Dissecting One Click Frauds - Andrew.cmu.edu

5 downloads 0 Views 2MB Size Report
Feb 3, 2007 - Nicolas Christin. Carnegie Mellon ... expected monetary gains in return for very little risk. The quantita- .... Click Frauds. Moreover, our analysis methodology can be helpful to law en- ...... [3] Manual on how to live anonymously.
Dissecting One Click Frauds∗ Nicolas Christin

Sally S. Yanagihara

Keisuke Kamataki

Carnegie Mellon INI/CyLab

Carnegie Mellon INI

Carnegie Mellon LTI/CS

[email protected]

[email protected]

[email protected]

ABSTRACT

1.

“One Click Fraud” is an online confidence scam that has been plaguing an increasing number of Japanese Internet users, in spite of new laws and the mobilization of police task forces. In this scam, the victim clicks on a link presented to them, only to be informed that they just entered a binding contract and are required to pay a registration fee for a service. Even though no money is legally owed, a large number of users prefer to pay up, because of potential embarrassment due to the type of service “requested” (e.g., pornographic goods). Using public reports of fraudulent websites as a source of data, we analyze over 2,000 reported One Click Frauds incidents. By correlating several attributes (WHOIS data, bank accounts, phone numbers, malware installed...), we discover that a few fraudsters are seemingly responsible for a majority of the scams, and evidence a number of loopholes these miscreants exploit. We further show that, while some of these sites may also be engaging in other illicit activities such as spamming, the connection between different types of scams is not as obvious as we initially expected. Last, we show that the rise in the number of these frauds is fueled by high expected monetary gains in return for very little risk. The quantitative data obtained gives us an interesting window on the economic dynamics of some online criminal syndicates.

In the family apartment in Tokyo, Ken is sitting at his computer, casually browsing the free section of a mildly erotic website. Suddenly, a window pops up, telling him,

Categories and Subject Descriptors K.4.1 [Public Policy Issues]: Abuse and crime involving computers

General Terms Measurement, Security, Economics

Keywords Online crime, web frauds ∗This research was partially supported by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 from the Army Research Office, and by the National Science Foundation under ITR award CCF-0424422 (TRUST).

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCS’10, October 4–8, 2010, Chicago, Illinois, USA. Copyright 2010 ACM 978-1-4503-0244-9/10/10 ...$10.00.

INTRODUCTION

Thank you for your patronage! You successfully registered for our premium online services, at an incredible price of 50,000 JPY.1 Please promptly send your payment by bank transfer to ABC Ltd at Ginko Bank, Account 1234567. Questions? Please contact us at 080-1234-1234. Your IP address is 10.1.2.3, you run Firefox 3.5 over Windows XP, and you are connecting from Tokyo. Failure to send your payment promptly will force us to mail you a postcard reminder to your home address. Customers refusing to pay will be prosecuted to the fullest extent of the law. Once again, thank you for your patronage! A sample postcard reminder is shown on the screen, and consists of a scantily clad woman in a provocative pose. Ken has a sudden panic attack: He is married, and, if his wife were to find out about his browsing habits, his marriage would be in trouble, possibly ending in divorce, and public shame. In his frenzied state of mind, Ken also fears that, if anybody at his company heard about this, he could lose his job. Obviously, those website operators know who he is and where he lives, and could make his life very difficult. Now, 50,000 JPY (≈ USD 500) seems like a small price to pay to make all of this go away. Ken immediately jots down the contact information, goes to the nearest bank, and acquits himself of his supposed debt. Ken has just been the victim of a relatively common online scam perpetrated in Japan, called “One Click Fraud.” In this fraud, the “customer,” i.e., the victim, does not enter any legally binding agreement, and the perpetrators only have marginal information about the client that connected to their website (IP address, User-Agent string), which does not reveal much about the user.2 However, facing a display of authority stressed by the language used, including the notion that they are monitored, and a sense of shame from browsing sites with questionable contents, most victims do not realize they are part of an extortion scam. Some victims even call up the phone numbers provided in hopes of resolving the situation, 1

Over the past five years, on average, 100 JPY≈ 1 USD. The Panopticlick project [11] aims to show that browser fingerprints can divulge considerable information about the user. However, none of the One Click Fraud websites we investigated appears to use any advanced browser fingerprinting techniques. 2

