Page 1

Dissecting One Click Frauds

Nicolas Christin, CMU INI/CyLab
Sally S. Yanagihara, CMU INI/CyLab Japan
Keisuke Kamataki, CMU CS/LTI

TRUST Autumn 2010 Conference – November 2010, Stanford, CA

Page 2

What is “One Click Fraud”?

• Pervasive online fraud found in Japan since 2004 (“as seen on TV!”)
• Japanese cousin of scareware scams
• Victim clicks on an (innocuous) HTML link
  ▪ email, website, or SMS variants
• … only to be told they entered a binding contract…
• … and are required to pay a nominal fee or “legal action” will be taken

Source: One Click Contracts/Frauds, Wikipedia, http://ja.wikipedia.org/wiki/ワンクリック詐欺

Page 3

Why do victims pay?

• Show the IP address and a notice that “contact information has been recorded”
• Show the victim a sample of the billing statement that will be sent to the home (postcard with a pornographic picture)
• Fear of embarrassment, divorce, public shame, loss of job…

Source: One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html

Page 4

Research questions

What makes One Click Fraud easy to perpetrate? What vulnerabilities do we have in our infrastructure? How are criminals exploiting those vulnerabilities?

Who is committing these crimes? “Random crooks”, or… … is there evidence of any organized criminal

activity?▪ Do they operate in groups?▪ Can they be linked to other forms of online crime?

How should we address this problem?▪ Technological vs. economical vs. legal remedies

Page 5

Collecting instances of One Click Frauds

Source of data: “vigilante” websites posting information about frauds

• 2 Channel (2ちゃんねる 掲示板), http://society6.2ch.net/test/read.cgi/police/1215642976
  ▪ Japan’s largest BBS; we focus on the ‘One Click Fraud’ posts
  ▪ Potential difficulty: posts made using natural language, lots of noise, potentially hard to parse automatically
• Koguma-neko Teikoku (こぐまねこ帝国), http://kogumaneko.tk/
  ▪ Consumer-oriented website (helpdesks, information, …)
  ▪ Structured reports, parsing easy
• Wan-Cli Zukan (ワンクリ図鑑), http://1zukan.269g.net/
  ▪ Vigilante blog dedicated to exposing One Click Frauds
  ▪ Structured reports, parsing easy

Collected 2,140 incident reports, dated March 6, 2006 to October 26, 2009. No evidence of slander.

Page 6

Data collection methodology

• Strip reports of the following attributes and store them in a MySQL database:
  ▪ URL
  ▪ Bank account number
  ▪ Bank account name*
  ▪ Bank branch name
  ▪ Bank name
  ▪ Phone number
  ▪ DNS information: registrar info (WHOIS), DNS and reverse-DNS lookup
  ▪ “Required” fee
• Many incomplete/ambiguous records, frequent overlap between different incidents
• Genuine attributes* [2ch example]

*The bank account owner’s name can be falsified, but the account itself is genuine (not false)

Page 7

Infrastructure vulnerabilities

• Cellphones, telephones
  ▪ Some cellphone providers may have more lax contracting restrictions
  ▪ Tokyo “03-**” numbers, probably due to phone number transfer services
• Bank accounts
  ▪ No “smoking gun”
  ▪ Internet banks are seemingly easier to abuse
• DNS registrars and resellers
  ▪ Biased toward specific resellers
  ▪ Some resellers have lax policies

[Diagram labels: DNS Registrars and Resellers; Phone Numbers; Bank Accounts]

Page 8

Correlation analysis

1. Look for patterns across frauds in:
  ▪ DNS information (registrars, name servers)
  ▪ Phone numbers used
  ▪ Bank accounts used
2. Draw correlations to link several frauds to the same perpetrators

[Diagram: Website 1 and Website 2 share a common bank account!]

Page 9

Linking different frauds to the same groups

[Diagram: frauds linked through shared phone numbers, account numbers, and URLs]

Page 10

Organized criminal groups

• Identified (at most) 105 organized criminal groups
• On average, each group maintains 3.7 websites, 5.2 bank accounts, and 1.3 phone numbers
• A few “syndicates” seem responsible for most of the frauds: 8 groups account for 50% of all scams
• Method: basic clustering + WHOIS info
• Seems to follow Zipf’s law (high concentration, long tail)

Page 11

Specialized crime?

Checked multiple DNS blacklists for a subset of our results: 842 domains tested, 275 unique IP addresses.

Blacklist | Category | Listed
cbl.abuseat.org | Open proxies, spamware | 2.55%
dnsbl.sorbs.net | Spam | 8%
zen.spamhaus.org | Combined DB | 8.36%
L2.apews.org | Spam or spam-friendly | 32.73%
bl.spamcop.net | Spam | 1.45%
aspews.ext.sorbs.net | Spam | 4%
ix.dnsbl.manitu.net | Spam | 1.45%
Google Safe Browsing (URLs) | Phish, malware | 0%
Google Safe Browsing (IPs) | Phish, malware | 16%

No significant evidence of spamming, except for “parked” domains; this seems to substantiate the “lenient reseller” hypothesis.
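The table above comes from querying DNS-based blacklists for the IP addresses behind the fraud sites. The block below is an added example of how such a check is done, not the authors' tooling: the query name is the IP's octets reversed under the blacklist zone, and an answer inside 127.0.0.0/8 means “listed”. The sample IP addresses and the offline `fake_resolve` answers are constructed; `live_resolve` uses the system resolver, and the zone names are the public DNSBL zones listed on the slide.

```python
"""Check IP addresses against DNS-based blacklists and tabulate the share
listed per zone (added example; sample data constructed)."""
import socket


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed dotted quad under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name):
    """Resolve via the system resolver; None means NXDOMAIN or no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=live_resolve):
    """Listed if the answer is in 127.0.0.0/8, except 127.255.255.0/24, which
    Spamhaus uses to signal a rejected query (e.g. via an open resolver)."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None or not answer.startswith("127."):
        return False
    return not answer.startswith("127.255.255.")


def listing_rates(ips, zones, resolve=live_resolve):
    """Percentage of unique IPs listed in each zone, as in the slide's table."""
    unique = sorted(set(ips))
    rates = {}
    for zone in zones:
        hits = sum(1 for ip in unique if is_listed(ip, zone, resolve))
        rates[zone] = round(100.0 * hits / len(unique), 2) if unique else 0.0
    return rates


# Constructed sample: documentation-range addresses, one reported twice.
SAMPLE_IPS = ["192.0.2.10", "192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.9"]

# Constructed resolver standing in for the network, so the example runs offline.
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "7.100.51.198.zen.spamhaus.org": "127.0.0.4",
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",
    "9.113.0.203.bl.spamcop.net": "127.255.255.254",  # rejected query, not a listing
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    print(listing_rates(SAMPLE_IPS, ["zen.spamhaus.org", "bl.spamcop.net"], fake_resolve))
```

Two points matter when reproducing a table like the slide's: count unique IPs rather than domains (the slide reports 275 unique IPs for 842 domains, so several sites share hosts), and distinguish a blacklist's error codes from real listings, otherwise a rate-limited or open-resolver query inflates the percentage.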

Page 12

Economic incentives of fraudsters, Part 1: Facilities + web hosting costs

• Hardware/connection
  ▪ EeePC (900X): 28,000 yen
  ▪ Yahoo! BB (ADSL 8M): 3,904 yen/month
• Rental servers: Maido3.com (Starter Pack)
  ▪ Domain registration fee: free
  ▪ Server setup fee: 3,675 yen
  ▪ Payment: 7,350 yen/month

Running a website for a year ≤ 166,873 yen

Page 13

Economic incentives of fraudsters, Part 2: Cost of bank accounts/books/legal stamps

• Illegally purchased (includes legal stamp): 30,000–50,000 yen
• Mail-order banks and internet banks are easier to create due to the lack of physical interaction
• Forged bank account names can be easily made since only the phonetic reading is required when wiring money

Fraudulent bank account for a year ≤ 50,000 yen

Example: 白井市蜜粉 (“Shirai City Mitsuko”) was submitted at application as the name of the ‘PTA Baking Club of Shirai City’. The katakana (カタカナ) of the account name is shown only as シライシミツコ (“Shi-Ra-I-Shi-Mi-Tsu-Ko”), which can easily be misconceived as a woman’s name, 白石光子 (“Shiraishi Mitsuko”). A forged signed paper is sufficient.

Page 14

Economic incentives of fraudsters, Part 3: Cost of cellphones/landline telephones

• Cellphones can be illegally purchased: approx. 35,000 yen
• Non-traceable if payment (7,685 yen/month) is made at convenience stores or prepaid instead of by bank draft
• Telephone numbers such as the popular “Tokyo 03” can easily be transferred to other numbers to evade traceability: 840 yen/month (e.g. Symphonet Services Co.)

Untraceable phone for a year ≤ 137,300 yen

Page 15

Economic incentives of miscreants, Part 4: Average cost/benefit analysis

Assuming, on average, 3.7 websites, 5.2 bank accounts, and 1.3 phone lines (based on our analysis), an average fraudster breaks even as soon as approx. 4 users per site operated (about 16 people total) fall for the fraud within a year.

… obviously some people make a lot more money (and a large number probably make a lot less as well).

Page 16

Economic incentives of fraudsters, Part 5: Worst-case scenario

Analysis from police reports: people who got caught, the really reckless guys.

• Income: 9,094,089 yen / case / year (2.6 billion yen / 2,859 cases = 9,094,089 yen/case)
• 4.4 frauds/organization on average (2,859 cases / 657 persons = 4.351 cases/person); very close to our findings (3.6 websites operated by each organization/person on average)
• Organization’s income: (9,094,089 × 4.4) – 616,517 = 39,397,475 yen (about $400K!)

Important caveat: includes One Click Fraud and related confidence scams (e.g., Ore Ore). Very strong assumption (hinted by police): all scams are roughly in the same ballpark.

Page 17

Economic validation: actual arrests

Date | Prefecture | Criminal organization | Monetary damages (total, yen) | Victims (total) | References
2004/2–2005/04/13 | Osaka | Nakanishi + 5 others | 600 million | 10,000+ | http://blog.hitachi-net.jp/archives/18867382.html
2004/8–2005/11/08 | Iwate | Mori + 4 others | 28 million | 450+ | http://www.yomiuri.co.jp/net/news/20051108nt03.htm
2005/8–2007/03/04 | Saitama | Matsushita | 50 million | 700+ | http://blog.kogumaneko.tk/log/eid591.html
2006/7–2007/11/28 | Chiba | Ochiai + 6 others | 300 million | 3,400+ | http://www.yomiuri.co.jp/net/security/s-news/20071128nt0c.htm
2007/7–2008/8/16 | Yamaguchi | Nagaoka + 5 others (2 groups) | 240 million | 3,500+ | http://blog.kogumaneko.tk/log/eid1005.html

Police arrest reports disclosed to the media show criminals can earn extremely large amounts of money in roughly 1–2 years.

Page 18

Legal remedies, or lack thereof

• Hard to prosecute
  ▪ Victims must file a complaint but rarely do so (embarrassment factor)
  ▪ Hard to show a crime: “glorified panhandling”
• Low penalty
  ▪ Fraudsters can be sentenced to up to 10 years, but generally get less than 5 years
• Relatively hard to identify
  ▪ DNS servers are overseas; difficult to obtain actual registrant information
  ▪ Telephone numbers use transferring services
  ▪ Barring possession of an arrest warrant, police cannot obtain contact and network information

Case | Arrest | Sentence | Fine (yen)
Osaka | 4/2005 | 2.5 yrs | 2,000,000
Kyoto | 7/2005 | 2.5 yrs | 300,000
Nara | 7/2005 | 2 yrs | 1,000,000
Lawyer Sakurai | 1/2006 | 0 yrs | 300,000

Page 19

Conclusion

• What makes One Click Fraud appealing?
  ▪ Miscreants can readily exploit infrastructure vulnerabilities: forwarding services, registrars turning a blind eye
  ▪ Economically beneficial: low investment and high income
  ▪ Legal penalties are extremely low and not effective at curbing these crimes
• Who is committing these crimes?
  ▪ A few miscreants seem to control a majority of the fraudulent sites
  ▪ Relatively low technological sophistication, although usage of (fairly simple) malware was observed
  ▪ Not much evidence of connections to other types of fraud, but this deserves to be more fully investigated

Page 20

Possible ways forward

One Click Fraud must be primarily addressed by non-technological means: the economic balance is tipping far too much in favor of fraudsters.

• Policy
  ▪ DNS blacklist or pressure on DNS resellers (ICANN)
  ▪ Strengthen control over exploitable banks, cellphone contracts, etc.
• Law
  ▪ Increase legal actions for traceability of phone numbers
  ▪ Impose higher legal penalties? Prison, but more importantly fines, will increase expected attacker costs
• Technology
  ▪ Increase IT literacy to avoid people panicking when faced with such threats
  ▪ Decrease the pool of potential victims

Similarities with scareware?

Page 21

Thank you!

Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, Proc. ACM CCS 2010, Chicago, IL, Oct. 4–8, 2010
http://www.andrew.cmu.edu/user/nicolasc/papers.html
Email: [email protected]

Pages 22–23

[Figure: Syndicate’s Registration Fee (Top 10). x-axis: Amount of Money (Yen), ticks 5,000; 35,000; 40,000; 45,000; 50,000; 55,000; 60,000; 80,000; 90,000; 100,000. y-axis: Website Count, 0 to 300. Bar labels as extracted, in order: 54, 46, 109, 98, 283, 66, 47, 92, 119, 142.]

Economic incentives of miscreants, Part 4: Income per “customer”

• Registration fees are primarily between 45,000 and 50,000 yen (USD $500)
• Matches the average Japanese businessman’s monthly allowance* (45,600 yen)!

*In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.

Fraud amount (top 10 most common)