Scareware Campaign Targets Business Users in Japan and Germany

During routine threat hunting research, we identified an email-driven technical support-related scareware campaign in which victims receive a spoofed message containing a spam URL. The sender IPs originate from multiple unrelated global regions, with targeting highly focused on Japan and German users in business sectors.  

When a user clicks the link, they are redirected to a scareware page written entirely in Japanese language, mimicking Microsoft Defender, designed to frighten the victims into believing their system is “infected with a dangerous virus” to trick victims into calling a fake tech support number.

It Starts with a Deceptive Email

The campaign distributes self-spoofing emails where From Address, Envelope Sender, and Recipient address are same and subject is “No-Reply”. Since SMTP allows spoofing and does not require these fields to be different. Spammers use this to bypass email filters allowing attackers to craft messages that appear internally generated.

Forcepoint is currently blocking 100,000+ such emails, indicating this is a high‑volume, ongoing spam run actively targeting business sectors in Japan and Germany.

The email body claims:

Your account is disabled. If you see this page, your entire account has been disabled. Find out why.

It then instructs the user to:

• Log in to their account via an embedded hyperlink: “hxxps://bumalocif[.]z7[.]web[.]core[.]windows.net /” 

Fig. 1 - Self-spoofing email
 

Fake Microsoft Defender Alert:

Upon visiting the embedded URL, the victim is redirected to a randomized file named html webpage “hxxps://bumalocif[.]z7[.]web[.]core[.]windows[.]net/uopcv94wr9vp[.]html”.  

The scareware page displays a full‑screen fake Microsoft Defender alert in Japanese, the page claims that the device is infected with a Trojan. It repeatedly overlays pop‑ups and warning banners to trap the user on the page and plays an audio alert in Japanese and pressures victim to call fake technical support number.

Full screen alert says:

Please contact the support center immediately. A technical specialist will assist you. If you do not take action, your PC will be disabled for security reasons.

Windows Defender – Security Alert!

A dangerous Trojan malware has been detected.

(Detection ID: #WK02BDF6L)

As part of security protection, your device has been locked.

Technical Support: (0101) 55138‑72525

Fig. 2 - Fake Defender alert page
 

A Highly Evasive Crypto(graphy)-Wrapped Delivery Mechanism

A closer examination of the HTML payload revealed multiple noteworthy evasion mechanisms employed by the threat actors.

The victim is redirected to a clean-looking HTML page that shows no obvious malicious code at first glance, but it quietly uses evasion techniques and encryption mechanisms to hide its true behaviour. Payload is hidden inside a Base64-encoded blob. 

Fig.3 - Base64-encoded blob
 

Examining the Encrypted Payload Structure:

The Base64 blob is first decoded using Cyberchef, resulting in a binary output that still appears random as shown in figures 4 and 5 below. But here is where attackers store a fully encrypted payload rather than readable text.

The decoded binary stream is 36,912 bytes, which splits cleanly into three cryptographic components:

1- [ IV (16 bytes) | AES Ciphertext (36864 bytes) | HMAC-SHA256 (32 bytes)]
IV (First 16 bytes):  Initialization Vector used to start AES encryption. 

Fig. 4 - Base64 decoded binary (part 1)
 

2- AES Ciphertext (36864 bytes):  Main encrypted data, containing the scareware HTML, JavaScript, images, and audio. 

3- HMAC-SHA256 (Last 32 bytes): Cryptographic signature used to verify AES ciphertext and IV were not modified.
[HMAC-SHA256 = IV(16 bytes)+AES Cypher text (36864 bytes)] 

Fig. 5 - Base64 decoded binary (part 2)
 

Verifying Integrity using HMAC-SHA256

The code below concatenates the IV and Ciphertext and computes HMAC-SHA256, if it matches with last 32 bytes in blob, it then proceeds to AES-decryption. 

Fig. 6 - Integreity verification
 

If HMAC does not match last 32 bytes in blob → page erased → redirect to blank page. To prevent tampering, accidental partial loading and reverse engineering without correct key.

AES-Cyphertext's Decryption Key Self-Destruction:

The Decryption key (i.e Fragment key) is stored in URL hash (i.e after .html#), padded to 32 bytes and used as AES-256 Key.

When the page “hxxps://bumalocif[.]z7[.]web[.]core.windows[.]net/uopcv94wr9vp[.]html” gets loaded and the moment fake Defender alert pops up, the key is erased immediately from the URL bar.

Fig. 7 - Decryption key wiped  from visible address bar
 

The decryption key can be recovered by viewing page source of subdomain “hxxps://bumalocif[.]z7[.]web[.]core[.]windows[.]net/.”  

We found the decryption key to be (#ldeOMF0t0VoPJuv4). 

Fig. 8 - Decryption key loaded on address bar(#ldeOMF0t0VoPJuv4) 
 

Decrypting AES-Cyphertext:

The browser takes the 32‑byte key (built from the URL #) and the 16‑byte IV from the blob, then applies AES‑256 in CBC mode to decrypt the ciphertext block‑by‑block back into readable HTML. 

