
Dissecting One Click Frauds

Nicolas Christin, CMU INI/CyLab; Sally S. Yanagihara, CMU INI/CyLab Japan; Keisuke Kamataki, CMU CS/LTI. Dissecting One Click Frauds. TRUST Autumn 2010 Conference – November 2010, Stanford, CA. What is “One Click Fraud”? Pervasive online fraud found in Japan since 2004.


Presentation Transcript


  1. Dissecting One Click Frauds
     Nicolas Christin, CMU INI/CyLab; Sally S. Yanagihara, CMU INI/CyLab Japan; Keisuke Kamataki, CMU CS/LTI
     TRUST Autumn 2010 Conference – November 2010, Stanford, CA

  2. What is “One Click Fraud”?
     • Pervasive online fraud found in Japan since 2004
       • “as seen on TV!”
     • Japanese cousin of scareware scams
     • Victim clicks on an (innocuous) HTML link
       • email, website, or SMS variants
     • … only to be told they entered a binding contract…
     • … and are required to pay a nominal fee or “legal action” will be taken
     Source: One Click Contracts/Frauds, Wikipedia, http://ja.wikipedia.org/wiki/ワンクリック詐欺

  3. Why do victims pay?
     • Fear of embarrassment, divorce, public shame, loss of job…
     • Show IP address and a notice that “contact information has been recorded”
     • Show victim sample of the billing statement that will be sent to the home (postcard with pornographic picture)
     Source: One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html

  4. Research questions
     • What makes One Click Fraud easy to perpetrate?
       • What vulnerabilities do we have in our infrastructure?
       • How are criminals exploiting those vulnerabilities?
     • Who is committing these crimes?
       • “Random crooks”, or…
       • … is there evidence of any organized criminal activity?
       • Do they operate in groups?
       • Can they be linked to other forms of online crime?
     • How should we address this problem?
       • Technological vs. economical vs. legal remedies

  5. Collecting instances of One Click Frauds
     • Source of data: “vigilante” websites posting information about frauds
     • 2 Channel (2ちゃんねる 掲示板) http://society6.2ch.net/test/read.cgi/police/1215642976
       • Japan’s largest BBS
       • We focus on the ‘One Click Fraud’ posts
       • Potential difficulty: posts are written in natural language with lots of noise, potentially hard to parse automatically
     • Koguma-neko Teikoku (こぐまねこ帝国) http://kogumaneko.tk/
       • Consumer-oriented website (helpdesks, information, …)
       • Structured reports, parsing easy
     • Wan-CliZukan (ワンクリ図鑑) http://1zukan.269g.net/
       • Vigilante blog dedicated to exposing One Click Frauds
       • Structured reports, parsing easy
     • Collected 2,140 incident reports, dated March 6, 2006 to October 26, 2009
     • No evidence of slander

  6. Data collection methodology
     • Extract the following attributes from the reports and store them in a MySQL database
       • URL
       • Bank account number
       • Bank account name*
       • Bank branch name
       • Bank name
       • Phone number
       • DNS information
       • Registrar info (WHOIS)
       • DNS-reverse DNS lookup
       • “Required” fee
     • Many incomplete/ambiguous records, frequent overlap between different incidents
     [Figure: 2ch example; legend: genuine attributes*]
     *Bank account owner’s name can be falsified, but the account is genuine (not false)

  7. Infrastructure vulnerabilities
     [Figure labels: Bank Accounts; Phone Numbers; DNS Registrars and Resellers]
     1. Look for patterns across frauds in:
     • Cellphones, Telephones
       • Some cellphone providers may have more lax contracting restrictions
       • Tokyo “03-**” number probably due to phone number transfer services
     • Bank accounts
       • No “smoking gun”
       • Internet banks are seemingly easier to abuse
     • DNS Registrars and Resellers
       • Biased toward specific resellers
       • Some resellers have lax policies

  8. Correlation analysis
     2. Draw correlations to link several frauds to the same perpetrators
     [Figure labels: Website 1; Website 2; Bank accounts used; Phone numbers used; DNS information (registrars, name servers); callout: “Common bank account!”]

  9. Linking different frauds to same groups
     [Figure labels: URL; Account #; Phone number]

  10. Organized criminal groups
     • Identified (at most) 105 organized criminal groups
     • On average, each group
       • maintains 3.7 websites
       • 5.2 bank accounts
       • 1.3 phone numbers
     • A few “syndicates” seem responsible for most of the frauds
     • Seems to follow Zipf’s law (high concentration, long tail)
     [Figure labels: Basic clustering; + WHOIS info; 50% of all scams; 8 groups]

  11. Specialized crime?
     • Checked multiple DNS blacklists for a subset of our results
       • 842 domains tested
       • 275 unique IP addresses
     • No significant evidence of spamming, except for “parked” domains; this seems to substantiate the “lenient reseller” hypothesis

  12. Economic incentives of fraudsters, Part 1: Facilities + Webhosting costs
     • Hardware/connection
       • EeePC (900X): 28,000 yen
       • Yahoo!BB (ADSL 8M): 3,904 yen/month
     • Rental Servers
       • Maido3.com (Starter Pack)
       • Domain registration fee: FREE
       • Server setup fee: 3,675 yen
       • Payment/month: 7,350 yen/month
     • Running website for a year ≤ 166,873 yen

  13. Economic incentives of fraudsters, Part 2: Cost of Bank Account/Books/Legal Stamps
     • Illegally purchased (includes legal stamp): 30,000-50,000 yen
     • Mail order banks and internet banks are easier to create due to lack of physical interaction
     • Forged bank account names can be easily made since only the phonetic reading is required when wiring money
       • Example: 白井市蜜粉 (“Shirai City Mitsuko”), submitted at application as the name for ‘PTA Baking Club of Shirai City’
       • The katakana (カタカナ) of the account name is shown only as シライシミツコ, “Shi-Ra-I-Shi-Mi-Tsu-Ko”
       • “Shi-Ra-I-Shi-Mi-Tsu-Ko” can easily be mistaken for a woman’s name, “Shiraishi Mitsuko” (白石光子)
       • Forged signed paper is sufficient
     • Fraudulent bank account for a year ≤ 50,000 yen

  14. Economic incentives of fraudsters, Part 3: Cost of Cellphones/Landline Telephones
     • Cellphones can be illegally purchased: approx. 35,000 yen
     • Non-traceable if payment (7,685 yen/month) is done at convenience stores or prepaid instead of bank drafts
     • Telephones such as the popular “Tokyo 03” can be easily transferred to other numbers to evade traceability: 840 yen/month (e.g. Symphonet Services Co.)
     • Untraceable phone for a year ≤ 137,300 yen

  15. Economic incentives of miscreants, Part 4: Average cost/benefit analysis
     • Assuming, on average, 3.7 websites, 5.2 bank accounts, and 1.3 phone lines (based on our analysis), an average fraudster breaks even as soon as approx. 4 users/site operated (about 16 people total) fall for the fraud within a year
     • … obviously some people make a lot more money
     • (And a large number probably make a lot less as well)

  16. Economic incentives of fraudsters, Part 5: Worst-case scenario
     • Analysis from police reports
       • People who got caught, the really reckless guys
     • Income: 9,094,089 yen / case / year
       • **2.6bil yen / 2,859 cases = 9,094,089 yen/case
     • 4.4 frauds/organization on average
       • **2,859 cases / 657 persons = 4.351 cases/person
       • Very close to our findings (3.6 websites operated by each organization/person on average)
     • Organization’s income: 39,397,475 yen
       • (9,094,089 * 4.4) – 616,517 = 39,397,475 yen (about $400K!)
     Important caveat: includes One Click Fraud and related confidence scams (e.g., Ore Ore). Very strong assumption (hinted by police): all scams are roughly in the same ballpark

  17. Economic validation: actual arrests
     • Police arrest reports disclosed to media show criminals can earn extremely large amounts of money in roughly 1-2 years

  18. Legal remedies or lack thereof
     • Hard to prosecute
       • Victims must file a complaint but rarely do so (embarrassment factor)
       • Hard to show a crime: “Glorified panhandling”
     • Low penalty
       • Fraudsters can be sentenced up to 10 years but generally less than 5 years
     • Relatively hard to identify
       • DNS servers are overseas, difficult to obtain actual registrant information
       • Telephone numbers use transferring service
       • Barring possession of an arrest warrant, police cannot obtain contact and network information

  19. Conclusion
     • What makes One Click Fraud appealing?
       • Miscreants can readily exploit infrastructure vulnerabilities
         • Forwarding services
         • Registrars turning a blind eye
       • Economically beneficial since low investment and high income
       • Legal penalties are extremely low and not effective to curb crimes
     • Who is committing these crimes?
       • A few miscreants seem to control a majority of the fraudulent sites
       • Relatively low technological sophistication, although usage of (fairly simple) malware observed
       • Not much evidence of connections to other types of frauds, but deserves to be more fully investigated

  20. Possible ways forward
     • One Click Fraud must be primarily addressed by non-technological means
       • Economic balance tipping far too much in favor of fraudsters
     • Policy
       • DNS Blacklist or pressure DNS resellers (ICANN)
       • Strengthen control over exploitable banks, cellphone contracts, etc.
     • Law
       • Increase legal actions for traceability of phone numbers
       • Impose higher legal penalties?
       • Prison, but more importantly fines will increase expected attacker costs
     • Technology
       • Increase IT literacy to avoid people panicking when faced with such threats
       • Decrease the pool of potential victims
       • Similarities with scareware?

  21. Thank you!
     Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, Proc. ACM CCS 2010, Chicago, IL, Oct. 4-8 2010
     http://www.andrew.cmu.edu/user/nicolasc/papers.html
     Email: nicolasc@cmu.edu

  22. Economic incentives of miscreants, Part 4: Income per “customer”
     • Registration fees are primarily between 45,000 and 50,000 yen (USD $500)
     • Matches average Japanese businessmen monthly allowance* (45,600 yen)!
     [Figure: Fraud amount (top 10 most common)]
     *In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.
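
The correlation step on slides 8 to 10 (linking fraud sites that share a bank account, phone number or WHOIS information into groups) can be sketched as connected components over incident reports. This is an added example, not the authors' code: the records are constructed, and the field names and the choice of a registrant-level `whois` value are assumptions.

```python
from collections import defaultdict

# Constructed incident reports (not data from the study). Fields follow slide 6;
# "whois" is an assumed registrant-level value. None = attribute missing in report.
REPORTS = [
    {"url": "site-a.example", "account": "1111111", "phone": "03-0000-0001", "whois": None},
    {"url": "site-b.example", "account": "1111111", "phone": None, "whois": "reg-x"},
    {"url": "site-c.example", "account": "2222222", "phone": "0300000001", "whois": None},
    {"url": "site-d.example", "account": "3333333", "phone": "090-0000-0002", "whois": "reg-y"},
    {"url": "site-e.example", "account": None, "phone": None, "whois": "REG-Y"},
    {"url": "site-f.example", "account": None, "phone": None, "whois": None},
]
KEYS = ("account", "phone", "whois")

def normalise(key, value):
    """Return a comparable (key, value) pair, or None if the attribute is missing."""
    if not value:
        return None
    if key in ("account", "phone"):           # drop hyphens/spaces so formats match
        value = "".join(ch for ch in value if ch.isdigit())
    return (key, value.lower())

def cluster(reports):
    """Group reports that share any attribute value (union-find components)."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]     # path halving
            i = parent[i]
        return i

    first_seen = {}                            # attribute -> index of first report using it
    for i, rep in enumerate(reports):
        for key in KEYS:
            attr = normalise(key, rep.get(key))
            if attr is None:
                continue                       # missing data must never link two reports
            if attr in first_seen:
                parent[find(i)] = find(first_seen[attr])
            else:
                first_seen[attr] = i
    groups = defaultdict(list)
    for i, rep in enumerate(reports):
        groups[find(i)].append(rep["url"])
    return sorted(sorted(g) for g in groups.values())

def sites_per_group(groups):
    """Average number of websites per group (the per-group figure on slide 10)."""
    return sum(len(g) for g in groups) / len(groups)
```

Sites a, b and c end up in one group even though a and c share no bank account: b links to a by account, and c links to a by a phone number written in a different format.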
