Yodobashi Camera Users Under Attack from a New Wave of Phishing Attacks


A new wave of phishing attacks impersonating Japanese electronics retail giant Yodobashi Camera has emerged, leveraging urgency and brand trust to steal customer credentials.

Cybersecurity firm Symantec reported the campaign, which uses emails titled “Yodobashi.com: ‘Customer Information’ Change Request Notification” to trick recipients into visiting fake login pages.

The attacks highlight evolving tactics in social engineering, including multi-stage redirects and exploitation of security tools to mask malicious intent.

The phishing emails, sent to Yodobashi customers since mid-February 2025, claim that the recipient’s account information has been altered and urge immediate verification.

The subject line reads: “ヨドバシドットコム:「お客様情報」変更依頼受付のご連絡_ID:[random_12_digits]” (in translation, Yodobashi.com: “Customer Information” Change Request Notification ID: [random_12_digits]).

Embedded links redirect users through multiple domains, including compromised websites and cloud-hosted pages, before landing on a spoofed Yodobashi login portal designed to harvest usernames, passwords, and payment details.

Notably, the campaign employs Symantec Click-Time URL Protection, a legitimate security service, to disguise malicious links.

Attackers generated fake “scanned by Symantec” banners within emails to falsely reassure recipients of legitimacy.

This tactic mirrors a 2024 phishing operation that abused Symantec’s URL rewriting tools to bypass email filters.

Yodobashi Camera Users Under Attack

Yodobashi Camera has been a repeated phishing target. In April 2020, attackers impersonated the retailer’s membership portal, directing victims to domains like yodobashi.mwc.[malicious domain].cn to steal credit card data.

The 2025 campaign, however, reflects advancements in localization and technical evasion.

For instance, subdomains now include Japanese-language strings (e.g., soumui, referencing Japan’s Ministry of Internal Affairs) to enhance credibility, a tactic previously observed in jp-domain phishing schemes.

Globally, phishing attacks have surged in complexity. Zscaler’s 2025 predictions warn of AI-generated content tailoring scams to individual victims, while “browser-in-the-browser” attacks mimic legitimate login windows.

The Yodobashi campaign aligns with these trends, utilizing dynamically generated IDs and localized lures to lower suspicion.

Multi-Stage Redirects:

Links in the emails route through benign-looking intermediary pages, such as PDF hosting sites, before reaching the phishing portal. This technique bypasses initial email scans and complicates threat detection.

Domain Spoofing:

Attackers registered domains like yodobash.curtain-[malicious domain].com, combining legitimate brand terms with randomized strings to avoid blacklisting. Homograph attacks using Japanese characters further obscure discrepancies.

Credential Harvesting:

The fake login page replicates Yodobashi’s official interface but lacks HTTPS encryption and displays irregular domain structures. Submitted data is exfiltrated to attacker-controlled servers, enabling identity theft and financial fraud.
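A defender-side triage check for the indicators described above (the subject-line pattern, brand terms in unofficial hosts, Japanese-character hostnames, and non-HTTPS links). This is an added example, not code from Symantec or the original article; treating `yodobashi.com` as the official domain, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the retailer's legitimate registered domain.
OFFICIAL_DOMAIN = "yodobashi.com"
# Truncated stem so look-alikes such as "yodobash." are also caught.
BRAND_STEM = "yodobash"
# Subject shape reported for this campaign: brand name ... "_ID:" + 12 digits.
SUBJECT_RE = re.compile(r"ヨドバシ.*_ID[:：]\s*\d{12}\b")

def host_of(url):
    """Return the lower-cased, IDNA-encoded hostname of a URL ('' if none)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host

def is_official(host):
    """True only for the official domain or one of its subdomains."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def score_message(subject, urls):
    """Return a list of reasons this message resembles the campaign."""
    reasons = []
    if SUBJECT_RE.search(subject):
        reasons.append("subject-matches-campaign-pattern")
    for url in urls:
        host = host_of(url)
        if not host or is_official(host):
            continue
        if BRAND_STEM in host:
            reasons.append(f"brand-in-unofficial-host:{host}")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append(f"punycode-label:{host}")
        if urlsplit(url).scheme != "https":
            reasons.append(f"non-https-link:{host}")
    return reasons

if __name__ == "__main__":
    # Constructed sample message; hosts use the reserved .example TLD.
    subject = "ヨドバシドットコム:「お客様情報」変更依頼受付のご連絡_ID:123456789012"
    links = ["http://yodobash.curtain-sample.example/login",
             "https://www.yodobashi.com/"]
    for reason in score_message(subject, links):
        print(reason)
```

Because the links in this campaign pass through intermediary pages first, the host checks are meaningful only on the final landing URL recorded by a sandbox or proxy, not on the first hop alone.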

With 942 GB of data stolen from Japanese automotive supplier HARADA INDUSTRY in a separate Qilin ransomware attack, businesses must prioritize employee training and AI-driven threat detection.

Symantec advises organizations to adopt “zero trust” frameworks, isolating user devices from critical networks to limit lateral movement post-breach.

As phishing tactics grow more sophisticated, consumer vigilance and industry collaboration remain pivotal in curbing digital fraud.

Yodobashi customers are currently advised to treat unsolicited account alerts with caution; a moment of skepticism could prevent irreversible financial and reputational damage.