This is the author's version of the work. The original paper can be found in the ACM digital library: http://doi.acm.org/10.1145/1866307.1866310

and disclose private information, such as name or address, to their tormentors, which makes them even more vulnerable to blackmail. As a result, One Click Frauds have been very successful in Japan. Annual police reports show that the estimated amount of monetary damages stemming from One Click Frauds and related confidence scams are roughly 26 billion JPY per year (i.e., USD 260 million/year). The rapid rise of such frauds has led to new laws being passed [18, 20], to the deployment of police task forces specifically put in charge of solving these frauds, and to specialized help desks [16]. In addition, there have been so far, on average 657 arrests and 2,859 solved cases per year [15]. Considering the lack of technical sophistication needed to set up such extortion schemes, and the fact that bank accounts and phone numbers can be made very hard to trace in Japan (discussed in Section 5), it appears that One Click Frauds offer easy money to aspiring criminals. From a research point of view, One Click Frauds offer a unique opportunity for a case study in online crime economics. First, One Click Frauds, are extremely localized. We have not seen any instance of this specific fraud outside of Japan, presumably due to the fact that the scammers prey on unique Japanese cultural characteristics, such as respect of authority, or embarrassment at the idea of causing trouble. Rather than limiting our research, we view this local aspect as an opportunity. Indeed, because One Click Frauds are contained to Japan, and are almost exclusively used in Japaneselanguage websites, we can obtain a relatively exhaustive view of how these frauds are deployed and the characteristics they share, without the need for a complex measurement infrastructure. Furthermore, One Click Frauds, albeit unique, are very closely related to the body of scareware scams (e.g., windows popping up trying to entice users to buy fake anti-virus software) that are becoming increasingly pervasive, and we believe One Click Frauds offer an interesting insights into this type of criminal enterprise. The first contribution of this paper is to collect and analyze a corpus of over 2,000 reported One Click Fraud incidents, and to use the data collected to paint a relatively clear picture of the economic dynamics of an instance of online criminal activity. Specifically, we set out to answer the following questions: Who is committing these frauds? Are One Click Frauds the product of organized criminal activities, or are they more artisanal in nature, with many aspiring crooks trying their luck? How much do criminals stand to gain? Are there vulnerabilities in the network infrastructure (e.g., weak registration processes, easy access to compromised accounts, etc...) that are easily exploited by the miscreants? In the process of finding answers to these questions, a second important contribution of our paper is to provide monetary amounts, which help dimension the size of the One Click Fraud market, and the profits potentially made. While economic modeling of cybercrime has been an increasingly active research topic (see for instance [12,17,23,25,36]), we believe that obtaining additional measurements and clearly detailing the methodology we employ should help enrich our knowledge of how online criminal syndicates operate, while assuaging concerns on the validity of the estimates formulated [14]. Furthermore, some of the measurement methodology we employ is likely to be applicable beyond the context of One Click Frauds. Moreover, our analysis methodology can be helpful to law enforcement agencies. Law enforcement typically assigns different fraud instances to specific agents, who mostly operate independently of each other. However, we show that, by analyzing a relatively large dataset of frauds, we can extract characteristics that are not visible when considering smaller subsets of these frauds. These characteristics can in turn be useful to law enforcement in

identifying, and perhaps prosecuting, the miscreants behind these crimes [30]. The rest of this paper is organized as follows. We review the related work in Section 2. We then explain our data collection methodology in Section 3. We turn to analyzing the data collected in Section 4. We use this analysis to study economic incentives for the perpetrators in Section 5, before discussing the implications of our study, and drawing brief conclusions in Section 6.

2.

