
Dissecting One Click Frauds


Presentation Transcript


  1. Dissecting One Click Frauds
     Nicolas Christin, CMU INI/CyLab; Sally S. Yanagihara, CMU INI/CyLab; Keisuke Kamataki, CMU CS/LTI

  2. What is “One Click Fraud”?
     - Pervasive online fraud found in Japan since 2004
     - Victim clicks on an (innocuous) HTML link (email, website, or SMS variants)
     - … only to be told they entered a binding contract…
     - … and are required to pay a nominal fee or “legal actions” would be taken
     - One Click Contracts/Frauds, Wikipedia: http://ja.wikipedia.org/wiki/ワンクリック詐欺
  3. Why do victims pay?
     - Fear of loss of reputation!
     - Show the IP address and a notice that “contact information has been recorded”
     - Show the victim a sample of the billing statement that will be sent to the home (postcard with pornographic picture)
     - One Click Frauds, http://support.zaq.ne.jp/security/oneclick5.html
  4. Problem importance
     - Quite large monetary impact: roughly 2.6 billion yen (~30 million US dollars) annually since 2004*
     - Victims’ private information and payment details are leaked within the underground community, which exposes victims to more frauds**
     - Actual market size, damages, and number of victims are unknown due to the embarrassment factor
     - Only 2,859 cases (657 arrests) are solved each year
     *Japan Police Force Annual Report 2004-2009
     **http://journal.mycom.co.jp/articles/2009/04/24/adultsite1/index.html
  5. A persisting plague
     - Incidents filed with police show a rise since emergence in 2004
     - IPA Helpdesk shows a record high for “One Click Fraud”
     - Although shown effective in 2007, police efforts and mandated laws are not applicable measures for fraud prevention today
     - Japan Police Force Annual Report 2004-2009
  6. Research questions
     - What makes One Click Fraud easy to perpetrate?
       - What vulnerabilities do we have in our infrastructure?
       - How are criminals exploiting those vulnerabilities?
     - Who is committing these crimes? “Random crooks”, or…
       - … is there evidence of any organized criminal activity? Do they operate in groups?
       - Can they be linked to other forms of online crime?
     - How should we address this problem? Technological vs. economical vs. legal remedies
  7. Collecting instances of One Click Frauds
     - Source of data: “vigilante” websites posting information about frauds
     - 2 Channel (2ちゃんねる 掲示板), http://society6.2ch.net/test/read.cgi/police/1215642976
       - Japan’s largest BBS, provides information on multiple topics; we focus on the ‘One Click Fraud’ posts
       - Potential difficulty: posts made using natural language, lots of noise, potentially hard to parse automatically
     - Koguma-neko Teikoku (こぐまねこ帝国), http://kogumaneko.tk/
       - Privately owned website providing consumer information and Internet-related helpdesks
       - Structured reports, parsing easy
     - Wan-CliZukan (ワンクリ図鑑), http://zukan.269g.net/
       - Privately owned website posting specifically One Click Fraud websites
       - Structured reports, parsing easy
  8. Data collection methodology
     - Extract the following attributes from each report and store them in a MySQL database: URL, bank account ID, bank account name*, bank branch name, bank name, phone number, DNS information, registrar info (double DNS / reverse-DNS lookup), required amount
     - Unforgeable attributes* [2ch example]
     - *The bank account owner’s name can be falsified, but the account itself is genuine (not false)
  9. Two-dimensional analysis
     1. Look for patterns across frauds in: fraud amount, bank accounts used, phone numbers used, DNS information (registrars, name servers)
  10. Two-dimensional analysis
     2. Draw correlations across the same dimensions (fraud amount, bank accounts used, phone numbers used, DNS information) to link several frauds to the same perpetrators: e.g. Website 1 and Website 2 use a common bank account!
  11. Fraud amount
     - Registration fees are primarily at 50,000 yen (USD $500)
     - Matches the average Japanese businessman’s monthly allowance* (45,600 yen)!
     - Fraud amount (top 10 most common)
     - *In Japan, usually the wife does the household accounting and provides the husband with an allowance to cover food, etc.
  12. Phone numbers used
     - Fraudsters’ phone numbers
     - “au (by KDDI)” may have lax restrictions for new contracts
     - Tokyo ’03-***’ numbers may be numbers using transfer services
  13. Bank accounts used
     - No “smoking gun” here
     - Internet banks make it easier to create bank accounts since there is no physical interaction; more prone to abuse
     - Bank accounts used in frauds
  14. DNS registrars
     - Fraudulent websites’ registrars
     - Evidence of a bias: is this due to lack of enforcement? Questionable subcontracting? (Resellers)
  15. DNS resellers/web hosting services
     - Fraudsters’ choice of DNS reseller can be determined by grouping name servers; resellers very often also offer web hosting services
     - Maido3.com is a reseller of Tucows Inc; Value-Domain.com is a reseller of Enom Inc; DreamHost.com is a reseller/branch of New Dream Network LLC
  16. Intermediate summary (1. Look for patterns across frauds in: registration fee, bank accounts, phone numbers, DNS registrar)
     - Fraud amount: grouped at 50,000 yen; not affected by time or by Japanese economic conditions
     - Cellphones, telephones: “au (KDDI)” brand cellphones may have lax contracting restrictions; Tokyo “03-**” numbers probably due to phone number transfer services
     - Bank accounts: no “smoking gun”; fraud accounts are easier to create at Internet banks, possibly due to no physical interaction
     - DNS registrars and web hosting services: biased to specific DNS vendors; DNS vendor resellers can be found by registered name server
  17. Linking different frauds to the same groups (URL, account ID, phone number)
  18. Organized criminal groups
     - Identified (at most) 105 organized criminal groups
     - On average, each group maintains 4.65 websites, 6.65 bank accounts, 2.01 phone numbers
     - A few “syndicates” seem responsible for most of the frauds
     - Number of maintained sites by group
  19. “Trojan.HachiLem” malware
     - A family of scams actually contains some malware (in the form of a downloadable “video”)
     - Trojan in .exe format; collects email addresses in Outlook Express and Becky!; sends information back to the “hachimitsu-lemon.com” server (has been taken down for a while)
     - Information used to blackmail victims, notifying them they “owe” registration fees
     - Recently seen on Oct 26th, 2009; “relatively” harmless
     - Hypothesis: same criminal organization? Correlated by identical “Technical Contact Phone Number” in WHOIS information (+81-6-6241-6585)
  20. Do they also spam?
     - Checked multiple DNS blacklists for a subset of our results: 380 domains tested, 247 still resolved, 134 unique IP addresses
     - Other DBs tested: spamcop, njabl, manitu, … (0 hits)
     - Some spamming but not pervasive; mostly coming from parked domains
     - Spam is in Japanese and is not well reported to these DB operators?
  21. Economic incentives of fraudsters, Part 1: Equipment costs
     - Facilities: EeePC (900X): 28,000 yen; Yahoo!BB (ADSL 8M): 3,379 yen/month
     - Rental servers: Maido3.com (Starter Pack); domain registration fee: FREE; server setup fee: 3,675 yen; advance payment (3 months): 7,350 * 3 = 22,050 yen
     - DNS registration: OpenDNS registration fee: FREE
     - Subtotal: 160,423 yen
  22. Economic incentives of fraudsters, Part 2: Cost of bank account/books/legal stamps
     - Illegally purchased (includes legal stamp): 30,000-50,000 yen
     - Accounts at mail order banks and Internet banks are easier to create due to lack of physical interaction
     - Forged bank account names can be easily made since only the katakana reading is required when wiring money
     - Subtotal: 40,000 yen
     - Example: 白井市蜜粉 (“Shirai City Mitsuko”), submitted at application as the name for the ‘PTA Baking Club of Shirai City’; the katakana (カタカナ) of the account name is shown only as シライシミツコ, “Shi-Ra-I-Shi-Mi-Tsu-Ko”, which can easily be mistaken for a woman’s name, 白石光子 “Shiraishi Mitsuko”; a forged signed paper is sufficient
  23. Economic incentives of fraudsters, Part 3: Cost of cellphones/landline telephones
     - Cellphones can be illegally purchased: approx. 35,000 yen
     - Non-traceable if payment (7,685 yen/month) is done at convenience stores or prepaid instead of by bank draft
     - Telephones such as the popular “Tokyo 03” can be easily transferred to other numbers to evade traceability: 840 yen/month (e.g. Symphonet Services Co.)
     - Subtotal: 137,300 yen/year
  24. Economic incentives of fraudsters, Part 4: Average cost/benefit analysis
     - Initial investments: 616,517 yen on average (based on our measurements)
       - Initial facilities: 160,423 yen
       - *Bank accounts: 40,000 yen x 5.97 = 238,800 yen
       - *Cellphones/telephones: 137,300 yen x 1.58 = 216,934 yen
     - Income: 9,094,089 yen / case / year (**2.6 bil yen / 2,859 cases = 9,094,089 yen/case)
     - 4.4 frauds/organization on average (**2,859 cases / 657 persons = 4.351 cases/person); very close to our findings (3.6 websites operated by each organization/person on average)
     - Organization’s income: 39,397,475 yen ((9,094,089 * 4.4) – 616,517 = 39,397,475 yen, about $400K!)
     - Note: somewhat pessimistic estimate; only takes into account frauds that were discovered, not all frauds. Actual number likely to be lower… yet very significant!
     *average numbers obtained from network analysis results
     **average from police reports of 2004-2008
  25. Economic validation: actual arrests
     - Police arrest reports disclosed to the media show criminals can earn extremely large amounts of money in roughly 1-2 years
  26. Legal remedies or lack thereof
     - Hard to prosecute: the victim must make a complaint but rarely does so (embarrassment factor)
     - Low penalty: fraudsters can be sentenced to up to 10 years but generally get less than 5 years
     - Repeat offenders! Syndicates do it for the thrill, so even after they finish their sentence they have a high repeat rate; the once-popular ‘Ore-Ore’ syndicates have finished their 3-4 year sentences in 2009, so a large increase in the same fraud has already been observed by police
     - Relatively hard to identify: DNS servers are overseas, so it is difficult to obtain actual registrant information; telephone numbers use transferring services; barring possession of an arrest warrant, police cannot obtain contact and network information
  27. Conclusion
     - What makes One Click Fraud appealing?
       - Fraudsters can readily exploit infrastructure vulnerabilities: lax cellphone registration practices, forwarding services, registrars turning a blind eye
       - Economically beneficial since low investment and high income
       - Legal penalties are extremely low and not effective to curb crimes
     - Who is committing these crimes?
       - Repeat offenders (potential criminal organizations?) control a vast majority of the fraudulent sites
       - Relatively low technological sophistication, although usage of (relatively simple) malware observed
       - Not much evidence of connections to other types of frauds (except for spam), but deserves to be more fully investigated
  28. Possible ways forward
     - One Click Fraud must be primarily addressed by non-technological means; the economic balance is far too much in favor of fraudsters
     - Policy: stop registration by use of a DNS blacklist or pressure DNS resellers; strengthen control over exploitable banks, cellphone contracts, etc.
     - Law: increase legal actions for traceability of phone numbers; impose higher legal penalties (prison, but more importantly fines, will increase expected attacker costs)
     - Technology: increase IT literacy to avoid people panicking when faced with such threats
  29. Thank you!
     Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki, “Dissecting One Click Frauds”, CyLab Technical Report CMU-CyLab-10-011. http://www.andrew.cmu.edu/user/nicolasc/papers.html
  30. Registration fee vs. time
     - Registration fees concentrate at 50,000 yen
     - Time and Japanese economic conditions do not seem to affect price
  31. Malware: HTA module
     - .hta format tool that persistently shows a “Please Pay Registration Fee” window, even if ‘x’ is clicked and after the PC is rebooted
     - Does not collect data
     - Cause of a sudden increase of calls to police and the IPA Help Desk in May 2009
     - First seen on April 7th, 2009; recently seen on Oct 12th, 2009
     - Many anti-virus applications prevent .hta module downloads from July 2009
     - Groups could not be distinguished by the collected attributes; other analysis such as .hta module code comparison is required
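The two-dimensional analysis of slides 9-10 and the group linking of slides 17-18 amount to a connected-components computation over reports that share an unforgeable attribute. The Python below is an added example, not the authors' code or data: it merges constructed, fictitious reports with a union-find structure keyed on bank account ID and phone number (name servers are an opt-in third key, since one reseller's name server is shared by many unrelated customers), then computes the per-group website/account/phone counts and averages of the kind slide 18 reports, and the amount histogram of slides 11 and 30. Field names and every value in the sample reports are assumptions made for this example.

```python
"""Link One Click Fraud reports into groups via shared unforgeable attributes.

Added example, not the authors' code or data. Reports sharing a bank account
ID or phone number are merged with a union-find structure (connected
components); name servers can be added as a third link key. Per-group
statistics mirror slide 18. All reports below are constructed and fictitious.
"""
from collections import Counter, defaultdict

# Constructed sample reports (fictitious URLs, account IDs, phones, name servers).
# Field names are an assumption; slide 8 lists the attributes they stand for.
REPORTS = [
    {"url": "http://site-a.example/", "account": "1234567", "phone": "090-0000-0001",
     "ns": "ns1.reseller-a.example", "amount": 50000},
    {"url": "http://site-b.example/", "account": "1234567", "phone": "090-0000-0002",
     "ns": "ns1.reseller-a.example", "amount": 50000},
    {"url": "http://site-c.example/", "account": "7654321", "phone": "090-0000-0002",
     "ns": "ns1.reseller-b.example", "amount": 48000},
    {"url": "http://site-d.example/", "account": "1111111", "phone": "03-0000-0003",
     "ns": "ns1.reseller-c.example", "amount": 50000},
    {"url": "http://site-e.example/", "account": "2222222", "phone": "03-0000-0004",
     "ns": "ns1.reseller-c.example", "amount": 30000},
]

# Default link keys: the attributes slide 8 calls unforgeable. A name server is
# weaker evidence (one reseller serves many unrelated customers), so it is opt-in.
LINK_KEYS = ("account", "phone")


class UnionFind:
    """Disjoint-set forest with path halving."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_reports(reports, link_keys=LINK_KEYS):
    """Group report indices that are transitively connected by a shared
    attribute value; largest groups first."""
    uf = UnionFind(len(reports))
    first_seen = {}  # (attribute, value) -> index of first report carrying it
    for i, report in enumerate(reports):
        for key in link_keys:
            value = report.get(key)
            if not value:
                continue
            token = (key, value)
            if token in first_seen:
                uf.union(first_seen[token], i)
            else:
                first_seen[token] = i
    groups = defaultdict(list)
    for i in range(len(reports)):
        groups[uf.find(i)].append(i)
    return sorted(groups.values(), key=lambda g: (-len(g), g))


def group_stats(reports, groups):
    """Distinct websites/accounts/phones per group and the slide-18 style averages."""
    per_group = []
    for group in groups:
        members = [reports[i] for i in group]
        per_group.append({
            "websites": len({m["url"] for m in members}),
            "accounts": len({m["account"] for m in members}),
            "phones": len({m["phone"] for m in members}),
        })
    averages = {k: sum(p[k] for p in per_group) / len(per_group)
                for k in ("websites", "accounts", "phones")}
    return per_group, averages


def amount_distribution(reports):
    """Most common demanded amounts (slides 11 and 30), highest count first."""
    return Counter(r["amount"] for r in reports).most_common()


if __name__ == "__main__":
    groups = link_reports(REPORTS)
    per_group, averages = group_stats(REPORTS, groups)
    for group, stats in zip(groups, per_group):
        print([REPORTS[i]["url"] for i in group], stats)
    print("averages:", averages)
    print("amounts:", amount_distribution(REPORTS))
```

With the default keys the sample yields one three-site group (site-a and site-b share an account, site-b and site-c share a phone) and two singletons; adding "ns" to the link keys also merges site-d and site-e, which only share a reseller's name server. That difference is the reason to keep name servers out of the default: a shared name server inflates group size without evidence that the same people are behind the sites.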
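The blacklist check of slide 20 (resolve each fraud domain, deduplicate the IP addresses, query DNS blacklists) can be scripted as below. This is an added example, not the authors' code: a DNSBL is queried by reversing the IPv4 octets under the list's zone, and a listed address answers with an A record in 127.0.0.0/8 (RFC 5782). The resolver is injected as a callable so the pipeline runs offline against a constructed answer table; `bl.spamcop.net` is a real zone, while `dnsbl.example.test` and all domains and addresses are placeholders constructed for the example.

```python
"""Check the IPs behind fraud domains against DNS blacklists (slide 20).

Added example, not the authors' code. A DNSBL lookup reverses the IPv4
octets under the list's zone; a listed address answers with an A record in
127.0.0.0/8 (RFC 5782), an unlisted one gets no answer. The resolver is a
callable so the pipeline runs offline against the constructed table below.
"""
import ipaddress
import socket

# bl.spamcop.net is a real list; dnsbl.example.test is a placeholder zone.
DNSBL_ZONES = ("bl.spamcop.net", "dnsbl.example.test")
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """'203.0.113.10' + 'bl.spamcop.net' -> '10.113.0.203.bl.spamcop.net'."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name):
    """Resolve with the OS resolver; NXDOMAIN or any failure -> no records."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


# Constructed stand-in for DNS: name -> A records. Domains and addresses are
# fictitious (documentation ranges); the last entry simulates a listing.
FAKE_DNS = {
    "fraud-a.example": ["203.0.113.10"],
    "fraud-b.example": ["203.0.113.10"],   # shares hosting with fraud-a
    "fraud-c.example": ["198.51.100.7"],
    "fraud-d.example": [],                 # no longer resolves
    "10.113.0.203.bl.spamcop.net": ["127.0.0.2"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


def check_domains(domains, resolve=fake_resolve, zones=DNSBL_ZONES):
    """Resolve domains, deduplicate IPs, query each zone; return the counts
    slide 20 reports plus the listed IPs with their answer codes."""
    resolved = {}
    for domain in domains:
        ips = resolve(domain)
        if ips:
            resolved[domain] = ips
    unique_ips = sorted({ip for ips in resolved.values() for ip in ips})
    hits = {}
    for ip in unique_ips:
        for zone in zones:
            answers = resolve(dnsbl_query_name(ip, zone))
            # Only 127.0.0.0/8 answers mean "listed"; anything else is noise
            # (e.g. a wildcard from a parked or expired blacklist zone).
            codes = [a for a in answers
                     if ipaddress.IPv4Address(a) in LISTED_NET]
            if codes:
                hits.setdefault(ip, {})[zone] = codes
    return {
        "tested": len(domains),
        "resolved": len(resolved),
        "unique_ips": len(unique_ips),
        "hits": hits,
    }


if __name__ == "__main__":
    sample = sorted(d for d in FAKE_DNS if d.startswith("fraud-"))
    print(check_domains(sample))  # offline run against the constructed table
```

To run it for real, pass `resolve=system_resolve`. Zero hits, as on slide 20, means the addresses are not listed, not that no spam was sent: Japanese-language spam may simply go unreported to these operators, which is the question the slide itself raises.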