Fig. 9 - Decrypting AES-cyphertext 
 

Using Python, we then decrypted the 36,864‑byte ciphertext with AES‑256‑CBC, IV, and the decryption key‑derived with NUL‑padded 32‑byte key yielding the final decrypted readable HTML.

Post‑Decryption Scareware Logic

After decrypting the AES‑encrypted payload, the script reveals a fully weaponized browser‑locking routine that disables input, forces full screen, triggers alarm audio and traps the victim inside an un-closable scareware loop.

Aggressive Input Blocking

Once the decrypted scareware interface loads, the script immediately disables all forms of user interaction to simulate a system level lock screen.

Fig. 10 - Blocks every key on keyboard
 

Blocked Interactions observed:

• Right-click context menu
• All keyboard input
• Escape (ESC) key
• Browser function keys (F5, F11, F12, etc.)

Purpose:
To prevent the victim from exiting the scare page, inspecting developer tools, or refreshing the session.

Forced Fullscreen Takeover

The scam page tries to take over victim’s entire screen so victim cannot see:

• A Close (X) button
• The Taskbar
• Browser tabs 

Fig. 11 - Forced full screen
 

Purpose: 
Fullscreen mode makes the warning look like a real Windows system message instead of a normal website.

Audio-Driven Panic Induction

Embeds an audio player that auto-starts warning sound to build panic. 

Fig. 12 - Warning MP3 in Nihongo, a native Japanese language
 

A pre-recorded Japanese warning alert states:

Your computer has been locked. Your IP address was used to access a website containing personal information theft viruses without your knowledge or consent. To unlock your computer, please contact support immediately. Do not shut down or restart your computer, as this may lead to data loss or personal information theft. The computer lock is intended to stop illegal activity. Please call support right away.

Un-closable Browser Tab Behaviour

Implements multiple layers of anti-exit techniques to trap the user inside the page. 

Fig. 13- Un-closable browser tab
 

If the victim tries to close the tab:

• A new tab opens immediately
• The same page reloads
• Browser navigation events are intercepted

Purpose: 
To convince the victim it deals with a real infection and delays the victim’s ability to think rationally.

Browser Freezing via Web Worker Flooding

The script spawns multiple Web Workers running infinite loops and freezes browser.  

Fig. 14 - Browser freeze
 

Fake Technical Support Number

(0101) 55138-72525, “0101” is not a valid Japanese, German or US support prefix.
Still, in many cases, victims may simply dial the number. They might not notice the prefix is invalid, since the message preys on fear.

When victims call the number, they risk losing money or allowing scammers to gain remote access to their device.

Conclusion

This scareware campaign combines self-spoofing emails, Azure-hosted scam sites and fake Microsoft Defender warnings with audio-based social engineering to force users into contacting fraudulent support operators. While technically simple, the psychological manipulation proves highly effective. Attackers continue to rely on scareware because it works especially when combined with trusted branding, cloud hosting and self-address spoofing to maximize inbox delivery rates.

Protection Statement:  

Forcepoint customers are protected against this threat at the following stages of attack:

• Lure – Emails are blocked by Heuristic detection. URLs are blocked by web analytics.
• Redirect – Spam URLs are blocked with Realtime scanning signatures.

Mitigation Steps:

• Close the browser using Task Manager if the page cannot be exited.
• Do NOT call any support numbers shown.
• Do NOT install any software suggested by such pages.
• Clear browser cache & history.
• Run a antivirus scan.

IOCs:

• hxxps://bumalocif[.]z7[.]web[.]core[.]windows.net/
• hxxps://tuyayafana[.]z31[.]web[.]core[.]windows[.]net/
• hxxps://zosewayeri[.]z38[.]web[.]core[.]windows[.]net/
• hxxps://bipewaga[.]z32[.]web[.]core[.]windows[.]net/
• hxxps://fuvesepiwo[.]z1[.]web[.]core[.]windows[.]net/
• hxxps://tisocadoy[.]z1[.]web[.]core[.]windows[.]net/
• hxxps://cezuyibiva[.]z33[.]web[.]core[.]windows[.]net/
• hxxps://dolivava[.]z4[.]web[.]core[.]windows[.]net/
• hxxps://yubofanow[.]z27[.]web[.]core[.]windows[.]net/
• hxxps://bogavunow[.]z22[.]web[.]core[.]windows[.]net/
• hxxps://teereayi[.]z22[.]web[.]core[.]windows[.]net/
• hxxps://barafido[.]z14[.]web[.]core[.]windows[.]net/
• hxxps://diyozinela[.]z13[.]web[.]core[.]windows[.]net/
• hxxps://nusumitetu[.]z23[.]web[.]core[.]windows[.]net/
• hxxps://tedepacoc[.]z1[.]web[.]core[.]windows[.]net/
• hxxps://zizozemeca[.]z31[.]web[.]core[.]windows[.]net/
• hxxps://yocadisil[.]z1[.]web[.]core[.]windows[.]net/
• hxxps://depudetuz[.]z43[.]web[.]core[.]windows[.]net/
• hxxps://mubereceg[.]z16[.]web[.]core[.]windows[.]net/
• hxxps://nusedaduf[.]z33[.]web[.]core[.]windows[.]net/