RELATED WORK

Moore et al. contend that online crime has become economically significant since around 2004 [23]. Hence, research in measuring the economic impact of online crime is a relatively recent field, but a number of papers on the topic have been published in the past couple of years. We present several important advances in the field in this section, and refer the reader to Moore et al. [23] for a more exhaustive treatment of the literature. Some of the pioneering work in the field has tried to quantify the value of fraudulent financial credentials as well as that of compromised hosts (“bots”), through passive observations. In particular, Thomas and Martin [31], and Franklin et al. [12] monitor IRC channels where miscreants attempt to sell commodities as diverse as stolen credit card numbers, bank account credentials, or email databases for spam, to obtain estimates of the value of these items as well as the volumes of the market associated with exchanges of such goods. Along the same lines, Zhuge et al. [39] describe how criminals operate in Chinese underground markets, and provide some insight regarding some of the goods exchanged in these markets by monitoring web forums where such items are advertised; a particularly popular item appears to be forged or stolen online video game currency. Passive monitoring, as discussed above, has been criticized for only measuring advertised prices, as opposed to actual realized sales [14]. A more recent line of research addresses this concern by actively participating in the online exchanges, by essentially “hijacking” some of the infrastructure used by miscreants. Kanich et al. [17] infiltrate a large botnet, and modify some of the spam traffic generated by the botnet to redirect purchases to a server under their control, thereby acquiring data on spam conversion rates. The key insight is that 350 million spam messages sent resulted in 28 sales. In other words, Kanich et al. measure very low conversion rates in their experiment. But, considering the cost of spam is negligible, and that bots can be used to generate other forms of profit (e.g., phishing site hosting), spam remains a relatively popular form of crime. Furthermore, a study of spam on the Twitter social networking site [13] shows considerably higher click rates (0.13%) than previously observed in email spam, which illustrates that spam remains economically relevant. Other relevant measurement studies include a botnet take-over described in Stone-Gross et al. [29], who monitor the type of services supported by the Torpig botnet. In a similar vein, Wondracek et al. [36] focus on the economics of the distribution of pornographic materials, by covertly operating an adult web server. Perhaps closer in spirit to the methodology we employ in this paper, a significant body of literature [21, 22, 24] is devoted to quantifying the economic impact of phishing scams, as well as the modus operandi of the attackers. One of the main outcomes of this line of research is to evidence that a large proportion of phishing activities are carried out by a modest number of phishing gangs, who use relatively sophisticated “fast-flux” techniques, where phishing sites are used as disposable commodities hosted on compromised hosts. This body of research puts the number of phishing web-

sites at around 116,000. Likewise, Moore and Edelman [25] gather a large corpus of data on typosquatting domains, to quantify the economic value of such sites, as well as potential disincentives for advertisement networks to intervene forcefully. Finally, Provos et al. [26] provide a comprehensive overview of web-based malware distribution, showing that there are in excess of 3 million web pages attempting to infect their visitors. The work we present here is complementary to the existing literature. To our knowledge, this is the first time One Click Frauds are analyzed from a quantitative and technical perspective. (Research on the legal ramifications and countermeasures, on the other hand, has been active [18].) More generally, we focus on a relatively contained instance of a scam, and attempt to gather both economic data (potential revenue, deployment costs to the perpetrators...) and structural data (number of players, relationships between players, ...) through a systematic measurement methodology, which we believe can be useful beyond the study of this specific fraud.

blog, where the website owner periodically posts notifications in a fixed format. Outsiders cannot directly post to the site. Parsing the data from Wan-Cli Zukan and Koguma-neko Teikoku is straightforward, as both sites use a predetermined format for all posts relevant to One Click Frauds. Likewise, the data is of high quality. Randomly sampling the reported sites, we did not find a single instance of slander – i.e., benign sites which would be reported as fraudulent. Either the sites reported were, indeed, hosting One Click Frauds, or they had been recently taken down.

3. DATA COLLECTION To find instances of One Click Frauds, we rely on public forums which report fraud incidents, along with details regarding the website being used, the amount of money extorted, as well as fraudster contact information (bank account number, phone number, ...). We collect data from three public forums: 2 Channel BBS [5]: The largest bulletin board in Japan, which provides discussion threads on various topics ranging from Japanese anime to sports. Several ongoing threads are dedicated to exposing One Click Frauds. Koguma-neko Teikoku [2]: Privately owned website providing help to solve consumer problems related to online activities. A section of the site is devoted to describing One Click Frauds, including information about scam incidents. Wan-Cli Zukan [7]: Privately owned website solely devoted to exposing websites partaking in One Click Frauds. Collection methodology. We gather data posted on the three websites we polled over a period of roughly three years (2006-2009). Specifically, we collect 2 Channel posts made between March 6, 2006 and October 26, 2009, Koguma-neko Teikoku posts made between August 24, 2006 and August 14, 2009, and Wan-Cli Zukan posts made between September 6, 2006 and October 26, 2009. All in all, we gathered 2,140 incident reports. Collection of this data took place between May and November 2009. While it is difficult to determine how exhaustive our data collection is compared to the total number of frauds perpetrated, we note that there is a significant overlap in the data provided by all three sites, which indicates we probably captured the most successful frauds, and that our coverage is likely adequate. Initially, we also tried to extract information from data provided by the Japanese police [32]. Unfortunately, these reports are in image format, and do not contain much actionable information, even after using optical character recognition. Indeed, most of the interesting details (e.g., bank account used) are often not divulged. Data parsing. The three sites present marked differences. 2 Channel is based on anonymous postings from various users who have encountered a One Click Fraud website and post notifications to other users. Due to its popularity and large user base, 2 Channel contains a wealth of information. However, because 2 Channel threads are essentially an open discussion, parsing the data for useful input is challenging. Koguma-neko Teikoku is also a collaborative web space, but, different from 2 Channel, Kogumaneko Teikoku requires posters to input information about One Click Frauds in a specified format. Finally, Wan-Cli Zukan is closer to a

