(C:)
phishing campaigns
Plala
ACTIVE CAMPAIGN
Plala, a major Japanese Internet service provider, is currently the target of an extensive phishing campaign. The phishing sites typically serve a fraudulent Plala login portal to the prospective victim, prompting them to enter a username and password:
Indicators of Phishing
The structure of nearly every Plala phishing page is almost identical, despite them spanning over a range of disparate domains.
The following are common attributes between all the pages:
- The title of the page is ぷらら Webメール
- Comments
- ========= HEADER =========
- ========= CAUTION =========
- ========= CONTENTS =========
- ========= FOOTER =========
- The phishing page itself is generally hosted within a */Sites/ subdirectory
- Victim credentials are exfiltrated via a POST request to
- {MALICIOUS_DOMAIN}/Sites/cgi-binsso/pf/agent_sso[.]php
Mapping Out the Campaign
The phishing campaign appears to rely on both compromising vulnerable websites and purchasing domains as a means of facilitating the campaign’s infrastructure.
To determine the extent of the campaign, we used PhishTank’s (PT) regularly-updated list of submitted phishing domains. Scanning purely for domains with the keyword “plala”, we can observe the following list of malicious/compromised domains:
- hxxps[://]43cr[.]com/plala-account
- hxxps[://]arntours[.]com/plalawebmail/Sites/index[.]html
- hxxps[://]jnintllc[.]com//plala[.]web[.]jp/Sites/index[.]html
- hxxps[://]hupp234[.]com/plalawebmail/Sites/index[.]html
- hxxps[://]ruchitadesigncompany[.]com/plala[.]web001/Sites/index[.]html
- hxxps[://]flotek[.]com[.]np/verify[.]plala[.]jp/Sites/index[.]html
- hxxps[://]demo[.]zerotheme[.]ir/peak/back/plalala/Sites/
- hxxps[://]lebrewcrew[.]com/verification[.]plala[.]jp/Sites/index[.]html
- hxxps[://]thebeanproject[.]com[.]au/plala10/Sites/index[.]html
- hxxps[://]thebeanproject[.]com[.]au//mail[.]plala[.]web/Sites/index[.]html
- hxxps[://]profinsagt[.]com/activeplala/Sites/index[.]html
- hxxps[://]beeftrans[.]com[.]au/plala[.]verify/Sites/index[.]html
- hxxps[://]plapla11[.]com/plalaa[.]or[.]jp/update1/
- hxxps[://]cerrajeriajutiapaymas[.]com/plala[.]emailverify/Sites/index[.]html
- hxxps[://]trenuleteturda[.]ro/plala,vrify/Sites/index[.]html
- hxxps[://]robsauto[.]com[.]au/plala/Sites/index[.]html
- hxxps[://]flotek[.]com[.]np//web[.]plala[.]jp/Sites/index[.]html
- hxxps[://]ihsanprime[.]com/gm/?uid=support@plala[.]or[.]jp
- hxxps[://]garciamerlos[.]com/accountplalaupdate/Sites/index[.]html
- hxxps[://]coaccorpotranst[.]fin[.]ec/plalalID/sso[.]login/login2[.]php
- hxxps[://]consultorianegociosmx[.]com/plala[.]verify/Sites/index[.]html
- hxxps[://]jmisyringe[.]com/storage/plalala/sso[.]login/login2[.]php
- hxxps[://]fotoyvideopixel[.]com//plalajp/Sites/index[.]html
- hxxps[://]bafkreihfcomnplalaeyii4lnu7heg45aqntjwl52jjzcpvvaj4l3z5yiua[.]ipfs[.]dweb[.]link/
- hxxps[://]divinopolisclube[.]com[.]br/plalaorg/Sites/index[.]html
- hxxp[://]icongt[.]com//Accoutupdate@plala[.]or[.]jp/Sites/index[.]html
- hxxp[://]roostersgt[.]com//Accountupdate@plala[.]or[.]jp/Sites/index[.]html
- hxxp[://]attisguatemala[.]com//web[.]plala/Sites/index[.]html
- hxxps[://]nutrodry[.]in//plala60/Sites//index[.]html
- hxxps[://]trenuleteturda[.]ro/pplala[.]or/Sites/index[.]html
with the earliest recorded instance of a campaign domain appearing in the PT database on June 6th of 2025.
