Dissecting One Click Frauds
Nicolas Christin, CMU INI/CyLab
Sally S. Yanagihara, CMU INI/CyLab
Keisuke Kamataki, CMU CS/LTI
What is “One Click Fraud”?
Pervasive online fraud found in Japan since 2004
Victim clicks on an (innocuous) HTML link (email, website, or SMS variants)…
… only to be told they entered a binding contract…
… and are required to pay a nominal fee, or “legal actions” would be taken
One Click Contracts/Frauds, Wikipedia: http://ja.wikipedia.org/wiki/ワンクリック詐欺
Why do victims pay?
One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html
The fraud page shows the victim's IP address and a notice that “contact information has been recorded”
It shows the victim a sample of the billing statement that will be sent to their home (a postcard with a pornographic picture)
Fear of loss of reputation!
Problem importance
Quite large monetary impact: roughly 2.6 billion yen (~30 million US dollars) annually since 2004*
Victims' private information and payment are leaked within the underground community, exposing them to more frauds**
Actual market size, damages, and number of victims are unknown due to the embarrassment factor; only 2,859 cases (657 arrests) are solved each year
*Japan Police Force Annual Report 2004-2009
**http://journal.mycom.co.jp/articles/2009/04/24/adultsite1/index.html
A persisting plague
Incidents filed with the police show a rise since emergence in 2004
The IPA Helpdesk shows a record high for “One Click Fraud”
Although shown to be effective in 2007, police efforts and mandated laws are not applicable measures for fraud prevention today
[Figures: Monetary Damages (million yen) per year, 2004-2009 (Jan-Oct); Arrest Cases per year, 2004-2009 (Jan-Oct); Arrested Persons per year, 2004-2009 (Jan-Oct); Calls to IPA relative to One Click Frauds, monthly, Aug 2005 to Oct 2009]
Japan Police Force Annual Report 2004-2009
Research questions
What makes One Click Fraud easy to perpetrate?
  ▪ What vulnerabilities do we have in our infrastructure?
  ▪ How are criminals exploiting those vulnerabilities?
Who is committing these crimes? “Random crooks”, or… is there evidence of any organized criminal activity?
  ▪ Do they operate in groups?
  ▪ Can they be linked to other forms of online crime?
How should we address this problem?
  ▪ Technological vs. economic vs. legal remedies
Collecting instances of One Click Frauds
Source of data: “vigilante” websites posting information about frauds
2 Channel (2ちゃんねる 掲示板), http://society6.2ch.net/test/read.cgi/police/1215642976
  ▪ Japan's largest BBS, provides information on multiple topics; we focus on the ‘One Click Fraud’ posts
  ▪ Potential difficulty: posts are written in natural language with lots of noise, potentially hard to parse automatically
Koguma-neko Teikoku (こぐまねこ帝国), http://kogumaneko.tk/
  ▪ Privately owned website providing consumer information and Internet-related helpdesks
  ▪ Structured reports, parsing easy
Wan-Cli Zukan (ワンクリ図鑑), http://zukan.269g.net/
  ▪ Privately owned website posting specifically One Click Fraud websites
  ▪ Structured reports, parsing easy
Data collection methodology
Extract the following attributes from each report and store them in a MySQL database:
  URL
  Bank account ID
  Bank account name*
  Bank branch name
  Bank name
  Phone number
  DNS information
  ▪ Registrar info
  ▪ Double DNS / reverse-DNS lookup
  Required amount
Unforgeable attributes*
[2ch Example]
*The bank account owner's name can be falsified, but the account itself is genuine (not false)
Two-dimensional analysis
1. Look for patterns across frauds in:
  DNS information (registrars, name servers)
  Phone numbers used
  Bank accounts used
  Fraud amount
2. Draw correlations to link several frauds to the same perpetrators
  e.g. Website 1 and Website 2 share a common bank account!
[Figure: Syndicate's Registration Fee (Top 10), website count per amount of money (yen); amounts shown: 5,000; 35,000; 40,000; 45,000; 50,000; 55,000; 60,000; 80,000; 90,000; 100,000]
Fraud amount
Registration fees are primarily 50,000 yen (USD $500)
Matches the average Japanese businessman's monthly allowance* (45,600 yen)!
*In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.
Fraud amount (top 10 most common)
Syndicate's Telephone Share
  au 38.6%
  Softbank 23.3%
  Tokyo Pref. 16.5%
  Free Dial 10.5%
  Docomo 10.3%
  Osaka Pref. 0.4%
  Hyogo Pref. 0.4%
  Gunma Pref. 0.2%
Japan Cellphone Market Share 2009
  NTT Docomo 48.5%
  au 27.4%
  Softbank 18.5%
  Willcom 4.0%
  eMobile 1.5%
Phone numbers used
“au (by KDDI)” may have lax restrictions for new contracts
Tokyo ’03-***’ numbers may be numbers using transfer services
Fraudsters’ phone numbers
Bank accounts used
No “smoking gun” here
Internet banks make it easier to create bank accounts since there is no physical interaction; more prone to abuse
Syndicate's Bank Count (Top 10)
  Seven Bank 17%
  Mizuho Bank 16%
  Mitsui Sumitomo Bank 14%
  Shinsei Bank 13%
  Mitsubishi Tokyo UFJ Bank 12%
  Tokyo Tomin Bank 8%
  Risona Bank 6%
  Tokyo Star Bank 6%
  eBank 4%
  Japan Net Bank 4%
Japan Bank Market 2009 (Top 8)
  Japan Post Bank Co. 26%
  Mitsui (Tokyo) UFJ Financial Group 25%
  Mizuho Financial Group 20%
  Sumitomo Mitsui Financial Group 16%
  Risona Holdings Inc. 5%
  Sumitomo Trust & Banking Co. 3%
  Chuou Mitsui Trust & Banking Co. 2%
  Shinsei Bank 2%
  Aozora Bank 1%
Bank accounts used in frauds
Syndicate's Top 10 Registrar
  ENOM, INC. 56%
  GMO INTERNET, INC. 20%
  ABOVE, INC. 6%
  GODADDY.COM, INC. 5%
  TUCOWS INC. 4%
  KEY-SYSTEMS GMBH 3%
  NEW DREAM NETWORK, LLC 2%
  ABDOMAINATIONS 1%
  ALLEARTHDOMAINS 1%
  DOTSTER 1%
  MONIKER 1%
Global Top 10 Registrar
  GO DADDY 40%
  ENOM INC. 11%
  TUCOWS 9%
  NETWORK SOLUTIONS 8%
  SCHLUND+PARTNER 6%
  MELBOURNE IT 6%
  WILD WEST DOMAINS 4%
  MONIKER 3%
  REGISTER.COM 3%
  PUBLIC DOMAIN REGISTRY 3%
  KEY-SYSTEMS 2%
  XINNET.COM 2%
  ONLINENIC 1%
  FABULOUS.COM 1%
  DOTSTER 1%
DNS registrars
Evidence of a bias. Is this due to lack of enforcement? Questionable subcontracting (resellers)?
Fraudulent websites’ registrars
[Figure: Syndicate's DNS Resellers, count of fraud sites per DNS reseller/name server; the largest reseller accounts for 37 sites, followed by 16, 12 and 8, then a long tail of resellers with 1 to 3 sites each]
DNS resellers/Web hosting services
Fraudsters' choice of DNS reseller can be determined by grouping name servers
Resellers very often also offer web hosting services
  ▪ Maido3.com is a reseller of Tucows Inc
  ▪ Value-Domain.com is a reseller of Enom Inc
  ▪ DreamHost.com is a reseller/branch of New Dream Network LLC
Intermediate summary
Fraud amount
  ▪ Grouped at 50,000 yen
  ▪ Not affected by time or by Japanese economic conditions
Cellphones, telephones
  ▪ “au (KDDI)” brand cellphones may have lax contracting restrictions
  ▪ Tokyo “03-**” numbers probably due to phone number transfer services
Bank accounts
  ▪ No “smoking gun”
  ▪ Internet banks make it easier to create fraud accounts, possibly due to no physical interaction
DNS registrars and web hosting services
  ▪ Biased to specific DNS vendors
  ▪ DNS vendor resellers can be found by registered name server
1. Look for patterns across frauds in: DNS registrar, phone numbers, bank accounts, registration fee
Organized criminal groups
Identified (at most) 105 organized criminal groups
On average, each group maintains 4.65 websites, 6.65 bank accounts, 2.01 phone numbers
A few “syndicates” seem responsible for most of the frauds
[Figure: Maintained Websites per Syndicate, number of maintained sites by group (G1 through G104), sorted in descending order; the largest group maintains 56 websites and the second 33, while most groups maintain only 1 to 3]
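As an added example (not part of the original slides or the authors' code), the following Python script groups scraped reports by the linking attributes described in the two-dimensional analysis (a shared bank account or phone number) and then computes the per-group website, bank account and phone number counts that this slide averages; the sample reports, URLs, accounts and numbers are constructed.

```python
import re
from collections import defaultdict

# Constructed sample reports (invented URLs, accounts, numbers; not real data),
# shaped like the attributes extracted from each vigilante-site report.
REPORTS = [
    {"url": "site-a.example", "bank": "Bank A/1234567", "phone": "03-0000-0001", "ns": "ns1.host-x.example"},
    {"url": "site-b.example", "bank": "Bank A/1234567", "phone": "090-0000-0002", "ns": "ns1.host-y.example"},
    {"url": "site-c.example", "bank": "Bank B/7654321", "phone": "090 0000 0002", "ns": "ns1.host-z.example"},
    {"url": "site-d.example", "bank": "Bank C/1111111", "phone": "0120-000-003", "ns": "ns1.host-x.example"},
    {"url": "site-e.example", "bank": "Bank D/2222222", "phone": "0120-000-004", "ns": "ns1.host-w.example"},
]

def normalize_phone(number):
    # Digits only, so "090-0000-0002" and "090 0000 0002" compare equal.
    return re.sub(r"\D", "", number)

def link_frauds(reports, link_keys=("bank", "phone")):
    # Union-find: two sites fall in one group when they share a value of any
    # link key. Bank account and phone number qualify because the account is
    # genuine even when its owner name is forged; the name server is left out,
    # since sharing a hosting reseller alone is weak evidence of a common operator.
    parent = {r["url"]: r["url"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (key, value) -> url of the first report carrying it
    for r in reports:
        for key in link_keys:
            value = r.get(key)
            if not value:  # reports often lack an attribute; skip, don't link
                continue
            if key == "phone":
                value = normalize_phone(value)
            owner = first_seen.setdefault((key, value), r["url"])
            ra, rb = find(owner), find(r["url"])
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(list)
    for r in reports:
        groups[find(r["url"])].append(r["url"])
    return sorted(sorted(g) for g in groups.values())

def group_stats(reports, groups):
    # Per group: sites, distinct bank accounts, distinct phone numbers (the
    # three quantities the slide averages as 4.65 / 6.65 / 2.01).
    by_url = {r["url"]: r for r in reports}
    return [{"sites": len(g),
             "banks": len({by_url[u]["bank"] for u in g if by_url[u].get("bank")}),
             "phones": len({normalize_phone(by_url[u]["phone"]) for u in g if by_url[u].get("phone")})}
            for g in groups]
```

Passing link_keys=("ns",) instead groups by name server, which is how the reseller view on the earlier slides is obtained, but it should not be read as evidence of a common operator.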
“Trojan.HachiLem” Malware
A family of scams actually contains some malware (in the form of a downloadable “video”)
Trojan in .exe format
  ▪ Collects email addresses in Outlook Express and Becky!
  ▪ Sends information back to the “hachimitsu-lemon.com” server (has been taken down for a while)
  ▪ Information used to blackmail victims, notifying them that they “owe” registration fees
Recently seen on Oct 26th, 2009
“Relatively” harmless
Hypothesis: same criminal organization? Correlated by identical “Technical Contact Phone Number” in WHOIS information (+81-6-6241-6585)
Do they also spam?
Checked multiple DNS blacklists for a subset of our results: 380 domains tested, 247 still resolved, 134 unique IP addresses
  dnsbl.sorbs.net       Bulk senders            4/134
  spam.dnsbl.sorbs.net  Spam to admins          21/134
  zen.spamhaus.org      Combined DB             10/134
  L2.apews.org          Spam or spam-friendly   42/134
  Listed on 2 or more lists                     12/134
  Listed on 3 or more lists                     2/134
Other DBs tested: spamcop, njabl, manitu, … (0 hits)
Some spamming but not pervasive
  ▪ Mostly coming from parked domains
  ▪ Spam is in Japanese and is not well reported to these DB operators?
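As an added example (not the authors' code), this Python script reproduces the kind of DNSBL check tallied above: it builds the reversed-octet query name for each list named on the slide, treats any answer as “listed” and NXDOMAIN as “not listed”, and counts hits per list and per IP. The resolver is injectable, so the constructed sample (TEST-NET addresses and a fake listing table) runs offline; the default socket.gethostbyname queries the real lists.

```python
import socket
from collections import Counter

# The four lists the slide reports hits against (zone names as given there).
DNSBL_ZONES = ["dnsbl.sorbs.net", "spam.dnsbl.sorbs.net", "zen.spamhaus.org", "l2.apews.org"]

def dnsbl_query_name(ip, zone):
    # A DNSBL is consulted by resolving <reversed IPv4 octets>.<zone>:
    # 192.0.2.10 on zen.spamhaus.org becomes 10.2.0.192.zen.spamhaus.org.
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    # Any A record (conventionally 127.0.0.x, encoding the listing reason)
    # means "listed"; NXDOMAIN surfaces as socket.gaierror and means "not listed".
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False

def tally(ips, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    # Hits per zone plus "listed on >= n lists" counts, as on the slide.
    per_zone, hits_per_ip = Counter(), Counter()
    for ip in ips:
        for zone in zones:
            if is_listed(ip, zone, resolve):
                per_zone[zone] += 1
                hits_per_ip[ip] += 1
    at_least = {n: sum(1 for c in hits_per_ip.values() if c >= n) for n in (1, 2, 3)}
    return dict(per_zone), at_least

# Constructed offline resolver standing in for real DNS: it "lists" two of the
# three TEST-NET addresses so the tally can be checked without network access.
FAKE_LISTINGS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "10.2.0.192.l2.apews.org": "127.0.0.2",
    "20.2.0.192.spam.dnsbl.sorbs.net": "127.0.0.6",
}

def fake_resolve(name):
    if name in FAKE_LISTINGS:
        return FAKE_LISTINGS[name]
    raise socket.gaierror(-2, "Name or service not known")

SAMPLE_IPS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
```

Against real lists, a transient resolver failure also raises socket.gaierror and would be counted as “not listed”, so a production run should retry or log such errors separately.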
Economic incentives of fraudsters, Part 1: Equipment costs
Facilities
  ▪ EeePC (900X): 28,000 yen
  ▪ Yahoo!BB (ADSL 8M): 3,379 yen/month
Rental servers: Maido3.com (Starter Pack)
  ▪ Domain registration fee: FREE
  ▪ Server setup fee: 3,675 yen
  ▪ Advance payment (3 months): 7,350 * 3 = 22,050 yen
DNS registration: OpenDNS
  ▪ Registration fee: FREE
Subtotal: 160,423 yen
Economic incentives of fraudsters, Part 2: Cost of bank accounts/passbooks/legal stamps
Illegally purchased (includes legal stamp): 30,000-50,000 yen
Mail-order banks and internet banks make accounts easier to create due to the lack of physical interaction
Forged bank account names can easily be made, since only the katakana reading is required when wiring money
Subtotal: 40,000 yen
Example of a forged account name:
  白井市蜜粉 (“Shirai City Mitsuko”) submitted at application as the name of the ‘PTA Baking Club of Shirai City’
  The katakana (カタカナ) of the account name is shown only as シライシミツコ (“Shi-Ra-I-Shi-Mi-Tsu-Ko”)
  “Shi-Ra-I-Shi-Mi-Tsu-Ko” can easily be misread as a woman's name, “Shiraishi Mitsuko” (白石光子)
  A forged signed paper is sufficient
Economic incentives of fraudsters, Part 3: Cost of cellphones/landline telephones
Cellphones can be illegally purchased: approx. 35,000 yen
Not traceable if payment (7,685 yen/month) is done at convenience stores or prepaid instead of by bank draft
Telephone numbers such as the popular “Tokyo 03” can easily be transferred to other numbers to evade traceability: 840 yen/month, e.g. Symphonet Services Co.
Subtotal: 137,300 yen/year
Economic incentives of fraudsters, Part 4: Average cost/benefit analysis
Initial investments: 616,517 yen on average (based on our measurements)
  ▪ Initial facilities: 160,423 yen
  ▪ *Bank accounts: 40,000 yen x 5.97 = 238,800 yen
  ▪ *Cellphones/telephones: 137,300 yen x 1.58 = 216,934 yen
Income: 9,094,089 yen / case / year
  ▪ **2.6 bil yen / 2,859 cases = 9,094,089 yen/case
4.4 frauds/organization on average
  ▪ **2,859 cases / 657 persons = 4.351 cases/person
  ▪ Very close to our findings (3.6 websites operated by each organization/person on average)
Organization's income: 39,397,475 yen
  ▪ (9,094,089 * 4.4) – 616,517 = 39,397,475 yen (about $400K!)
Note: Somewhat pessimistic estimate; it only takes into account frauds that were discovered, not all frauds. The actual number is likely to be lower… yet very significant!
*average numbers obtained from network analysis results
**average from police reports of 2004-2008
Economic validation: actual arrests
Date | Prefecture | Criminal organization | Monetary damages (total, yen) | Victims (total) | References
2004/2-2005/04/13 | Osaka | Nakanishi + 5 others | 6 billion | 10,000+ | http://blog.hitachi-net.jp/archives/18867382.html
2004/8-2005/11/08 | Iwate | Mori + 4 others | 0.28 billion | 450+ | http://www.yomiuri.co.jp/net/news/20051108nt03.htm
2005/8-2007/03/04 | Saitama | Matsushita | 0.5 billion | 700+ | http://blog.kogumaneko.tk/log/eid591.html
2006/7-2007/11/28 | Chiba | Ochiai + 6 others | 3 billion | 3,400+ | http://www.yomiuri.co.jp/net/security/s-news/20071128nt0c.htm
2007/7-2008/8/16 | Yamaguchi | Nagaoka + 5 others (2 groups) | 2.4 billion | 3500+ | http://blog.kogumaneko.tk/log/eid1005.html
Police arrest reports disclosed to the media show criminals can earn extremely large amounts of money in roughly 1-2 years
Legal remedies or lack thereof
Hard to prosecute
  ▪ Victim must make a complaint but rarely does so (embarrassment factor)
Low penalty
  ▪ Fraudsters can be sentenced to up to 10 years but generally get less than 5 years
Repeat offenders!
  ▪ Syndicates do it for the thrill, so even if they finish their sentence they have a high repeat rate
  ▪ Once-popular ‘Ore-Ore’ syndicates have finished their 3-4 year sentences in 2009, so a large increase in the same fraud has already been observed by police
Relatively hard to identify
  ▪ DNS servers are overseas; difficult to obtain actual registrant information
  ▪ Telephone numbers use transferring services
  ▪ Barring possession of an arrest warrant, police cannot obtain contact and network information
Case | Arrest | Sentence | Fine (yen)
Osaka | 4/2005 | 2.5 yrs | 2,000,000
Kyoto | 7/2005 | 2.5 yrs | 300,000
Nara | 7/2005 | 2 yrs | 1,000,000
Lawyer Sakurai | 1/2006 | 0 yrs | 300,000
Conclusion
What makes One Click Fraud appealing?
  Fraudsters can readily exploit infrastructure vulnerabilities
  ▪ Lax cellphone registration practices
  ▪ Forwarding services
  ▪ Registrars turning a blind eye
  Economically beneficial: low investment and high income
  Legal penalties are extremely low and not effective at curbing crimes
Who is committing these crimes?
  Repeat offenders (potential criminal organizations?) control a vast majority of the fraudulent sites
  Relatively low technological sophistication, although usage of (relatively simple) malware observed
  Not much evidence of connections to other types of frauds (except for spam), but deserves to be more fully investigated
Possible ways forward
One Click Fraud must be primarily addressed by non-technological means; the economic balance is far too much in favor of fraudsters
Policy
  ▪ Stop registration by use of a DNS blacklist, or pressure DNS resellers
  ▪ Strengthen control over exploitable banks, cellphone contracts, etc.
Law
  ▪ Increase legal actions for traceability of phone numbers
  ▪ Impose higher legal penalties
  ▪ Prison, but more importantly fines, will increase expected attacker costs
Technology
  ▪ Increase IT literacy to avoid people panicking when faced with such threats
Thank you!
Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, CyLab Technical Report CMU-CyLab-10-011. http://www.andrew.cmu.edu/user/nicolasc/papers.html
Amount of Money vs Time
[Figure: Registration Fee vs Time, amount of money (yen, 0 to 200,000) against time from 2006/1/1 to 2009/11/1]
•Registration fees concentrate at 50,000 yen
•Time and Japanese economic conditions do not seem to affect price
Malware: HTA Module
.hta format tool that persistently shows a “Please Pay Registration Fee” window
  ▪ Persistently shows the window even if ‘x’ is clicked and after the PC is rebooted
  ▪ Does not collect data
Cause of the sudden increase of calls to police and the IPA Help Desk in May 2009
First seen on April 7th, 2009; recently seen on Oct 12th, 2009
Many anti-virus applications prevent .hta module downloads from July 2009
Groups could not be distinguished by the collected attributes; other analysis such as .hta module code comparison is required