Figure 1: Example of 2 Channel posting. The lack of structure makes parsing slightly complex. Here, usable information is only contained in the squared area; oftentimes, formatting is even more haphazard. On the other hand, 2 Channel is considerably more challenging to use. An example of 2 Channel posting is shown in Fig. 1. Since the data is not formatted according to a specific standard, we have to perform some basic text segmentation. Adding to the difficulty, is the fact that the Japanese language does not have a rich set of punctuation rules. For instance, words are rarely separated by spaces, there is no capitalization, and most characters have a couple of different readings depending on the context. Furthermore, in forums like 2 Channel, specialized slang and abbreviations are the norm, rather than the exception. To perform text extraction, we use the MeCab parser and data analyzer [4]. MeCab extracts Japanese characters into semantic units. This allows us to obtain a list of tokens, such as “ginko” (bank), “Sumitomo” (name), “hutsuu” (usual), “1234567.” We can then perform context-dependent parsing. The previous series of token tells us that it is highly likely that the poster talks about a “usual” checking account number 1234567 at Sumitomo bank. Despite the added difficulty of parsing 2 Channel threads, we did not encounter any erroneous or libelous postings. While a certain level of verbal abuse is present in such an unmoderated forum, it is easily separated from relevant information, once text segmentation is performed. Extracted attributes. For all three sources of data, after having parsed and cleaned the input, we extract the following attributes: URL of the fraudulent website; Bank account number given by the fraudster for remittance of funds; Bank name; Branch name; Account holder name; Contact phone number; Registration fee requested (i.e., amount of the fraud). Some of these attributes (e.g., account holder name) are probably fake. However, for the fraudsters to be able to receive money, the financial information has to be genuine. Likewise, contact informa-

Data source 2 Channel

N. 1077 Unambiguous, w/ URL Unambiguous, w/o URL Ambiguous, w/ URL Ambiguous, w/o URL

records

Registrar

353 174 218 332

Go Daddy ENom Tucows Network Solutions Schlund +Partners Melbourne IT Wild West Domains Moniker Register.com Public Domain Registry

372

Koguma-neko Unambiguous, w/ URL Ambiguous, w/ URL Ambiguous, w/o URL

2 362 8 691

Wan-Cli Zukan Unambiguous, w/ URL Unambiguous, w/o URL

632 59

Table 1: Number of extracted fraud incidents from each source. tion (email and phone numbers), when present, is usually accurate, as miscreants provide the victims with a way of “calling back” to further their social engineering attacks. Table 1 describes the number of fraud incidents that we extracted from each of the three sources of data. Note that, these sources are not mutually exclusive. In fact, we have significant overlap between the different sources. Second, the raw data that we extract needs to be cleaned up significantly. A number of records are incomplete to some extent (missing phone number for example); out of these incomplete records, particularly problematic are records that do not contain a URL field, as the existence of a fraud cannot be verified. In addition, a number of records are ambiguous in that some fields have more than one entry. For instance, a given post may contain one URL but several phone numbers. Most of these records need to be scrutinized manually, to check whether parsing was done correctly and whether the record indeed contains several fields. All results are stored in a MySQL database. We illustrate a typical entry in our database in Table 2. To help make our experiments reproducible, we make a copy of a dump of our database available (in gzip’ed form) at http://arima.ini.cmu.edu/ public/oneclick.sql.gz. After having cleaned up our original dataset, we use the extracted URL to infer the domain hosting the fraud, and, whenever possible, to obtain registrar (“WHOIS”) information. We also periodically download the corresponding website (using wget in recursive mode) to check for potential changes indicating a take-down, and to check for the presence of malware on the fraudulent site. Note that, due to the time interval (three years) over which incident reports we collect were reported, a significant amount of data points to sites that have long been taken down. Thus, a number of records are hard to verify and may be missing information. For example, we have a smaller number of entries with valid DNS domain information, compared to the number of incidents reported.