If we expand our definition of a campaign site to include the frequently used /Sites/index.html filepath, we see an even greater list of malicious/compromised domains:
- hxxps[://]43cr[.]com/plala-account
- hxxps[://]srikrishnahardwares[.]com/MentorAccount/Sites/index[.]html
- hxxps[://]turnkeyhosting[.]com//CHECKINGACCONT2035/Sites/index[.]html
- hxxps[://]alwalaemfood[.]com/pl/Sites/index[.]html
- hxxps[://]xetadesigns[.]com//ACCOUNTUPDATE2025/Sites/index[.]html
- hxxps[://]palivor360[.]com//CHECKACCOUNT2025/Sites/index[.]html
- hxxps[://]arntours[.]com/plalawebmail/Sites/index[.]html
- hxxps[://]icm[.]pe//pla/Sites/index[.]html
- hxxps[://]ncnet[.]ro//picolo/Sites/index[.]html
- hxxps[://]quickridecabs[.]com/accountupdate2025/Sites/index[.]html
- hxxps[://]aibtechnology[.]com/Softaccount/Sites/index[.]html
- hxxps[://]jnintllc[.]com//plala[.]web[.]jp/Sites/index[.]html
- hxxps[://]kubmohanigltd[.]ng/Softaccount/Sites/index[.]html
- hxxps[://]aibtechnology[.]com/Dementor/Sites/index[.]html
- hxxps[://]anandamargamx[.]com//CHECKUPDATE2025/Sites/index[.]html
- hxxps[://]easyfilingcabinet[.]com//CHECKINGACCONT2035/Sites/index[.]html
- hxxps[://]hupp234[.]com/plalawebmail/Sites/index[.]html
- hxxps[://]ruchitadesigncompany[.]com/plala[.]web001/Sites/index[.]html
- hxxps[://]flotek[.]com[.]np/verify[.]plala[.]jp/Sites/index[.]html
- hxxps[://]demo[.]zerotheme[.]ir/peak/back/plalala/Sites/
- hxxps[://]breadsocials[.]com//CHECKUPDATE2025/Sites/index[.]html
- hxxps[://]dperera[.]es/yoursafety/Sites/index[.]html
- hxxps[://]lebrewcrew[.]com/verification[.]plala[.]jp/Sites/index[.]html
- hxxps[://]schaengold[.]com/CHECKUPDATE2025/Sites/index[.]html
- hxxps[://]thebeanproject[.]com[.]au/plala10/Sites/index[.]html
- hxxps[://]www[.]tintlorigh[.]com/pza[.]verify/Sites/index[.]html
- hxxps[://]profinsagt[.]com/protectaccount/Sites/index[.]html
- hxxps[://]thebeanproject[.]com[.]au//mail[.]plala[.]web/Sites/index[.]html
- hxxp[://]profinsagt[.]com/accountupgrade/Sites/index[.]html
- hxxps[://]profinsagt[.]com/activeplala/Sites/index[.]html
- hxxps[://]salvident[.]com//Plalawebmailupdate/Sites/index[.]html
- hxxps[://]tashkatech[.]com/Softaccount/Sites/index[.]html
- hxxps[://]thepediatimes[.]com/YourSafety/Sites/index[.]html
- hxxps[://]beeftrans[.]com[.]au/plala[.]verify/Sites/index[.]html
- hxxps[://]plapla11[.]com/plalaa[.]or[.]jp/update1/
- hxxps[://]khazaei[.]click/yoursafety/Sites/index[.]html
- hxxps[://]rt[.]nehp0[.]shop//pza/Sites/index[.]html
- hxxps[://]cerrajeriajutiapaymas[.]com/plala[.]emailverify/Sites/index[.]html
- hxxps[://]mandlothbrok[.]com/PLAverify/Sites/index[.]html
- hxxps[://]nw[.]empoparais[.]click/Softaccount/Sites/index[.]html
- hxxps[://]urbanizacionesca[.]com/Softaccount/Sites/index[.]html
- hxxps[://]trenuleteturda[.]ro/plala,vrify/Sites/index[.]html
- hxxps[://]robsauto[.]com[.]au/plala/Sites/index[.]html
- hxxps[://]flotek[.]com[.]np//web[.]plala[.]jp/Sites/index[.]html
- hxxps[://]rr2[.]mx/pla[.]or/Sites/index[.]html
- hxxps[://]magroupsa[.]net/supportupdate/Sites/index[.]html
- hxxps[://]ihsanprime[.]com/gm/?uid=support@plala[.]or[.]jp
- hxxps[://]garciamerlos[.]com/accountplalaupdate/Sites/index[.]html
- hxxps[://]coaccorpotranst[.]fin[.]ec/plalalID/sso[.]login/login2[.]php
- hxxps[://]consultorianegociosmx[.]com/plala[.]verify/Sites/index[.]html
- hxxps[://]ausumengineering[.]com/JP/Sites/index[.]html
- hxxp[://]tasinsa[.]com[.]gt/account[.]upgrade/Sites/index[.]html
- hxxps[://]jmisyringe[.]com/storage/plalala/sso[.]login/login2[.]php
- hxxps[://]andyroy[.]com/PlA/Sites/index[.]html
- hxxps[://]servitecsa[.]co/Accountupdate/Sites/index[.]html
