Dissecting One Click Frauds
Nicolas Christin, CMU INI/CyLab
Sally S. Yanagihara, CMU INI/CyLab Japan
Keisuke Kamataki, CMU CS/LTI
What is “One Click Fraud”?
• Pervasive online fraud found in Japan since 2004
• “as seen on TV!”
• Victim clicks on an (innocuous) HTML link
• email, website, or SMS variants
• … only to be told they entered a binding contract…
• … and are required to pay a nominal fee or “legal actions” would be taken
• Japanese cousin of scareware scams
One Click Contracts/Frauds, Wikipedia http://ja.wikipedia.org/wiki/ワンクリック詐欺
Why do victims pay?
• Fear of embarrassment, divorce, public shame, loss of job…
• The page shows the victim’s IP address and a notice that “contact information has been recorded”
• The page shows the victim a sample of the billing statement that will be sent to the home (postcard with pornographic picture)
One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html
Problem importance
• Quite large monetary impact
• Roughly 2.6 billion yen (~30 million US dollars) annually since 2004*
• Victims’ private information and payments are shared within the underground community, exposing victims to more frauds**
• Actual market size, damages, and number of victims are unknown due to embarrassment factor
• Only 2,859 cases (657 arrests) are solved on average each year
• Persistent plague over the 4 years we looked at (2006-2009)
*Japan Police Force Annual Report 2004-2009
**http://journal.mycom.co.jp/articles/2009/04/24/adultsite1/index.html
Research questions
• What makes One Click Fraud easy to perpetrate?
• What vulnerabilities do we have in our infrastructure?
• How are criminals exploiting those vulnerabilities?
• Who is committing these crimes?
• “Random crooks”, or…
• … is there evidence of any organized criminal activity?
• Do they operate in groups?
• Can they be linked to other forms of online crime?
• How should we address this problem?
• Technological vs. economical vs. legal remedies
Collecting instances of One Click Frauds
• Source of data: “vigilante” websites posting information about frauds
• 2 Channel (2ちゃんねる 掲示板) http://society6.2ch.net/test/read.cgi/police/1215642976
• Japan’s largest BBS
• We focus on the ‘One Click Fraud’ posts
• Potential difficulty: posts made using natural language, lots of noise, potentially hard to parse automatically
• Koguma-neko Teikoku (こぐまねこ帝国) http://kogumaneko.tk/
• Consumer-oriented website (helpdesks, information, …)
• Structured reports, parsing easy
• Wan-CliZukan (ワンクリ図鑑) http://1zukan.269g.net/
• Vigilante blog dedicated to exposing One Click Frauds
• Structured reports, parsing easy
• Collected 2,140 incident reports, dated March 6, 2006-October 26, 2009
• No evidence of slander
Data collection methodology
• Extract the following attributes from each report and store them in a MySQL database
• URL
• Bank account ID
• Bank account name*
• Bank branch name
• Bank name
• Phone number
• DNS information
• Registrar info
• DNS-reverse DNS lookup
• “Required” fee
• Many incomplete/ambiguous records, frequent overlap between different incidents
[Figure: genuine attributes highlighted in a 2ch example post]
*Bank account owner’s name can be falsified, but the account itself is genuine (not false)
Two-dimensional analysis
1. Look for patterns across frauds in:
• Bank accounts used
• Phone numbers used
• DNS information (registrars, name servers)
2. Draw correlations to link several frauds to the same perpetrators
[Figure: Website 1 and Website 2 linked through a common bank account]
Phone numbers used
• Can identify phone numbers in 516 distinct incidents
• “au (by KDDI)” may have lax restrictions for new contracts
• Tokyo ’03-***’ numbers may be numbers using transfer services
[Figure: fraudsters’ phone numbers]
Bank accounts used
• Can identify banks in 803 distinct incidents
• No “smoking gun” here
• Internet banks make it easier to create bank accounts since there is no physical interaction
• More prone to abuse
[Figure: bank accounts used in frauds]
DNS registrars
• Can identify registrar in 389 distinct incidents
• Evidence of a bias
• Is this due to lack of enforcement?
• Questionable subcontracting? (Resellers)
[Figure: fraudulent websites’ registrars]
DNS resellers/Web hosting services
• Fraudsters’ choice of DNS reseller can be inferred by grouping name servers
• Identified in 97 incidents
• Very often also offer web hosting services
• Maido3.com is reseller of TuCows Inc
• Value-Domain.com is reseller of Enom Inc
• DreamHost.com is reseller/branch of New Dream Network LLC
[Figure: number of websites hosted, per reseller]
Intermediate summary
1. Look for patterns across frauds in:
• Cellphones, Telephones
• “au (KDDI)” brand cellphones may have lax contracting restrictions
• Tokyo “03-**” number probably due to phone number transfer services
• Bank accounts
• No “smoking gun”
• Internet banks are seemingly easier to abuse
• DNS Registrars and Resellers
• Biased to specific DNS vendors
• DNS vendor resellers can be found by registered Name Server
Linking different frauds to same groups
[Figure: incidents linked through shared URL, account ID, and phone number]
Additional clustering
• A family of scams actually contains some malware (in the form of a downloadable “video”)
• Trojan in .exe format
• Collects email addresses in Outlook Express and Becky!
• Sends information back to “hachimitsu-lemon.com” server
• Has been taken down for a while
• Information used to blackmail victims by notifying them they “owe” registration fees
• Recently seen on Oct 26th, 2009
• “Relatively” harmless
• Hypothesis: same criminal organization?
• Correlated by identical “Technical Contact Phone Number” in WHOIS information (+81-6-6241-6585)
Organized criminal groups
Basic clustering + WHOIS
• Identified (at most) 105 organized criminal groups
• On average, each group
• maintains 3.7 websites
• 5.2 bank accounts
• 1.3 phone numbers
• A few “syndicates” seem responsible for most of the frauds
[Figure: share of scams per group; 8 groups account for 50% of all scams, seemingly following Zipf’s law (high concentration, long tail)]
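The basic clustering described above (linking reports that share a URL, bank account ID, phone number or name server, then counting websites, accounts and phone numbers per group), as an added example that is not code from the slides or the CyLab report. The incident records are constructed samples, not data from the study.

```python
from collections import defaultdict

# Constructed incident reports (not real data); None = attribute missing from the post.
INCIDENTS = [
    {"url": "site-a.example", "account": "ACCT-1001", "phone": "090-0000-0001", "ns": "ns1.host-x.example"},
    {"url": "site-b.example", "account": "ACCT-1001", "phone": None, "ns": "ns1.host-y.example"},
    {"url": "site-c.example", "account": "ACCT-2002", "phone": "090-0000-0001", "ns": None},
    {"url": "site-d.example", "account": "ACCT-3003", "phone": "03-0000-0002", "ns": "ns1.host-z.example"},
    {"url": "site-d.example", "account": "ACCT-3004", "phone": "03-0000-0002", "ns": "ns1.host-z.example"},
    {"url": "site-e.example", "account": "ACCT-5005", "phone": None, "ns": None},
]
# Attributes that tie two reports to the same group when they share a value
LINK_KEYS = ("url", "account", "phone", "ns")

def find(parent, i):
    """Root of incident i in the union-find forest, with path compression."""
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i

def cluster(incidents, keys=LINK_KEYS):
    """Group incident indices: any shared non-empty key value merges two groups."""
    parent = list(range(len(incidents)))
    first_seen = {}  # (key, value) -> index of the first incident carrying it
    for i, rec in enumerate(incidents):
        for k in keys:
            v = rec.get(k)
            if v is None:  # incomplete record: this attribute cannot link it
                continue
            if (k, v) in first_seen:
                parent[find(parent, i)] = find(parent, first_seen[(k, v)])
            else:
                first_seen[(k, v)] = i
    groups = defaultdict(list)
    for i in range(len(incidents)):
        groups[find(parent, i)].append(i)
    return sorted(groups.values(), key=min)

def summarise(incidents, groups):
    """Average number of distinct websites, bank accounts and phone numbers per group."""
    totals = {"url": 0, "account": 0, "phone": 0}
    for g in groups:
        for k in totals:
            totals[k] += len({incidents[i][k] for i in g if incidents[i][k]})
    return {k: n / len(groups) for k, n in totals.items()}
```

On the sample data the three groups come out as [[0, 1, 2], [3, 4], [5]]: the first two reports share a bank account, the third shares a phone number with the first, and report 5 has nothing linkable.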
Do they also spam?
• Checked multiple DNS blacklists for a subset of our results
• 842 domains tested
• 275 unique IP addresses
• No significant evidence of spamming, except for “parked” domains
• Seems to substantiate the “lenient reseller” hypothesis
Economic incentives of fraudsters
Part 1: Facilities + Webhosting costs
• Hardware/connection
• EeePC (900X): 28,000 yen
• Yahoo!BB (ADSL 8M): 3,904 yen/month
• Rental Servers
• Maido3.com (Starter Pack)
• Domain Registration fee: FREE
• Server Setup fee: 3,675 yen
• Payment/month: 7,350 yen/month
• Running website for a year ≤ 166,873 yen
Economic incentives of fraudsters
Part 2: Cost of Bank Account/Books/Legal Stamps
• Illegally purchased (includes legal stamp): 30,000-50,000 yen
• Mail order banks, internet banks are easier to create due to lack of physical interaction
• Forged bank account names can be easily made since only the phonetic reading is required when wiring money
• Fraudulent bank account for a year ≤ 50,000 yen
[Figure: forged account name example]
• Name submitted at application: 白井市蜜粉 “Shirai City Mitsuko”, as the name for the ‘PTA Baking Club of Shirai City’
• カタカナ (Katakana) of the account name is shown only as シライシミツコ “Shi-Ra-I-Shi-Mi-Tsu-Ko”
• “Shi-Ra-I-Shi-Mi-Tsu-Ko” can be easily misconceived as a woman’s name, “Shiraishi Mitsuko” (白石光子)
• Forged signed paper is sufficient
Economic incentives of fraudsters
Part 3: Cost of Cellphones/Landline Telephones
• Cellphones can be illegally purchased: approx 35,000 yen
• Non-traceable if payment (7,685 yen/month) is done at convenience stores or prepaid instead of bank drafts
• Telephones such as popular “Tokyo 03” numbers can be easily transferred to other numbers to evade traceability: 840 yen/month, e.g. Symphonet Services Co.
• Untraceable phone for a year ≤ 137,300 yen
Economic incentives of miscreants
Part 4: Income per “customer”
• Registration fees are primarily between 45,000 and 50,000 yen (USD $500)
• Matches average Japanese businessmen monthly allowance* (45,600 yen)!
[Figure: fraud amount (top 10 most common)]
*In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.
Economic incentives of miscreants
Part 5: Average cost/benefit analysis
• Assuming, on average, 3.7 websites, 5.2 bank accounts, and 1.3 phone lines (based on our analysis), an average fraudster breaks even as soon as approx. 4 users/site operated (about 16 people total) fall for the fraud within a year
• … obviously some people make a lot more money
Economic incentives of fraudsters
Part 6: Worst-case scenario
• Analysis from police reports
• People who got caught, the really reckless guys
• Income: 9,094,089 yen / case / year
• **2.6 bil yen / 2,859 cases = 9,094,089 yen/case
• 4.4 frauds/organization on average
• **2,859 cases / 657 persons = 4.351 cases/person
• Very close to our findings (3.6 websites operated by each organization/person on average)
• Organization’s income: 39,397,475 yen
• (9,094,089 * 4.4) – 616,517 = 39,397,475 yen (about $400K!)
Important caveat: includes One Click Fraud and related confidence scams (e.g., Ore Ore). Very strong assumption (hinted by police): all scams are roughly in the same ballpark
Economic validation: actual arrests
• Police arrest reports disclosed to media show criminals can earn extremely large amounts of money in roughly 1-2 years
Legal remedies or lack thereof
• Hard to prosecute
• Victims must file a complaint but rarely do so (embarrassment factor)
• Hard to show a crime: “Glorified panhandling”
• Low penalty
• Fraudsters can be sentenced up to 10 years but generally less than 5 years
• Relatively hard to identify
• DNS servers are overseas, difficult to obtain actual registrant information
• Telephone numbers use transferring service
• Barring possession of an arrest warrant, police cannot obtain contact and network information
Conclusion
• What makes One Click Fraud appealing?
• Miscreants can readily exploit infrastructure vulnerabilities
• Lax cellphone registration practices
• Forwarding services
• Registrars turning a blind eye
• Economically beneficial since low investment and high income
• Legal penalties are extremely low and not effective to curb crimes
• Who is committing these crimes?
• A few miscreants seem to control a majority of the fraudulent sites
• Relatively low technological sophistication, although usage of (relatively simple) malware observed
• Not much evidence of connections to other types of frauds, but deserves to be more fully investigated
Possible ways forward
• One Click Fraud must be primarily addressed by non-technological means
• Economic balance tipping far too much in favor of fraudsters
• Policy
• DNS Blacklist or pressure DNS resellers (ICANN)
• Strengthen control over exploitable banks, cellphone contracts, etc
• Law
• Increase legal actions for traceability of phone numbers
• Impose higher legal penalties?
• Prison, but more importantly fines will increase expected attacker costs
• Technology
• Increase IT literacy to avoid people panicking when faced with such threats
• Decrease the pool of potential victims
• Similarities with scareware?
Thank you!
Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, CyLab Technical Report CMU-CyLab-10-011. http://www.andrew.cmu.edu/user/nicolasc/papers.html
Email: nicolasc@cmu.edu
Registration Fee vs Time
• Registration fees concentrate at 50,000 yen
• Time and Japanese economic conditions do not seem to affect price
Malware: HTA Module
• .hta format tool that persistently shows a “Please Pay Registration Fee” window
• The window keeps reappearing even if ‘x’ is clicked and after the PC is rebooted
• Does not collect data
• Cause of sudden increase of calls to police and IPA Help Desk in May, 2009
• First seen on April 7th, 2009
• Recently seen on Oct 12th, 2009
• Many anti-virus applications prevent .hta module downloads from July, 2009
• Groups could not be distinguished by collected attributes
• Other analyses such as .hta module code comparison are required