4. DATA ANALYSIS We next turn to analyzing the relatively large corpus of One Click Frauds we gathered. Specifically, we seek loopholes in the infrastructure that attackers are able to exploit. We then try to assess some of the characteristics of the online criminal market behind One Click Frauds, and in particular, investigate whether some miscreants are responsible for several frauds. Last, we try to determine whether fraudsters engage in other illicit activities beyond One Click Fraud.

Market share [35] 29.08% 8.30% 6.82% 6.06% 4.38% 4.34% 2.89% 2.43% 2.40% 2.17%

Registrar ENom GMO Internet Above Go Daddy Tucows Key Systems New Dream Network Abdomainations All Earth Domains Dotster Moniker OTHER

Prop. of frauds 47.56% 17.48% 5.14% 4.11% 3.34% 2.83% 1.54% 1.29% 1.03% 1.03% 1.03% 13.62%

Table 3: Registrars used in One Click Frauds. The left table shows the market share of the 10 most popular registrars (and thus does not sum to 100%). The right table shows the 11 most frequently used registrars in One Click Frauds, along with the respective proportion of frauds they host. Numbers are obtained out of the 389 fraudulent domains for which WHOIS information was accessible.

4.1

Infrastructural loopholes

We start by checking our data corpus for evidence of repeating patterns in the attributes we collected. The idea is that, departures from usual patterns may indicate evidence of vulnerabilities in the infrastructure. If, for instance, a disproportionate number of frauds uses bank accounts at Bank X, one can reasonably infer that Bank X processes for identity verification and account establishment are flawed. We first consider the phone numbers used by fraudsters. We are able to identify the phone number used for callback in 516 separate incidents. We check the phone numbers in our database against the phone number ownership list published by the Japanese Ministry of Internal Affairs and Communications. We find that 38.6% of the phone numbers used in One Click Frauds are au cellular lines, 23.3% are Softbank cellular lines, and 16.5% are local landlines for the Tokyo area. A 2009 report about the Japanese cellular phone market [34, pp. 78–79], tells us that au has about 25% of the market share, while NTT Docomo represents about 50% of the market. So, it appears that au cellular lines are significantly targeted by fraudsters. Whether this is due to lax registration practices, or to easier access to compromised lines, is unclear. The large proportion of Tokyo numbers may be explained not only by the amount of population in that area, but also by the fact that most forwarding services, which redirect all incoming calls to a different number while preserving the anonymity of the callee, use Tokyo numbers. Next, we identify the bank used in 803 separate incidents. We observe that online banks tend to be slightly more represented in these frauds than their actual market share should warrant. For example, 116 frauds (14.44%) use the online Seven Bank. On the other hand, this bank does not have as significant a market share in Japan [34, pp. 82–83]. eBank and JapanNet Bank are two other examples of online banks used at a notable level (around 3%) in One Click Frauds, while holding only a small market share. A possible explanation is that online banks do not require a physical interaction to let individuals open an account, and are thus potentially more prone to abusive registrations.

ID 370 Branch Koenji

Date posted 2007-02-03 00:00:00 Acct. Type Checking

URL http://www.331164.com/ Acct. Number 7184701

IP 69.64.155.122 Acct. Holder Takahashi, Mizuki

Email [email protected] Phone # 080-5182-7956

Bank Sumitomo Mitsui Fee JPY 88,000

Table 2: Example of database entry. Note that not all attributes can always be extracted.

40

do 3. co m n. co m

ai

om an .co m 80 co de .co m

sponse with invoicing details. A simple money transfer was all that was needed; and this could be performed anonymously by using cash at a convenience store. The reseller promised the site would be up within 30 minutes of the payment being sent. No identity checks were ever performed. In other words, this specific reseller appeared to be easy to abuse for fraudulent activities. While we have not attempted the same type of test with the other “popular” resellers, we venture to guess that their registration processes are likely easily abused as well.

lli tre

−p as

ix ed m

ed ia

m

.n et

ho s t.

co m

sm dn ov sv x. ie jp .c

5

fre e

10

m

15

dr ea

20

ue −d om

25

ai

m

30

va l

Number of websites hosted

35

0

Figure 2: Number of websites hosted by the resellers used in more than one incident.