- hxxps[://]fotoyvideopixel[.]com//plalajp/Sites/index[.]html
- hxxps[://]backaniang[.]com//UpdateAccount/Sites/index[.]html
- hxxps[://]funeraleslopezgt[.]com/updateyouraccount/Sites/index[.]html
- hxxps[://]bafkreihfcomnplalaeyii4lnu7heg45aqntjwl52jjzcpvvaj4l3z5yiua[.]ipfs[.]dweb[.]link/
- hxxps[://]vittorosi[.]com/accountupgrade/Sites/index[.]html
- hxxps[://]nextgen-football[.]it/plaa/Sites/index[.]html
- hxxps[://]divinopolisclube[.]com[.]br/plalaorg/Sites/index[.]html
- hxxps[://]sherbrookprivate[.]com[.]au/PLZ/Sites/index[.]html
- hxxps[://]prendasglob[.]com/account[.]upgrade/Sites/index[.]html
- hxxps[://]nextgen-football[.]it/pla/Sites/index[.]html
- hxxps[://]nobelsecuritygroup[.]com/Accoutupdate/Sites/index[.]html
- hxxps[://]ambitionmu[.]com/ZipuP/Sites/index[.]html
- hxxps[://]cidaderefugio[.]com[.]br/plaa/Sites/index[.]html
- hxxps[://]cibernet18[.]com/Softaccount/Sites/index[.]html
- hxxp[://]icongt[.]com//Accoutupdate@plala[.]or[.]jp/Sites/index[.]html
- hxxp[://]roostersgt[.]com//Accountupdate@plala[.]or[.]jp/Sites/index[.]html
- hxxp[://]roostersgt[.]com/Softaccount/Sites/index[.]html
- hxxp[://]tekdatagt[.]com/mail[.]verify/Sites/index[.]html
- hxxp[://]attisguatemala[.]com//web[.]plala/Sites/index[.]html
- hxxps[://]smartwalletinvestments[.]com/plaa/Sites/index[.]html
- hxxps[://]pyrsa[.]net/account[.]update/Sites/index[.]html
- hxxps[://]comercialvolpato[.]com[.]br/pza/Sites/index[.]html
- hxxps[://]bossyotis[.]com/activeplala/Sites/index[.]html
- https://hongkonginternationalhomewarescoltd.com/yoursafety/Sites/index.html
- hxxps[://]i-care[.]one/Softaccount/Sites/index[.]html
Here, the earliest known Plala campaign domain appears in the PT database on May 21st of 2025.
Still yet, domains such as
- hxxps[://]vittacalzature[.]com/gmo/undexc/system[.]php?praga=ff8f3033b8c3010d54c1ece62222c79d&pid=ff8f3033b8c3010d54c1ece62222c79d&frameworkff8f3033b8c3010d54c1ece62222c79d=ff8f3033b8c3010d54c1ece62222c79d&zonealldom=support@plala[.]or[.]jp&ubuntu=ff8f3033b8c3010d54c1ece62222c79d&about=ff8f3033b8c3010d54c1ece62222c79d-contact
- hxxps[://]netfibratelecomunicacoes[.]com[.]br/admin-index/webmail_login[.]php
- hxxps[://]ploplae220[.]com/cgi-bin/update1/
target Plala employees without adhering to either of the previously mentioned patterns.
On 8/31/25 and 9/1/25 alone, nearly a dozen new Plala domains were submitted to the PT database:
- hxxps[://]www[.]atlascargocorp[.]com//plala[.]or/Sites//index[.]html
- hxxps[://]garudaindonesia-ksa[.]com/update[.]plala[.]or[.]jp/Sites/index[.]html
- hxxps[://]cashappagent[.]com/plala[.]or/Sites/index[.]html
- hxxps[://]rv[.]0017[.]cf/MentorAccount/Sites/index[.]html
- hxxps[://]deepstratum[.]com/plalaupgrade/Sites/index[.]html
- hxxps[://]bafawatlabs[.]com/Inks/pla_bins/agent[.]php
- hxxps[://]marquetconsulting[.]com/plalaa[.]or/Sites/index[.]html/
- hxxps[://]seguro-residencial[.]com/PLAverify/Sites/index[.]html
- hxxps[://]zv[.]inexequibles[.]click/AccountMentor/Sites/index[.]html
- hxxps[://]tinklas[.]com[.]br/yoursafety/Sites/index[.]html
- hxxps[://]jmdstrack[.]com/accountsecurity/Sites/index[.]html
Plala campaign sites continue to roll out on a regular basis; employees likely face exhaustion from having to constantly check where they are logging in, and the likelihood of a succesful attack grows with every new compromised website or registered domain. This page will continue to be updated with new links. If you encounter a Plala campaign phishing page that is not present here, please contact us at cybersecurenotif@proton.me.
NzUgNjEgNjcgNjIgNjQgNmUgNjQgNmYgNjEgNzMgNmEgNzMgNjIgNjQgMjAgNmMgNzMgNmIgNjQgNmUgMjAgNjEgNmYgNzMgNjkgNjQgNmUgNzMgNmMgNjE=
