Dissecting One Click Fraud

Transcript Dissecting One Click Fraud

Nicolas Christin, CMU INI/CyLab
Sally S. Yanagihara, CMU INI/CyLab
Keisuke Kamataki, CMU CS/LTI
Pervasive online fraud found in Japan since 2004
• Victim clicks on an (innocuous) HTML link
  ▪ email, website, or SMS variants
• … only to be told they entered a binding contract…
• … and are required to pay a nominal fee or “legal actions” would be taken

One Click Contracts/Frauds, Wikipedia http://ja.wikipedia.org/wiki/ワンクリック詐欺
Fear of loss of reputation!
• Show IP address and a notice that “contact information has been recorded”
• Show the victim a sample of the billing statement that will be sent to the home (postcard with pornographic picture)
One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html

Quite large monetary impact
• Roughly 2.6 billion yen (~30 million US dollars) annually since 2004*
• Victims’ private information and payment details are leaked within the underground community, which exposes victims to more frauds**
• Actual market size, damages, and number of victims are unknown due to embarrassment factor
• Only 2,859 cases (657 arrests) are solved each year
*Japan Police Force Annual Report 2004-2009
**http://journal.mycom.co.jp/articles/2009/04/24/adultsite1/index.html
Monetary Damages

[Charts, source Japan Police Force Annual Report 2004-2009: Monetary Damages in Million Yen per year (2004-2009); Arrest Cases per year (2006-2009, with 2009 covering Jan-Oct); Arrested Persons per year (2004-2009); Calls to IPA Relative to One Click Frauds, Aug-2005 to Oct-2009, calls per month]

• Filed incidents to police show a rise since emergence in 2004
• IPA Helpdesk shows a record high for “One Click Fraud”
• Although shown effective in 2007, police efforts and mandated laws are not applicable measures for fraud prevention today

What makes One Click Fraud easy to perpetrate?
• What vulnerabilities do we have in our infrastructure?
• How are criminals exploiting those vulnerabilities?

Who is committing these crimes?
• “Random crooks”, or…
• … is there evidence of any organized criminal activity?
  ▪ Do they operate in groups?
  ▪ Can they be linked to other forms of online crime?

How should we address this problem?
  ▪ Technological vs. economical vs. legal remedies

Source of data: “vigilante” websites posting information about frauds

2 Channel (2ちゃんねる 掲示板) http://society6.2ch.net/test/read.cgi/police/1215642976
• Japan’s largest BBS provides information on multiple topics
• We focus on the ‘One Click Fraud’ posts
• Potential difficulty: posts made using natural language, lots of noise, potentially hard to parse automatically

Koguma-neko Teikoku (こぐまねこ帝国) http://kogumaneko.tk/
• Privately owned website providing consumer information and Internet-related helpdesks
• Structured reports, parsing easy

Wan-Cli Zukan (ワンクリ図鑑) http://zukan.269g.net/
• Privately owned website posting specifically One Click Fraud websites
• Structured reports, parsing easy

Strip reports of the following attributes and store them into a MySQL database
• URL
• Bank account ID
• Bank account name*
• Bank branch name
• Bank name
• Phone number
• DNS information
• Required amount

Unforgeable attributes*
  ▪ Registrar info
  ▪ Double DNS / reverse DNS lookup

[2ch Example]

*Bank account owner’s name can be falsified but the account is genuine (not false)
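As an added example (not the authors' collection code), the following Python parses one structured report into the attributes listed above, runs the double DNS / reverse DNS lookup on the site's host through a pluggable resolver, and stores the row with a parameterised insert. The "key: value" report layout, the host names, the addresses and the resolver answers are constructed, and sqlite3 stands in for the MySQL database named on the slide.

```python
"""Added example (not the authors' pipeline): parse a structured report into the
attributes above, run the double DNS / reverse DNS check, and store the row.
The "key: value" layout, host names, addresses and resolver answers are
constructed; sqlite3 stands in for the MySQL database the slides name."""
import re
import socket
import sqlite3
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample report in a hypothetical "key: value" layout.
SAMPLE_REPORT = """\
URL: http://movie.example/enter.html
Bank: Example Bank
Branch: Shinjuku
Account ID: 1234567
Account Name: シライシミツコ
Phone: 03-0000-0000
Amount: 50,000 yen
"""
# Constructed resolver answers so the example runs offline.
FAKE_FORWARD = {"movie.example": ["192.0.2.10"], "host10.hosting.example": ["192.0.2.10"]}
FAKE_REVERSE = {"192.0.2.10": "host10.hosting.example"}

@dataclass
class FraudReport:
    url: str
    bank_name: str
    bank_branch: str
    account_id: str
    account_name: str
    phone: str
    amount_yen: int
    host: str = ""                                    # derived from url
    forward_ips: List[str] = field(default_factory=list)
    dns_consistent: Optional[bool] = None             # double-lookup result

KEYS = {"URL": "url", "Bank": "bank_name", "Branch": "bank_branch",
        "Account ID": "account_id", "Account Name": "account_name", "Phone": "phone"}

def parse_report(text: str) -> FraudReport:
    """Split 'key: value' lines into attributes; the amount becomes an int in yen."""
    fields, amount = {}, 0
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Amount":
            amount = int(re.sub(r"\D", "", value))    # "50,000 yen" -> 50000
        elif key in KEYS:
            fields[KEYS[key]] = value
    rep = FraudReport(amount_yen=amount, **fields)
    rep.host = urlparse(rep.url).hostname or ""
    return rep

def double_dns_check(host: str, forward: Callable[[str], List[str]],
                     reverse: Callable[[str], Optional[str]]) -> Tuple[List[str], bool]:
    """Forward-resolve the host, reverse-resolve each address, and require the PTR
    name to resolve back to that address. The PTR side is set by the address
    holder rather than by whoever registered the domain, which is why the slides
    file this lookup under unforgeable attributes."""
    ips = forward(host)
    if not ips:
        return ips, False
    for ip in ips:
        ptr = reverse(ip)
        if ptr is None or ip not in forward(ptr):
            return ips, False
    return ips, True

def system_forward(host: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []

def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

SCHEMA = """CREATE TABLE IF NOT EXISTS fraud_report (url TEXT, host TEXT, bank_name TEXT,
    bank_branch TEXT, account_id TEXT, account_name TEXT, phone TEXT, amount_yen INTEGER,
    forward_ips TEXT, dns_consistent INTEGER)"""

def store_report(conn: sqlite3.Connection, rep: FraudReport) -> int:
    """Insert one parsed report with a parameterised query; returns the row count."""
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO fraud_report VALUES (?,?,?,?,?,?,?,?,?,?)",
                 (rep.url, rep.host, rep.bank_name, rep.bank_branch, rep.account_id,
                  rep.account_name, rep.phone, rep.amount_yen, ",".join(rep.forward_ips),
                  None if rep.dns_consistent is None else int(rep.dns_consistent)))
    return conn.execute("SELECT COUNT(*) FROM fraud_report").fetchone()[0]

def process(text: str, forward=system_forward, reverse=system_reverse) -> FraudReport:
    """Parse, verify DNS, store in an in-memory database; returns the report."""
    rep = parse_report(text)
    rep.forward_ips, rep.dns_consistent = double_dns_check(rep.host, forward, reverse)
    store_report(sqlite3.connect(":memory:"), rep)
    return rep

if __name__ == "__main__":
    print(process(SAMPLE_REPORT, lambda h: FAKE_FORWARD.get(h, []), FAKE_REVERSE.get))
```

Calling process() without the two lambdas uses the system resolver; the parsed account name is stored verbatim because, as the footnote says, it can be falsified and must not be used as a linking key on its own.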
1. Look for patterns across frauds in:
   • Fraud amount
   • Bank accounts used
   • Phone numbers used
   • DNS information (registrars, name servers)
2. Draw correlations to link several frauds to the same perpetrators
   [Diagram: Website 1 and Website 2 share a common bank account!]

Registration fees are primarily at 50,000 yen (USD $500)
• Matches the average Japanese businessman’s monthly allowance* (45,600 yen)!

[Bar chart: Syndicate's Fraud Registration Fee (top 10 most common amounts), website count per amount of money in yen, amounts ranging from 5,000 to 100,000 yen; the most common amount accounts for 283 websites, the next for 142]

*In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.
Fraudsters’ phone numbers

[Pie charts]
Syndicate's Telephone Share        Japan Cellphone Market Share 2009
au           38.6%                 NTT Docomo   48.5%
Softbank     18.5%                 au           27.4%
Tokyo Pref.  16.5%                 Softbank     23.3%
Free Dial    10.5%
Docomo       10.3%
Willcom       4.0%
eMobile       1.5%
Hyogo Pref.   0.4%
Osaka Pref.   0.4%
Gunma Pref.   0.2%

• “au (by KDDI)” may have lax restrictions for new contracts
• Tokyo ’03-***’ numbers may be numbers using transfer services
Bank accounts used in frauds

[Pie charts: Syndicate's Bank Count (Top 10): Seven Bank 17%, Mizuho Bank 16%, Mitsui Sumitomo Bank 14%, Shinsei Bank 13%, Mitsubishi Tokyo UFJ Bank 12%, Tokyo Tomin Bank 8%, Tokyo Star Bank 6%, Risona Bank 6%, JapanNet Bank 4%, eBank 4%, Sumitomo Trust & Banking Co. 3%, Chuou Mitsui Trust & Banking Co. 2%. Japan Bank Market 2009 (Top 8): Japan Post Bank Co. 26%, Mitsui (Tokyo) UFJ Financial Group 25%, Mizuho Financial Group 20%, Sumitomo Mitsui Financial Group 16%, Risona Holdings Inc. 5%, Shinsei Bank 2%, Aozora Bank 1%]

No “smoking gun” here
• Internet banks make it easier to create bank accounts since there is no physical interaction
  ▪ More prone to abuse
Top 10 registrars

[Pie charts: Syndicate's fraudulent websites’ registrar vs Global Top 10 Registrar. Largest slices, syndicate: ENOM, INC. 56%, GMO INTERNET, INC. 20%, ABOVE, INC. 6%, GODADDY.COM, INC. 5%, WILD WEST DOMAINS 4%; global: GO DADDY 40%, ENOM INC. 11%, TUCOWS 9%, NETWORK SOLUTIONS 8%, MELBOURNE IT 6%, SCHLUND+PARTNER 6%. Smaller slices (1-4% each): TUCOWS INC., KEY-SYSTEMS GMBH, PUBLIC DOMAIN REGISTRY, REGISTER.COM, MONIKER, NEW DREAM NETWORK, LLC, XINNET.COM, DOTSTER, ONLINENIC, FABULOUS.COM, ALLEARTHDOMAINS, ABDOMAINATIONS]

Evidence of a bias
• Is this due to lack of enforcement?
• Questionable subcontracting? (Resellers)
Fraudsters’ choice of DNS reseller can be identified by grouping name servers
• Maido3.com is a reseller of TuCows Inc
• Value-Domain.com is a reseller of Enom Inc
• DreamHost.com is a reseller/branch of New Dream Network LLC
• Resellers very often also offer web hosting services

[Bar chart: Syndicate's DNS Resellers / Name Servers, count of sites per name-server domain; value-domain.com 37, maido3.com 16, dreamhost.com 12, the next domain 8, then a long tail of domains with 3, 2 or 1 sites each]
1. Look for patterns across frauds in: Registration Fee, Bank Accounts, Phone Numbers, DNS Registrar

Fraud amount
• Grouped at 50,000 yen
• Not affected by time or by Japanese economic conditions

Cellphones, Telephones
• “au (KDDI)” brand cellphones may have lax contracting restrictions
• Tokyo “03-**” numbers probably due to phone number transfer services

Bank accounts
• No “smoking gun”
• Fraudulent accounts are easier to create at Internet banks, possibly due to no physical interaction

DNS Registrars and web hosting services
• Biased to specific DNS vendors
• DNS vendor resellers can be found by registered Name Server
[Diagram: websites linked through shared URL, account ID and phone number]

Maintained Websites per Syndicate

[Bar chart: number of maintained sites by group; the largest groups maintain 56, 33, 23, 20, 17, 16 and 11 sites, the rest maintain 9 or fewer, most of them between 1 and 5]

• Identified (at most) 105 organized criminal groups
• On average, each group maintains 4.65 websites, 6.65 bank accounts, 2.01 phone numbers
• A few “syndicates” seem responsible for most of the frauds
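The linking in step 2 and the per-syndicate figures above, as an added example rather than the authors' network-analysis code: sites are joined into one group whenever they share a bank account or a phone number (transitively, so A~B by account and B~C by phone puts A, B and C together), per-group averages are computed, and name servers are mapped to the resellers the slides name. The records, the URLs and the name-server suffix table are constructed; the reseller-to-registrar pairs are the ones stated above.

```python
"""Added example (not the authors' code): link fraud sites into groups through
shared attributes, summarise the groups, and attribute name servers to resellers.
Records, URLs and the name-server suffix table are constructed."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Constructed records: one row per reported fraud site.
RECORDS = [
    {"url": "http://site-a.example", "account": "ACC-1", "phone": "090-0000-0001", "ns": "ns1.value-domain.example"},
    {"url": "http://site-b.example", "account": "ACC-1", "phone": "090-0000-0002", "ns": "ns1.value-domain.example"},
    {"url": "http://site-c.example", "account": "ACC-2", "phone": "090-0000-0002", "ns": "ns2.maido3.example"},
    {"url": "http://site-d.example", "account": "ACC-3", "phone": "090-0000-0003", "ns": "ns1.dreamhost.example"},
    {"url": "http://site-e.example", "account": "ACC-4", "phone": "090-0000-0003", "ns": "ns1.dreamhost.example"},
    {"url": "http://site-f.example", "account": "ACC-5", "phone": "090-0000-0005", "ns": "ns9.other.example"},
]
# Attributes that tie two sites to one operator. A name server is deliberately
# not one of them: a reseller serves many unrelated customers, so sharing it
# would merge strangers into one "syndicate".
LINK_FIELDS = ("account", "phone")
# Hypothetical name-server suffix -> reseller; reseller -> registrar as the slides state.
NS_SUFFIX_TO_RESELLER = {"value-domain.example": "Value-Domain.com",
                         "maido3.example": "Maido3.com",
                         "dreamhost.example": "DreamHost.com"}
RESELLER_TO_REGISTRAR = {"Maido3.com": "TuCows Inc", "Value-Domain.com": "Enom Inc",
                         "DreamHost.com": "New Dream Network LLC"}

class UnionFind:
    """Disjoint sets over site URLs with path halving."""
    def __init__(self):
        self.parent: Dict[str, str] = {}

    def add(self, x: str) -> None:
        self.parent.setdefault(x, x)

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def link_sites(records: Iterable[dict], link_fields=LINK_FIELDS) -> List[Set[str]]:
    """Two sites land in the same group when they share any value of a linking
    field; groups are returned largest first."""
    records = list(records)
    uf = UnionFind()
    first_seen: Dict[tuple, str] = {}          # (field, value) -> first url carrying it
    for rec in records:
        uf.add(rec["url"])
        for f in link_fields:
            key = (f, rec[f])
            if key in first_seen:
                uf.union(first_seen[key], rec["url"])
            else:
                first_seen[key] = rec["url"]
    groups: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        groups[uf.find(rec["url"])].add(rec["url"])
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))

def group_stats(records: List[dict], groups: List[Set[str]]) -> Dict[str, float]:
    """Average sites, distinct accounts and distinct phones per group."""
    by_url = {r["url"]: r for r in records}
    n = len(groups)
    sites = sum(len(g) for g in groups)
    accounts = sum(len({by_url[u]["account"] for u in g}) for g in groups)
    phones = sum(len({by_url[u]["phone"] for u in g}) for g in groups)
    return {"groups": n, "avg_sites": sites / n, "avg_accounts": accounts / n,
            "avg_phones": phones / n}

def reseller_breakdown(records: Iterable[dict]) -> Dict[str, int]:
    """Count sites per reseller, identified by the name server's domain suffix."""
    counts: Counter = Counter()
    for rec in records:
        reseller = next((r for suffix, r in NS_SUFFIX_TO_RESELLER.items()
                         if rec["ns"].endswith("." + suffix)), "unknown")
        counts[reseller] += 1
    return dict(counts)

if __name__ == "__main__":
    groups = link_sites(RECORDS)
    for i, g in enumerate(groups, 1):
        print(f"G{i}: {sorted(g)}")
    print(group_stats(RECORDS, groups))
    for reseller, count in reseller_breakdown(RECORDS).items():
        print(reseller, "->", RESELLER_TO_REGISTRAR.get(reseller, "?"), count)
```

Linking on the account name rather than the account ID would be a mistake for the reason the footnote gives earlier: the name is forgeable, the account is not. If DNS information is to be used as a linking field at all, it should be the registrant data behind a registrar lookup rather than the shared name server of a reseller.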


A family of scams actually contains some malware (in the form of a downloadable “video”)
• Trojan in .exe format
• Collects email addresses in Outlook Express and Becky!
• Sends information back to “hachimitsu-lemon.com” server
  ▪ Has been taken down for a while
• Information used to blackmail victims, notifying them that they “owe” registration fees
• Recently seen on Oct 26th, 2009
• “Relatively” harmless

Hypothesis: same criminal organization?
• Correlated by identical “Technical Contact Phone Number” in WHOIS information (+816-6241-6585)
Checked multiple DNS blacklists for a subset of our results
• 380 domains tested
• 247 still resolved
• 134 unique IP addresses

Blacklist               Type                    Hits
dnsbl.sorbs.net         Bulk senders            4/134
spam.dnsbl.sorbs.net    Spam to admins          21/134
zen.spamhaus.org        Combined DB             10/134
L2.apews.org            Spam or spam-friendly   42/134
2 or more lists                                 12/134
3 or more lists                                 2/134

• Other DBs tested: spamcop, njabl, manitu, … (0 hits)
• Some spamming but not pervasive
  ▪ Mostly coming from parked domains
  ▪ Spam is in Japanese and is not well reported to these DB operators?
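The blacklist check summarised above, as an added example that is not the authors' script: it builds the reversed-octet query name for each zone on the slide, separates real listings from Spamhaus error codes, and tallies hits per zone and per address (two or more, three or more lists). The addresses and the lookup answers are constructed so it runs offline; passing the default system_lookup queries the live zones, subject to each operator's usage policy.

```python
"""Added example (not the authors' script): query DNS-based blacklists for a set
of resolved addresses and tally listings per zone and per address. The zone
names are the ones on the slide; SAMPLE_IPS and FAKE_ANSWERS are constructed."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional

ZONES = ["dnsbl.sorbs.net", "spam.dnsbl.sorbs.net", "zen.spamhaus.org", "L2.apews.org"]
LookupFn = Callable[[str], Optional[str]]   # query name -> A record text or None

# Constructed answers: which "reversed-ip.zone" names resolve, and to what.
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "10.2.0.192.l2.apews.org": "127.0.0.2",
    "11.2.0.192.l2.apews.org": "127.0.0.2",
    "12.2.0.192.zen.spamhaus.org": "127.255.255.254",   # error code, not a listing
}
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 + zone -> 10.2.0.192.zone (octets reversed, zone lower-cased)."""
    addr = ipaddress.IPv4Address(ip)            # rejects anything but an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone.lower()

def is_listing(answer: Optional[str]) -> bool:
    """A listing is an answer inside 127.0.0.0/8. Spamhaus signals errors such as
    an open resolver or an exceeded query limit with 127.255.255.x answers;
    those must not be counted as hits."""
    if answer is None:
        return False
    a = ipaddress.IPv4Address(answer)
    return a in ipaddress.IPv4Network("127.0.0.0/8") and not str(a).startswith("127.255.255.")

def system_lookup(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_addresses(ips: Iterable[str], zones: List[str] = ZONES,
                    lookup: LookupFn = system_lookup) -> Dict[str, object]:
    """Per-zone hit counts plus how many addresses appear on >=2 and >=3 zones."""
    ips = list(ips)
    per_zone: Counter = Counter()
    hits_per_ip: Dict[str, List[str]] = {}
    for ip in ips:
        hits = [z for z in zones if is_listing(lookup(dnsbl_query_name(ip, z)))]
        hits_per_ip[ip] = hits
        per_zone.update(hits)
    return {"tested": len(ips),
            "per_zone": {z: per_zone.get(z, 0) for z in zones},
            "two_or_more": sum(len(h) >= 2 for h in hits_per_ip.values()),
            "three_or_more": sum(len(h) >= 3 for h in hits_per_ip.values()),
            "hits_per_ip": hits_per_ip}

if __name__ == "__main__":
    print(check_addresses(SAMPLE_IPS, lookup=FAKE_ANSWERS.get))
```

The "two or more" figure is the one worth reporting on its own: a single-zone hit on a shared hosting address is weak evidence, while agreement between independent lists is what the slide's 12/134 conveys.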

Facilities
• EeePC (900X): 28,000 yen
• Yahoo!BB (ADSL 8M): 3,379 yen/month

Rental Servers
• Maido3.com (Starter Pack)
  ▪ Domain Registration fee: FREE
  ▪ Server Setup fee: 3,675 yen
  ▪ Advanced payment (3 months): 7,350 * 3 = 22,050 yen

DNS Registration
• OpenDNS
  ▪ Registration fee: FREE

Subtotal: 160,423 yen

Illegally purchased bank account (includes legal stamp): 30,000-50,000 yen
• Accounts at mail order banks and internet banks are easier to create due to the lack of physical interaction
• Forged bank account names can be easily made since only the katakana reading is required when wiring money
• Subtotal: 40,000 yen

[Example] 白井市蜜粉 “Shirai City Mitsuko”, submitted at application as the name for the ‘PTA Baking Club of Shirai City’; a forged signed paper is sufficient. The katakana (カタカナ) of the account name is shown only as シライシミツコ “Shi-Ra-I-Shi-Mi-Tsu-Ko”, which can easily be misconceived as a woman’s name, “Shiraishi Mitsuko” (白石光子).

Cellphones can be illegally purchased: approx 35,000 yen
• Non-traceable if payment (7,685 yen/month) is done at convenience stores or prepaid instead of bank drafts
• Telephones such as the popular ”Tokyo 03” can be easily transferred to other numbers to evade traceability: 840 yen/month, e.g. Symphonet Services Co.
• Subtotal: 137,300 yen/year


Initial Investments: 616,517 yen on average (based on our measurements)
• Initial Facilities: 160,423 yen
• *Bank Accounts: 40,000 yen x 5.97 = 238,800 yen
• *Cellphones/Telephones: 137,300 yen x 1.58 = 216,934 yen

Income: 9,094,089 yen / case / year
• **2.6bil yen / 2,859 cases = 9,094,089 yen/case
• **2,859 cases / 657 persons = 4.351 cases/person
• Very close to our findings (3.6 websites operated by each organization/person on average)
• 4.4 frauds/organization on average

Organization’s income: 39,397,475 yen
• (9,094,089 * 4.4) – 616,517 = 39,397,475 yen (about $400K!)

Note:
• Somewhat pessimistic estimate: only takes into account frauds that were discovered, not all frauds
• Actual number likely to be lower…
• … yet very significant!

*average numbers obtained from network analysis results
**average from police reports of 2004-2008
DATE                | PREFECTURE | CRIMINAL ORGANIZATION        | MONETARY DAMAGES (total, Yen) | VICTIMS (total) | References
2004/2 - 2005/04/13 | Osaka      | Nakanishi + 5 other          | 6 Billion    | 10,000+ | http://blog.hitachinet.jp/archives/18867382.html
2004/8 - 2005/11/08 | Iwate      | Mori + 4 other               | 0.28 Billion | 450+    | http://www.yomiuri.co.jp/net/news/20051108nt03.htm
2005/8 - 2007/03/04 | Saitama    | Matsushita                   | 0.5 Billion  | 700+    | http://blog.kogumaneko.tk/log/eid591.html
2006/7 - 2007/11/28 | Chiba      | Ochiai + 6 other             | 3 Billion    | 3,400+  | http://www.yomiuri.co.jp/net/security/snews/20071128nt0c.htm
2007/7 - 2008/8/16  | Yamaguchi  | Nagaoka + 5 other (2 Groups) | 2.4 Billion  | 3500+   | http://blog.kogumaneko.tk/log/eid1005.html

Police arrest reports disclosed to media show criminals can earn extremely large amounts of money in roughly 1-2 years

Hard to prosecute
• Low penalty
  ▪ Fraudsters can be sentenced up to 10 years but generally less than 5 years
  ▪ Repeat offenders!
• Victim must make a complaint but rarely does so (embarrassment factor)

Cases    Arrest   Sentence   Fine (yen)
Osaka    4/2005   2.5 yrs    2,000,000
Kyoto    7/2005   2.5 yrs    300,000
Nara     7/2005   2 yrs      1,000,000
         1/2006   0 yrs      300,000

Lawyer Sakurai: Syndicates do it for the thrill, so even if they finish their sentence they have a high repeat rate. Once-popular ‘Ore-Ore’ syndicates have finished their 3-4 year sentences this 2009, so a large increase in the same fraud has already been observed by Police.

Relatively hard to identify
• DNS servers are overseas, difficult to obtain actual registrant information
• Telephone numbers use transferring services
• Barring possession of an arrest warrant, police cannot obtain contact and network information

What makes One Click Fraud appealing?
• Fraudsters can readily exploit infrastructure vulnerabilities
  ▪ Lax cellphone registration practices
  ▪ Forwarding services
  ▪ Registrars turning a blind eye
• Economically beneficial since low investment and high income
• Legal penalties are extremely low and not effective to curb crimes

Who is committing these crimes?
• Repeat offenders (potential criminal organizations?) control a vast majority of the fraudulent sites
• Relatively low technological sophistication, although usage of (relatively simple) malware observed
• Not much evidence of connections to other types of frauds (except for spam), but deserves to be more fully investigated

One Click Fraud must be primarily addressed by non-technological means
• Economic balance far too much in favor of fraudsters

Policy
• Stop registration by use of DNS Blacklist or pressure DNS resellers
• Strengthen control over exploitable banks, cellphone contracts, etc.

Law
• Increase legal actions for traceability of phone numbers
• Impose higher legal penalties
  ▪ Prison, but more importantly fines will increase expected attacker costs

Technology
• Increase IT literacy to avoid people panicking when faced with such threats

Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki
“Dissecting One Click Frauds” CyLab Technical Report CMU-CyLab-10-011.
http://www.andrew.cmu.edu/user/nicolasc/papers.html
Amount of Money vs Time
• Registration fees concentrate at 50,000 yen
• Time and Japanese economic conditions do not seem to affect price

[Scatter plot: Amount of Money (0 to 200,000 yen) vs Time (2006/1/1 to 2009/11/1)]

.hta format tool that persistently shows a “Please Pay Registration Fee” window
• Persistently shows the window even if ‘x’ is clicked and when the PC is rebooted
• Does not collect data
• Cause of the sudden increase of calls to police and IPA Help Desk in May, 2009
• First seen on April 7th, 2009
• Recently seen on Oct 12th, 2009
• Many anti-virus applications prevent .hta module downloads from July, 2009
• Groups could not be distinguished by collected attributes
• Other analysis such as .hta module code comparison is required