to a screen asking you to upload a copy of the ticket you received when purchasing the card. They request JPEG as the accepted type, though only give the option for PNGs. I'm not sure why, but this was what annoyed me the most about the whole scam.

After submission, the upload method is called, passing the file as the only field in the payload.

The response contains the path of the stored file: static/upload/549734571679508766.jpg

This upload path consists of 8 random digits (54973457) followed by the current Unix timestamp (1679508766). Unfortunately, this naming convention makes it almost impossible to track down and inform victims by crawling URLs: the random prefix alone gives 100 million candidates for every second of upload time.

The putcard method is called one more time, this time passing a link to the uploaded image in the payload: Origin=Auorder&Page=2&Val3=https%3A%2F%2Fgxkrjmqfel.duckdns.org%2Fstatic%2Fupload%2F549734571679508766.jpg%7C
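The two putcard payloads and the upload file name above follow a fixed layout, which is what an incident responder would key on when reviewing a victim's proxy or SMS-link logs. The following is an added example, not code from the original post or from the scam kit: it decodes the Origin/Page/Val1 and Val3 form bodies, splits an upload name into its random prefix and Unix timestamp, and flags the duckdns.org hosts the kit was served from. The log lines it processes are constructed for the example.

```python
"""Triage helpers for the putcard/upload traffic described in the post.

Added example, not the scam page's own code: it parses the two POST body
formats the post documents (Origin/Page/Val1 for the card, Val3 for the
uploaded-ticket URL) and the static/upload/<8 digits><unix time>.jpg naming
scheme, so an analyst reviewing a victim's logs can pull out what was
submitted and when. The log lines below are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Both hosts named in the post are duckdns.org dynamic-DNS names.
DYNDNS_SUFFIXES = (".duckdns.org",)

# Val1 format seen in the post: <card code>-<amount>| (the pipe is sent as %7C)
CARD_RE = re.compile(r"^(?P<card>[A-Z0-9]{16})-(?P<amount>\d+)\|$")
# Upload file names: 8 random digits followed by a 10-digit Unix timestamp
UPLOAD_RE = re.compile(r"(?P<rand>\d{8})(?P<ts>\d{10})\.jpe?g$")


def parse_putcard(body: str) -> dict:
    """Decode a putcard form body into its fields.

    Page 1 carries the prepaid card code and amount in Val1; page 2 carries
    the uploaded ticket's URL in Val3. Fields that are absent stay None.
    """
    fields = parse_qs(body, keep_blank_values=True)

    def first(key):
        return fields.get(key, [None])[0]

    out = {"origin": first("Origin"), "page": int(first("Page") or 0),
           "card": None, "amount": None, "upload_url": None}
    m = CARD_RE.match(first("Val1") or "")
    if m:
        out["card"] = m.group("card")
        out["amount"] = int(m.group("amount"))
    val3 = first("Val3")
    if val3:
        out["upload_url"] = val3.rstrip("|")
    return out


def parse_upload_path(path_or_url: str):
    """Split an upload file name into its random prefix and upload time (UTC).

    Returns (random8, datetime) or None if the name does not match the scheme.
    """
    m = UPLOAD_RE.search(urlsplit(path_or_url).path)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    return m.group("rand"), ts


def is_dyndns_host(url: str) -> bool:
    """Flag URLs on the dynamic-DNS domain the kit used for its hosts."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(DYNDNS_SUFFIXES)


# Constructed sample log lines in the form "METHOD URL BODY" (not captured traffic)
SAMPLE_LOG = [
    "POST https://wxtoauejaw.duckdns.org/putcard Origin=mhlw&Page=1&Val1=A1B2C3D4E5F6G8H0-40000%7C",
    "POST https://gxkrjmqfel.duckdns.org/upload <multipart file=blob>",
    "POST https://wxtoauejaw.duckdns.org/putcard Origin=Auorder&Page=2&Val3=https%3A%2F%2Fgxkrjmqfel.duckdns.org%2Fstatic%2Fupload%2F549734571679508766.jpg%7C",
]


def triage(lines):
    """Walk log lines and report what a victim submitted to the kit."""
    findings = []
    for line in lines:
        method, url, body = line.split(" ", 2)
        if not (method == "POST" and is_dyndns_host(url)):
            continue
        host, path = urlsplit(url).hostname, urlsplit(url).path
        if path == "/putcard":
            rec = parse_putcard(body)
            if rec["upload_url"]:
                parsed = parse_upload_path(rec["upload_url"])
                rec["upload_time"] = parsed[1].isoformat() if parsed else None
            findings.append({"host": host, **rec})
        elif path == "/upload":
            findings.append({"host": host, "upload": True})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running the script prints one record per request: the card code and amount from page 1, the bare upload hit, and the page 2 record with the ticket URL resolved to its upload time (2023-03-22 18:12:46 UTC for the file name quoted above), which is the timeline an analyst needs when contacting a victim.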

3. Confirmation

The final page shows a fake confirmation screen with a randomly generated reference number.

4. What should you not do?

Despite a 5MB upload limit enforced by the form submission, requests made directly to the API can be up to 50MB.

Please do not write a script using the upload POST request linked below to upload images; this could result in them incurring additional server costs.

References

putcard POST Request

curl 'https://wxtoauejaw.duckdns.org/putcard' \
  -H 'authority: wxtoauejaw.duckdns.org' \
  -H 'accept: */*' \
  -H 'accept-language: en-GB,en;q=0.9' \
  -H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'origin: https://wxtoauejaw.duckdns.org' \
  -H 'referer: https://wxtoauejaw.duckdns.org/' \
  -H 'sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Windows"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36' \
  -H 'x-requested-with: XMLHttpRequest' \
  --data-raw 'Origin=mhlw&Page=1&Val1=A1B2C3D4E5F6G8H0-40000%7C' \
  --compressed

upload POST Request

curl 'https://gxkrjmqfel.duckdns.org/upload' \
  -H 'authority: gxkrjmqfel.duckdns.org' \
  -H 'accept: */*' \
  -H 'accept-language: en-GB,en;q=0.9' \
  -H 'content-type: multipart/form-data; boundary=----WebKitFormBoundarynmY1SuwTRXRW4d2X' \
  -H 'origin: https://wxtoauejaw.duckdns.org' \
  -H 'referer: https://wxtoauejaw.duckdns.org/' \
  -H 'sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Windows"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36' \
  --data-raw $'------WebKitFormBoundarynmY1SuwTRXRW4d2X\r\nContent-Disposition: form-data; name="file"; filename="blob"\r\nContent-Type: image/jpeg………… ETC ETC ETC