Dissecting One Click Frauds

Nicolas Christin, CMU INI/CyLab; Sally S. Yanagihara, CMU INI/CyLab; Keisuke Kamataki, CMU CS/LTI

Posted on 19-Dec-2015

What is “One Click Fraud”?

• Pervasive online fraud found in Japan since 2004
• Victim clicks on an (innocuous) HTML link: email, website, or SMS variants
• … only to be told they entered a binding contract …
• … and are required to pay a nominal fee or “legal actions” would be taken

One Click Contracts/Frauds, Wikipedia: http://ja.wikipedia.org/wiki/ワンクリック詐欺

Why do victims pay?

• Show the victim’s IP address and a notice that “contact information has been recorded”
• Show the victim a sample of the billing statement that will be sent to their home (postcard with pornographic picture)
• Fear of loss of reputation!

One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html

Problem importance

• Quite large monetary impact: roughly 2.6 billion yen (~30 million US dollars) annually since 2004*
• Disclosure of the victim’s private information and payment: both are leaked within the underground community and expose victims to more frauds**
• Actual market size, damages, and number of victims are unknown due to the embarrassment factor; only 2,859 cases (657 arrests) are solved each year

*Japan Police Force Annual Report 2004-2009
**http://journal.mycom.co.jp/articles/2009/04/24/adultsite1/index.html

A persisting plague

• Incidents filed with the police show a rise since the fraud’s emergence in 2004
• IPA Helpdesk shows a record high for “One Click Fraud”
• Although shown effective in 2007, police efforts and mandated laws are not applicable measures for fraud prevention today

[Figures: Monetary Damages (million yen), Arrest Cases, and Arrested Persons, by year 2004-2009 (2009: Jan-Oct); Calls to IPA relative to One Click Frauds, by month, Aug-2005 to Oct-2009]

Japan Police Force Annual Report 2004-2009

Research questions

• What makes One Click Fraud easy to perpetrate?
▪ What vulnerabilities do we have in our infrastructure?
▪ How are criminals exploiting those vulnerabilities?
• Who is committing these crimes? “Random crooks”, or … is there evidence of any organized criminal activity?
▪ Do they operate in groups?
▪ Can they be linked to other forms of online crime?
• How should we address this problem?
▪ Technological vs. economical vs. legal remedies

Collecting instances of One Click Frauds

Source of data: “vigilante” websites posting information about frauds

• 2 Channel (2ちゃんねる 掲示板), http://society6.2ch.net/test/read.cgi/police/1215642976
▪ Japan’s largest BBS; provides information on multiple topics, we focus on the ‘One Click Fraud’ posts
▪ Potential difficulty: posts are made in natural language, with lots of noise, and are potentially hard to parse automatically
• Koguma-neko Teikoku (こぐまねこ帝国), http://kogumaneko.tk/
▪ Privately owned website providing consumer information and Internet-related helpdesks
▪ Structured reports, parsing easy
• Wan-Cli Zukan (ワンクリ図鑑), http://zukan.269g.net/
▪ Privately owned website posting specifically One Click Fraud websites
▪ Structured reports, parsing easy

Data collection methodology

Strip reports of the following attributes and store them in a MySQL database:
• URL
• Bank account ID
• Bank account name*
• Bank branch name
• Bank name
• Phone number
• DNS information
▪ Registrar info
▪ Double DNS / reverse-DNS lookup
• Required amount

Unforgeable attributes*

[2ch Example] *The bank account owner’s name can be falsified, but the account itself is genuine (not false)

Two-dimensional analysis

1. Look for patterns across frauds in:
▪ DNS information (registrars, name servers)
▪ Phone numbers used
▪ Bank accounts used
▪ Fraud amount

2. Draw correlations to link several frauds to the same perpetrators
▪ Website 1 and Website 2: common bank account!

Fraud amount (top 10 most common)

[Figure: Syndicate's Registration Fee (Top 10), website count by amount of money (yen): 5,000; 35,000; 40,000; 45,000; 50,000; 55,000; 60,000; 80,000; 90,000; 100,000]

• Registration fees are primarily at 50,000 yen (USD $500)
• Matches the average Japanese businessman’s monthly allowance* (45,600 yen)!

*In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.

Phone numbers used

[Figure: Syndicate's Telephone Share: au 38.6%, Softbank 23.3%, Tokyo Pref. 16.5%, Free Dial 10.5%, Docomo 10.3%, Osaka Pref. 0.4%, Hyogo Pref. 0.4%, Gunma Pref. 0.2%]
[Figure: Japan Cellphone Market Share 2009: NTT Docomo 48.5%, au 27.4%, Softbank 18.5%, Willcom 4.0%, eMobile 1.5%]

• “au (by KDDI)” may have lax restrictions for new contracts
• Tokyo ’03-***’ numbers may be numbers using transfer services

Fraudsters’ phone numbers

Bank accounts used

• No “smoking gun” here
• Internet banks make it easier to create bank accounts since there is no physical interaction, so they are more prone to abuse

[Figure: Syndicate's Bank Count (Top 10): Seven Bank 17%, Mizuho Bank 16%, Mitsui Sumitomo Bank 14%, Shinsei Bank 13%, Mitsubishi Tokyo UFJ Bank 12%, Tokyo Tomin Bank 8%, Risona Bank 6%, Tokyo Star Bank 6%, eBank 4%, Japan Net Bank 4%]
[Figure: Japan Bank Market 2009 (Top 8): Japan Post Bank Co. 26%, Mitsui (Tokyo) UFJ Financial Group 25%, Mizuho Financial Group 20%, Sumitomo Mitsui Financial Group 16%, Risona Holdings Inc. 5%, Sumitomo Trust & Banking Co. 3%, Chuou Mitsui Trust & Banking Co. 2%, Shinsei Bank 2%, Aozora Bank 1%]

Bank accounts used in frauds

DNS registrars

[Figure: Syndicate's Top 10 Registrar: ENOM, INC. 56%, GMO INTERNET, INC. 20%, ABOVE, INC. 6%, GODADDY.COM, INC. 5%, TUCOWS INC. 4%, KEY-SYSTEMS GMBH 3%, NEW DREAM NETWORK, LLC 2%, ABDOMAINATIONS 1%, ALLEARTHDOMAINS 1%, DOTSTER 1%, MONIKER 1%]
[Figure: Global Top 10 Registrar: GO DADDY 40%, ENOM INC. 11%, TUCOWS 9%, NETWORK SOLUTIONS 8%, SCHLUND+PARTNER 6%, MELBOURNE IT 6%, WILD WEST DOMAINS 4%, MONIKER 3%, REGISTER.COM 3%, PUBLIC DOMAIN REGISTRY 3%, KEY-SYSTEMS 2%, XINNET.COM 2%, ONLINENIC 1%, FABULOUS.COM 1%, DOTSTER 1%]

• Evidence of a bias
• Is this due to lack of enforcement? Questionable subcontracting? (Resellers)

Fraudulent websites’ registrars

DNS resellers/Web hosting services

[Figure: Syndicate's DNS Resellers, site count per DNS reseller/name server: the four largest account for 37, 16, 12 and 8 sites, every other reseller for 3 or fewer]

• The fraudsters’ choice of DNS reseller can be determined by grouping name servers
• Very often these resellers also offer web hosting services
▪ Maido3.com is a reseller of TuCows Inc
▪ Value-Domain.com is a reseller of Enom Inc
▪ DreamHost.com is a reseller/branch of New Dream Network LLC

Intermediate summary

1. Look for patterns across frauds in: registration fee, phone numbers, bank accounts, DNS registrar

• Fraud amount
▪ Grouped at 50,000 yen
▪ Not affected by time or by Japanese economic conditions
• Cellphones, telephones
▪ “au (KDDI)” brand cellphones may have lax contracting restrictions
▪ Tokyo “03-**” numbers are probably due to phone number transfer services
• Bank accounts
▪ No “smoking gun”
▪ Internet banks make it easier to create fraud accounts, possibly due to the absence of physical interaction
• DNS registrars and web hosting services
▪ Biased to specific DNS vendors
▪ DNS vendor resellers can be found from the registered name server

Linking different frauds to the same groups

Linking attributes: phone number, account ID, URL

Organized criminal groups

• Identified (at most) 105 organized criminal groups
• On average, each group maintains 4.65 websites, 6.65 bank accounts, 2.01 phone numbers
• A few “syndicates” seem responsible for most of the frauds
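To make the linking step concrete, here is an added example (not the authors' collection code) that parses constructed structured reports into the attributes listed under the data collection methodology, unions websites that share an unforgeable attribute as the two-dimensional analysis does, and reports websites, bank accounts and phone numbers per group. The report format, domains, account IDs, owner names and phone numbers are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed reports in the style of the structured vigilante sites, one record per line;
# domains use the reserved .test TLD, account IDs, owner names and phone numbers are invented.
RAW_REPORTS = """\
url=http://site-a.test/ bank=Seven Bank branch=Nakano account=1234567 owner=Suzuki phone=090-0000-0001 amount=50000
url=http://site-b.test/ bank=Mizuho Bank branch=Shibuya account=7654321 owner=Tanaka phone=090-0000-0001 amount=50000
url=http://site-c.test/ bank=Seven Bank branch=Nakano account=1234567 owner=Sato phone=03-0000-0002 amount=45000
url=http://site-d.test/ bank=Shinsei Bank branch=Honten account=1111111 owner=Suzuki phone=080-0000-0003 amount=50000
"""
FIELD_RE = re.compile(r"(\w+)=([^=]+?)(?=\s\w+=|$)")

def parse_reports(text):
    """Split each report line into a dict of the attributes the methodology slide lists."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def link_keys(report):
    """Unforgeable attributes only: the owner name can be falsified, so it is not a key."""
    return ["account:" + report["bank"] + "/" + report["account"], "phone:" + report["phone"]]

class DisjointSet:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def link_groups(reports):
    """Sites sharing a key, directly or through a chain of shared keys, form one group."""
    ds = DisjointSet()
    for r in reports:
        for key in link_keys(r):
            ds.union(r["url"], key)
    groups = defaultdict(list)
    for r in reports:
        groups[ds.find(r["url"])].append(r)
    return list(groups.values())

def group_stats(groups):
    """Websites, distinct bank accounts and distinct phones per group, plus the averages."""
    rows = []
    for g in groups:
        keys = {k for r in g for k in link_keys(r)}
        rows.append({"websites": len({r["url"] for r in g}),
                     "accounts": sum(k.startswith("account:") for k in keys),
                     "phones": sum(k.startswith("phone:") for k in keys)})
    avg = {f: sum(r[f] for r in rows) / len(rows) for f in ("websites", "accounts", "phones")} if rows else {}
    return rows, avg
```

In the sample, site-a and site-b share a phone number and site-a and site-c share a bank account, so the three form one group while site-d stays alone.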

[Figure: Maintained Websites per Syndicate, number of maintained sites by group (G1 to G104, sorted descending): the two largest groups maintain 56 and 33 sites, followed by 23, 20, 20, 17 and 16]

“Trojan.HachiLem” malware

• A family of scams actually contains some malware (in the form of a downloadable “video”)
• Trojan in .exe format
▪ Collects email addresses from Outlook Express and Becky!
▪ Sends the information back to the “hachimitsu-lemon.com” server (which has been taken down for a while)
▪ Information used to blackmail victims, notifying them that they “owe” registration fees
• Recently seen on Oct 26th, 2009
• “Relatively” harmless
• Hypothesis: same criminal organization? Correlated by an identical “Technical Contact Phone Number” in WHOIS information (+81-6-6241-6585)

Do they also spam?

• Checked multiple DNS blacklists for a subset of our results: 380 domains tested, 247 still resolved, 134 unique IP addresses
• Other DBs tested: spamcop, njabl, manitu, … (0 hits)
• Some spamming, but not pervasive
▪ Mostly coming from parked domains
▪ Spam is in Japanese and is not well reported to these DB operators?

DNSBL                  Category                Listed IPs
dnsbl.sorbs.net        Bulk senders            4/134
spam.dnsbl.sorbs.net   Spam to admins          21/134
zen.spamhaus.org       Combined DB             10/134
L2.apews.org           Spam or spam-friendly   42/134
Listed in 2 or more                            12/134
Listed in 3 or more                            2/134
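The blacklist check behind the table, as an added example rather than the authors' script: it builds the reversed-octet DNSBL query name, treats a 127.0.0.x answer as a listing, and tallies per-list hits plus the “2 or more” / “3 or more” overlaps. DNS resolution is injected so it runs offline against a constructed resolver; the addresses and listings are invented.

```python
from collections import Counter

# The four DNS blacklists queried on the slide, in the slide's spelling.
DNSBLS = ["dnsbl.sorbs.net", "spam.dnsbl.sorbs.net", "zen.spamhaus.org", "L2.apews.org"]

def dnsbl_query_name(ip, zone):
    """An address a.b.c.d is looked up in zone Z as d.c.b.a.Z (octets reversed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def check_ips(ips, zones, resolve):
    """Return {ip: [zones that list it]}. resolve(name) gives the A records of a name
    or [] for NXDOMAIN. A DNSBL answers 127.0.0.x when the address is listed; other
    answers (e.g. the 127.255.255.x error codes Spamhaus returns) are not listings."""
    listed = {}
    for ip in ips:
        listed[ip] = [z for z in zones
                      if any(a.startswith("127.0.0.") for a in resolve(dnsbl_query_name(ip, z)))]
    return listed

def summarize(listed):
    """Hits per zone plus the '2 or more' / '3 or more' cross-list counts from the slide."""
    summary = Counter()
    for hits in listed.values():
        summary.update(hits)
        if len(hits) >= 2:
            summary["2 or more"] += 1
        if len(hits) >= 3:
            summary["3 or more"] += 1
    return dict(summary)

# Constructed stand-in for DNS so the example runs offline: addresses come from the
# RFC 5737 documentation ranges and the listings are invented for this example.
_FAKE_ZONE_DATA = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.L2.apews.org": ["127.0.0.2"],
    "7.100.51.198.spam.dnsbl.sorbs.net": ["127.0.0.6"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],
    "7.100.51.198.L2.apews.org": ["127.0.0.2"],
}

def fake_resolve(name):
    return _FAKE_ZONE_DATA.get(name, [])

SAMPLE_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.99"]  # as if resolved from tested domains

def run_sample():
    return summarize(check_ips(SAMPLE_IPS, DNSBLS, fake_resolve))
```

For a live run, pass a resolver such as `lambda n: socket.gethostbyname_ex(n)[2]` wrapped to return `[]` on `socket.gaierror`, and mind the lists' usage terms and query limits.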

Economic incentives of fraudsters, Part 1: Equipment costs

• Facilities
▪ EeePC (900X): 28,000 yen
▪ Yahoo!BB (ADSL 8M): 3,379 yen/month
• Rental servers: Maido3.com (Starter Pack)
▪ Domain registration fee: FREE
▪ Server setup fee: 3,675 yen
▪ Advance payment (3 months): 7,350 x 3 = 22,050 yen
• DNS registration: OpenDNS
▪ Registration fee: FREE

Subtotal: 160,423 yen

Economic incentives of fraudsters, Part 2: Cost of bank account/books/legal stamps

• Illegally purchased (includes legal stamp): 30,000-50,000 yen
• Accounts at mail-order banks and internet banks are easier to create due to the lack of physical interaction
• Forged bank account names can easily be made, since only the katakana reading is required when wiring money

Subtotal: 40,000 yen

• 白井市蜜粉 (“Shirai City Mitsuko”) was submitted at application as the name for the ‘PTA Baking Club of Shirai City’
• The katakana (カタカナ) of the account name is shown only as シライシミツコ, “Shi-Ra-I-Shi-Mi-Tsu-Ko”
• “Shi-Ra-I-Shi-Mi-Tsu-Ko” can easily be mistaken for a woman’s name, “Shiraishi Mitsuko” (白石光子)
• A forged signed paper is sufficient

Economic incentives of fraudsters, Part 3: Cost of cellphones/landline telephones

• Cellphones can be illegally purchased: approx. 35,000 yen
• Non-traceable if payment (7,685 yen/month) is done at convenience stores or prepaid, instead of by bank draft
• Telephone numbers such as the popular “Tokyo 03” can easily be transferred to other numbers to evade traceability: 840 yen/month (e.g. Symphonet Services Co.)

Subtotal: 137,300 yen/year

Economic incentives of fraudsters, Part 4: Average cost/benefit analysis

• Initial investments: 616,517 yen on average (based on our measurements)
▪ Initial facilities: 160,423 yen
▪ *Bank accounts: 40,000 yen x 5.97 = 238,800 yen
▪ *Cellphones/telephones: 137,300 yen x 1.58 = 216,934 yen
• Income: 9,094,089 yen / case / year
▪ **2.6 billion yen / 2,859 cases = 9,094,089 yen/case
• 4.4 frauds/organization on average
▪ **2,859 cases / 657 persons = 4.351 cases/person
▪ Very close to our findings (3.6 websites operated by each organization/person on average)
• Organization’s income: 39,397,475 yen
▪ (9,094,089 x 4.4) – 616,517 = 39,397,475 yen (about $400K!)

Note: a somewhat pessimistic estimate, since it only takes into account frauds that were discovered, not all frauds. The actual number is likely to be lower … yet very significant!

*Average numbers obtained from network analysis results
**Averages from police reports of 2004-2008
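Recomputing the cost/benefit figures of Parts 1-4 from the line items printed on the slides, as an added check rather than the authors' own spreadsheet; every input is a value the slides state, and the two places where the arithmetic does not reproduce a printed figure are noted in comments. The break-even count is an addition not on the slides.

```python
import math

def facilities_per_year(pc=28_000, adsl_month=3_379, setup=3_675, server_month=7_350):
    """Part 1: EeePC, 12 months of ADSL, server setup, 12 months of rental server."""
    return pc + 12 * adsl_month + setup + 12 * server_month  # 160,423, as on the slide

def bank_account_cost(low=30_000, high=50_000):
    """Part 2: illegally purchased account; the slide takes the midpoint of the range."""
    return (low + high) // 2  # 40,000, as on the slide

def phones_per_year(handset=35_000, cell_month=7_685, forward_month=840):
    """Part 3: bought handset, 12 months of prepaid service, 12 months of '03' forwarding."""
    return handset + 12 * cell_month + 12 * forward_month  # 137,300, as on the slide

def initial_investment(accounts_per_group=5.97, phones_per_group=1.58):
    """Part 4: the three subtotals weighted by the measured per-group counts.
    The parts sum to 616,157; the slide prints 616,517 (two digits transposed)."""
    return (facilities_per_year()
            + round(bank_account_cost() * accounts_per_group)   # 238,800
            + round(phones_per_year() * phones_per_group))      # 216,934

def income_per_case(damages_per_year=2_600_000_000, solved_cases=2_859):
    """Part 4: police-reported annual damages spread over the solved cases.
    Evaluates to 909,409 yen; the slide prints 9,094,089, which is this quotient
    times ten, so the slide's per-organisation income is ten times this model's."""
    return round(damages_per_year / solved_cases)

def organisation_net_income(cases_per_org=4.4):
    """Gross income over the average cases per organisation, less the investment."""
    return round(income_per_case() * cases_per_org) - initial_investment()

def break_even_cases():
    """How many paid cases recover the whole initial investment."""
    return math.ceil(initial_investment() / income_per_case())
```

Even with the corrected quotient, a single paid case more than covers the initial investment, which is the point the slide's estimate makes.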

Economic validation: actual arrests

Date               Prefecture  Criminal organization          Monetary damages (total, yen)  Victims (total)  References
2004/2-2005/04/13  Osaka       Nakanishi + 5 others           6 billion                      10,000+          http://blog.hitachi-net.jp/archives/18867382.html
2004/8-2005/11/08  Iwate       Mori + 4 others                0.28 billion                   450+             http://www.yomiuri.co.jp/net/news/20051108nt03.htm
2005/8-2007/03/04  Saitama     Matsushita                     0.5 billion                    700+             http://blog.kogumaneko.tk/log/eid591.html
2006/7-2007/11/28  Chiba       Ochiai + 6 others              3 billion                      3,400+           http://www.yomiuri.co.jp/net/security/s-news/20071128nt0c.htm
2007/7-2008/8/16   Yamaguchi   Nagaoka + 5 others (2 groups)  2.4 billion                    3,500+           http://blog.kogumaneko.tk/log/eid1005.html

Police arrest reports disclosed to the media show that criminals can earn extremely large amounts of money in roughly 1-2 years

Legal remedies, or lack thereof

• Hard to prosecute
▪ Victims must file a complaint but rarely do so (embarrassment factor)
• Low penalty
▪ Fraudsters can be sentenced to up to 10 years, but generally get less than 5 years
• Repeat offenders!
▪ Syndicates do it for the thrill, so even after finishing their sentence they have a high repeat rate
▪ Once-popular ‘Ore-Ore’ syndicates have finished their 3-4 year sentences in 2009, so a large increase in the same fraud has already been observed by the police
• Relatively hard to identify
▪ DNS servers are overseas; difficult to obtain actual registrant information
▪ Telephone numbers use transferring services
▪ Barring possession of an arrest warrant, police cannot obtain contact and network information

Cases            Arrest  Sentence  Fine (yen)
Osaka            4/2005  2.5 yrs   2,000,000
Kyoto            7/2005  2.5 yrs   300,000
Nara             7/2005  2 yrs     1,000,000
Lawyer Sakurai   1/2006  0 yrs     300,000

Conclusion

• What makes One Click Fraud appealing?
▪ Fraudsters can readily exploit infrastructure vulnerabilities: lax cellphone registration practices, forwarding services, registrars turning a blind eye
▪ Economically beneficial, since low investment and high income
▪ Legal penalties are extremely low and not effective at curbing these crimes
• Who is committing these crimes?
▪ Repeat offenders (potential criminal organizations?) control the vast majority of the fraudulent sites
▪ Relatively low technological sophistication, although usage of (relatively simple) malware was observed
▪ Not much evidence of connections to other types of fraud (except for spam), but this deserves to be more fully investigated

Possible ways forward

• One Click Fraud must primarily be addressed by non-technological means: the economic balance is far too much in favor of the fraudsters
• Policy
▪ Stop registration by use of DNS blacklists, or pressure DNS resellers
▪ Strengthen control over exploitable banks, cellphone contracts, etc.
• Law
▪ Increase legal actions for traceability of phone numbers
▪ Impose higher legal penalties: prison, but more importantly fines, will increase expected attacker costs
• Technology
▪ Increase IT literacy to avoid people panicking when faced with such threats

Thank you!

Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, CyLab Technical Report CMU-CyLab-10-011. http://www.andrew.cmu.edu/user/nicolasc/papers.html

Registration Fee vs Time

[Figure: Amount of Money vs Time, amount of money (yen, 0 to 200,000) against time, 2006/1/1 to 2009/11/1]

• Registration fees concentrate at 50,000 yen
• Time and Japanese economic conditions do not seem to affect the price

Malware: HTA module

• .hta format tool that persistently shows a “Please Pay Registration Fee” window
▪ Persistently shows the window even if ‘x’ is clicked and after the PC is rebooted
▪ Does not collect data
• Cause of the sudden increase in calls to the police and the IPA Help Desk in May 2009
• First seen on April 7th, 2009; recently seen on Oct 12th, 2009
• Many anti-virus applications have prevented .hta module downloads since July 2009
• Groups could not be distinguished by the collected attributes; other analysis, such as .hta module code comparison, is required