Dissecting One Click Frauds
  1. Dissecting One Click Frauds
  Nicolas Christin, CMU INI/CyLab; Sally S. Yanagihara, CMU INI/CyLab Japan; Keisuke Kamataki, CMU CS/LTI

  2. What is “One Click Fraud”?
  • Pervasive online fraud found in Japan since 2004
  • “as seen on TV!”
  • Victim clicks on an (innocuous) HTML link
    • email, website, or SMS variants
  • … only to be told they entered a binding contract…
  • … and are required to pay a nominal fee or “legal actions” would be taken
  • Japanese cousin of scareware scams
  Source: One Click Contracts/Frauds, Wikipedia http://ja.wikipedia.org/wiki/ワンクリック詐欺

  3. Why do victims pay?
  • Fear of embarrassment, divorce, public shame, loss of job…
  • Show IP address and a notice that “contact information has been recorded”
  • Show victim a sample of the billing statement that will be sent to the home (postcard with pornographic picture)
  Source: One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html

  4. Problem importance
  • Quite large monetary impact
    • Roughly 2.6 billion yen (~30 million US dollars) annually since 2004*
  • Victim’s private information and payment are shared within the underground community and expose victims to more frauds**
  • Actual market size, damages, and number of victims are unknown due to the embarrassment factor
    • Only 2,859 cases (657 arrests) are solved on average each year
  • Persistent plague over the 4 years we looked at (2006-2009)
  *Japan Police Force Annual Report 2004-2009
  **http://journal.mycom.co.jp/articles/2009/04/24/adultsite1/index.html

  5. Research questions
  • What makes One Click Fraud easy to perpetrate?
    • What vulnerabilities do we have in our infrastructure?
    • How are criminals exploiting those vulnerabilities?
  • Who is committing these crimes?
    • “Random crooks”, or…
    • … is there evidence of any organized criminal activity?
    • Do they operate in groups?
    • Can they be linked to other forms of online crime?
  • How should we address this problem?
    • Technological vs. economical vs. legal remedies

  6. Collecting instances of One Click Frauds
  • Source of data: “vigilante” websites posting information about frauds
    • 2 Channel (2ちゃんねる 掲示板) http://society6.2ch.net/test/read.cgi/police/1215642976
      • Japan’s largest BBS
      • We focus on the ‘One Click Fraud’ posts
      • Potential difficulty: posts made using natural language, lots of noise, potentially hard to parse automatically
    • Koguma-neko Teikoku (こぐまねこ帝国) http://kogumaneko.tk/
      • Consumer-oriented website (helpdesks, information, …)
      • Structured reports, parsing easy
    • Wan-CliZukan (ワンクリ図鑑) http://1zukan.269g.net/
      • Vigilante blog dedicated to exposing One Click Frauds
      • Structured reports, parsing easy
  • Collected 2,140 incident reports, dated March 6, 2006 to October 26, 2009
  • No evidence of slander

  7. Data collection methodology
  • Extract the following attributes from each report and store them in a MySQL database:
    • URL
    • Bank account ID
    • Bank account name*
    • Bank branch name
    • Bank name
    • Phone number
    • DNS information
      • Registrar info
      • DNS / reverse-DNS lookup
    • “Required” fee
  • Many incomplete/ambiguous records, frequent overlap between different incidents
  (Figure: 2ch example report, with the genuine attributes* highlighted)
  *Bank account owner’s name can be falsified, but the account is genuine (not false)

  8. Two-dimensional analysis
  1. Look for patterns across frauds in:
  • Bank accounts used
  • Phone numbers used
  • DNS information (registrars, name servers)

  9. Two-dimensional analysis
  2. Draw correlations to link several frauds to the same perpetrators
  (Figure: Website 1 and Website 2 linked by a common bank account, across the three dimensions: bank accounts used, phone numbers used, DNS information (registrars, name servers))

  10. Phone numbers used
  (Chart: fraudsters’ phone numbers)
  • Can identify phone numbers in 516 distinct incidents
  • “au (by KDDI)” may have lax restrictions for new contracts
  • Tokyo ’03-***’ numbers may be numbers using transfer services

  11. Bank accounts used
  • Can identify banks in 803 distinct incidents
  • No “smoking gun” here
  • Internet banks make it easier to create bank accounts since there is no physical interaction
    • More prone to abuse
  (Chart: bank accounts used in frauds)

  12. DNS registrars
  (Chart: fraudulent websites’ registrars)
  • Can identify registrar in 389 distinct incidents
  • Evidence of a bias
    • Is this due to lack of enforcement?
    • Questionable subcontracting? (Resellers)

  13. DNS resellers/Web hosting services
  • Fraudsters’ choice of DNS reseller can be determined by grouping name servers
    • Identified in 97 incidents
  • Very often also offer web hosting services
    • Maido3.com is a reseller of Tucows Inc
    • Value-Domain.com is a reseller of Enom Inc
    • DreamHost.com is a reseller/branch of New Dream Network LLC
  (Chart: number of websites hosted per reseller)

  14. Intermediate summary
  1. Look for patterns across frauds in:
  • Cellphones, telephones
    • “au (KDDI)” brand cellphones may have lax contracting restrictions
    • Tokyo “03-**” numbers probably due to phone number transfer services
  • Bank accounts
    • No “smoking gun”
    • Internet banks are seemingly easier to abuse
  • DNS registrars and resellers
    • Biased to specific DNS vendors
    • DNS vendor resellers can be found by registered name server
  (Figure: the three dimensions, bank accounts, phone numbers, DNS registrars and resellers)

  15. Linking different frauds to same groups
  (Figure: incidents linked by shared URL, account ID and phone number)

  16. Additional clustering
  • A family of scams actually contains some malware (in the form of a downloadable “video”)
    • Trojan in .exe format
    • Collects email addresses in Outlook Express and Becky!
    • Sends information back to “hachimitsu-lemon.com” server
      • Has been taken down for a while
    • Information used to blackmail victims, notifying them they “owe” registration fees
    • Recently seen on Oct 26th, 2009
    • “Relatively” harmless
  • Hypothesis: same criminal organization?
    • Correlated by identical “Technical Contact Phone Number” in WHOIS information (+81-6-6241-6585)

  17. Organized criminal groups
  Basic clustering
  • Identified (at most) 105 organized criminal groups
  • On average, each group
    • maintains 3.7 websites
    • 5.2 bank accounts
    • 1.3 phone numbers
  • A few “syndicates” seem responsible for most of the frauds
  (Chart: group size distribution, basic clustering + WHOIS; 8 groups account for 50% of all scams; seems to follow Zipf’s law (high concentration, long tail))
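The attribute-matching behind slides 8 to 17, as an added example that is not from the paper or the authors’ own tooling: a union-find linkage over constructed incident records (made-up URLs, account IDs and phone numbers) that transitively merges sites sharing a bank account or phone number, then reports the per-group averages and top-group share the slides quote.

```python
from collections import defaultdict

# Constructed sample reports shaped like slide 7's attributes (made-up values; "" = missing)
INCIDENTS = [
    {"url": "site-a.example", "account": "ACC-1001", "phone": "090-0000-0001"},
    {"url": "site-b.example", "account": "ACC-1001", "phone": "090-0000-0002"},
    {"url": "site-c.example", "account": "ACC-2002", "phone": "090-0000-0002"},
    {"url": "site-d.example", "account": "ACC-3003", "phone": "03-0000-0003"},
    {"url": "site-e.example", "account": "", "phone": ""},
]

class DisjointSet:
    """Union-find over hashable keys: site URLs and 'field:value' link tokens."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_incidents(incidents, link_fields=("account", "phone")):
    """Transitively group incidents sharing a bank account ID or phone number.
    Name servers are deliberately not a link field: they identify a reseller
    (slide 13) shared by many unrelated sites and would over-merge groups."""
    ds = DisjointSet()
    for inc in incidents:
        ds.find(inc["url"])  # register the site even if no attribute is known
        for field in link_fields:
            if inc.get(field):  # an empty/missing value must never act as a shared key
                ds.union(inc["url"], f"{field}:{inc[field]}")
    groups = defaultdict(list)
    for inc in incidents:
        groups[ds.find(inc["url"])].append(inc)
    return sorted(groups.values(), key=len, reverse=True)

def group_stats(groups):
    """Average websites, bank accounts and phone numbers per group (cf. slide 17)."""
    n = len(groups)
    accounts = sum(len({i["account"] for i in g if i["account"]}) for g in groups)
    phones = sum(len({i["phone"] for i in g if i["phone"]}) for g in groups)
    return {"groups": n, "sites": sum(map(len, groups)) / n,
            "accounts": accounts / n, "phones": phones / n}

def top_share(groups, k):
    """Fraction of incidents attributable to the k largest groups (slide 17: 8 groups, 50%)."""
    return sum(map(len, groups[:k])) / sum(map(len, groups))
```

On the sample, sites a, b and c merge into one group (a and b share an account, b and c share a phone), while the record with no usable attributes stays a singleton rather than being joined to every other incomplete record.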

  18. Do they also spam?
  • Checked multiple DNS blacklists for a subset of our results
    • 842 domains tested
    • 275 unique IP addresses
  • No significant evidence of spamming, except for “parked” domains → seems to substantiate the “lenient reseller” hypothesis

  19. Economic incentives of fraudsters, Part 1: Facilities + Web hosting costs
  • Hardware/connection
    • EeePC (900X): 28,000 yen
    • Yahoo!BB (ADSL 8M): 3,904 yen/month
  • Rental servers
    • Maido3.com (Starter Pack)
      • Domain registration fee: FREE
      • Server setup fee: 3,675 yen
      • Payment/month: 7,350 yen/month
  • Running website for a year ≤ 166,873 yen

  20. Economic incentives of fraudsters, Part 2: Cost of bank account/books/legal stamps
  • Illegally purchased (includes legal stamp): 30,000-50,000 yen
  • Mail order banks, internet banks are easier to create due to lack of physical interaction
  • Forged bank account names can be easily made since only the phonetic reading is required when wiring money
  • Fraudulent bank account for a year ≤ 50,000 yen
  (Figure: forged account name example. Submitted at application as the name for the ‘PTA Baking Club of Shirai City’: 白井市蜜粉, “Shirai City Mitsuko”. The katakana (カタカナ) of the account name is shown only as シライシミツコ, “Shi-Ra-I-Shi-Mi-Tsu-Ko”, which can easily be misconceived as a woman’s name, “Shiraishi Mitsuko” (白石光子). A forged signed paper is sufficient.)

  21. Economic incentives of fraudsters, Part 3: Cost of cellphones/landline telephones
  • Cellphones can be illegally purchased: approx. 35,000 yen
    • Not traceable if payment (7,685 yen/month) is done at convenience stores or prepaid instead of bank drafts
  • Telephones such as the popular “Tokyo 03” can be easily transferred to other numbers to evade traceability: 840 yen/month, e.g. Symphonet Services Co.
  • Untraceable phone for a year ≤ 137,300 yen

  22. Economic incentives of miscreants, Part 4: Income per “customer”
  • Registration fees are primarily between 45,000 and 50,000 yen (USD $500)
  • Matches average Japanese businessmen’s monthly allowance* (45,600 yen)!
  (Chart: fraud amount, top 10 most common)
  *In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.

  23. Economic incentives of miscreants, Part 5: Average cost/benefit analysis
  • Assuming, on average, 3.7 websites, 5.2 bank accounts, and 1.3 phone lines (based on our analysis), an average fraudster breaks even as soon as approx. 4 users/site operated (about 16 people total) fall for the fraud within a year
  • … obviously some people make a lot more money

  24. Economic incentives of fraudsters, Part 6: Worst-case scenario
  • Analysis from police reports
    • People who got caught, the really reckless guys
  • Income: 9,094,089 yen / case / year
    • **2.6 bil yen / 2,859 cases = 9,094,089 yen/case
  • 4.4 frauds/organization on average
    • **2,859 cases / 657 persons = 4.351 cases/person
    • Very close to our findings (3.6 websites operated by each organization/person on average)
  • Organization’s income: 39,397,475 yen
    • (9,094,089 * 4.4) – 616,517 = 39,397,475 yen (about $400K!)
  Important caveat: includes One Click Fraud and related confidence scams (e.g., Ore Ore). Very strong assumption (hinted by police): all scams are roughly in the same ballpark

  25. Economic validation: actual arrests
  • Police arrest reports disclosed to media show criminals can earn extremely large amounts of money in roughly 1-2 years

  26. Legal remedies or lack thereof
  • Hard to prosecute
    • Victim must make a complaint but rarely does so (embarrassment factor)
    • Hard to show a crime: “Glorified panhandling”
  • Low penalty
    • Fraudsters can be sentenced up to 10 years but generally less than 5 years
  • Relatively hard to identify
    • DNS servers are overseas, difficult to obtain actual registrant information
    • Telephone numbers use transferring service
    • Barring possession of an arrest warrant, police cannot obtain contact and network information

  27. Conclusion
  • What makes One Click Fraud appealing?
    • Miscreants can readily exploit infrastructure vulnerabilities
      • Lax cellphone registration practices
      • Forwarding services
      • Registrars turning a blind eye
    • Economically beneficial since low investment and high income
    • Legal penalties are extremely low and not effective to curb crimes
  • Who is committing these crimes?
    • A few miscreants seem to control a majority of the fraudulent sites
    • Relatively low technological sophistication, although usage of (relatively simple) malware observed
    • Not much evidence of connections to other types of frauds, but deserves to be more fully investigated

  28. Possible ways forward
  • One Click Fraud must be primarily addressed by non-technological means
    • Economic balance tipping far too much in favor of fraudsters
  • Policy
    • DNS blacklist or pressure DNS resellers (ICANN)
    • Strengthen control over exploitable banks, cellphone contracts, etc.
  • Law
    • Increase legal actions for traceability of phone numbers
    • Impose higher legal penalties?
      • Prison, but more importantly fines will increase expected attacker costs
  • Technology
    • Increase IT literacy to avoid people panicking when faced with such threats
      • Decrease the pool of potential victims
    • Similarities with scareware?

  29. Thank you!
  Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, CyLab Technical Report CMU-CyLab-10-011. http://www.andrew.cmu.edu/user/nicolasc/papers.html
  Email: nicolasc@cmu.edu

  30. Registration Fee vs Time
  • Registration fees concentrate at 50,000 yen
  • Time and Japanese economic conditions do not seem to affect price

  31. Malware: HTA Module
  • .hta format tool that persistently shows a “Please Pay Registration Fee” window
    • Persistently shows the window even if ‘x’ is clicked and when the PC is rebooted
    • Does not collect data
  • Cause of a sudden increase of calls to police and the IPA Help Desk in May, 2009
    • First seen on April 7th, 2009
    • Recently seen on Oct 12th, 2009
    • Many anti-virus applications prevent .hta module downloads from July, 2009
  • Groups could not be distinguished by collected attributes
    • Other analyses, such as .hta module code comparison, are required