We observe even more interesting patterns, when we look at DNS registrars and resellers that are abused by fraudsters. Table 3 compares the market share, as of Nov. 2009, of the top domain name registrars [35] with the proportion of registrars used by domain names participating in One Click Frauds. We are able to identify the registrars used in 389 incidents. We note that ENom is apparently much more victim of abuse than other top domain name registrars. Likewise, Above and GMO Internet rank highly with fraudsters, while not having significant market share. This result can indicate one of two possibilities: Either these registrars have very lenient registration policies, or they entrust some of their domains to resellers that are not perfectly scrupulous. To find out which domain name resellers are used, we examine the DNS field in the WHOIS record associated with the domain used in each One Click Fraud. A large number of sites we investigate have been taken down (particularly those obtained from 20062007 sources). In some cases, though, the One Click Fraud sites have been replaced by domain parking pages, and thus still have valid WHOIS information, which may reveal information on the reseller used. Another large number of sites use either their own DNS server, or free DNS services like opendns.com, and are thus discarded from analysis. We complement investigation of the WHOIS DNS fields with a simple reverse DNS/DNS lookup script. For instance: dig +short admovie69.com | xargs dig +short -x yields ikero.dreamhost.com, which tells us the web hosting service is dreamhost.com. We eventually manage to identify the resellers in 97 incidents. In Figure 2, we graph the number of at resellers that are used in more than one incident. We note that, for our successful lookups, a couple of resellers (maido3.com, value-domain.com, ...) appear to be highly represented. They tend to be cheap resellers, with lax, or absent registration checks. Specifically, we investigated further maido3.com. We used a disposable email address to request rental of a specific domain name and server space. We used a fake name, address and phone number, which could have been easily spotted, as the address was that of a famous subway station. We received an immediate re-

4.2

Grouping miscreants

We next attempt to determine whether we can find evidence of organized criminal activities through miscreant behavior. In this paper, we qualify by “organized criminal activity” large scale operations involving many frauds, using a considerable number of bank accounts and stolen or abused phone lines, and possibly coordinating with other organizations to deploy malware or share stolen information. We contrast such large scale operations with those involving only a couple of sites. Methodology. We define an undirected graph G = (V, E) as follows. We create a vertex v ∈ V for each domain name, bank account number, or phone number our database contains. Then, we connect vertices belonging to the same fraud with edges E. For instance, if our database contains an entry for a fraud hosted on example.com, with bank account number 1234567 and phone number 080-1234-1234, we add (v1 , v2 , v3 ) = { example.com, 1234567, 080−1234−1234} to V , and three edges (e1 , e2 , e3 ) = {v1 ↔ v2 , v1 ↔ v3 , v2 ↔ v3 } to E. Note that, by building the graph G in this fashion, two nodes of the same type (domain name, bank account number, phone number) never link directly to each other, but can be connected through an intermediary. For example, two websites using the same phone number result in a connected path between the three concerned nodes. One natural question is why we chose not to link two different domain names pointing to the same IP address. The reason is, that we realized that this happened sometimes for sites that were markedly different, only because they were co-hosted on the same machine by a common reseller. In other words, both incidents shared the same web hosting provider, but were not related otherwise. We decided to err on the side of caution, and not to consider identical IP addresses as a strong indicator of identical ownership. Parsing the entire database yields a graph with 1,341 nodes and 5,296 edges. We first isolate 26 “singletons” representing connected subgraphs containing at most three nodes, and at most one domain name, one phone number and one bank account. These singletons represent incidents that we cannot connect to any other fraud. All “one-off” scams fall in this category. Excluding the 26 singletons, the whole graph G contains 105 connected subgraphs (“clusters”), with sizes ranging from a couple of nodes and edges to a large cluster containing 179 nodes (56 domains, 112 bank accounts, 11 phone numbers), and 696 edges. We plot the graph G in Fig. 3. While the specific domain names, phone numbers, and bank account numbers are not readable at this scale, we can clearly distinguish the connected subgraphs, which

angel−blog.jp

franky−tube.com

0352183

0414092

441583

0331261

cutieluv.net

08011594469

0363802956

0225110

7160136

5329658

1619457

himawari−blog.com

0792520388

1641074

hanabi−don.com

bukkakex.net todaysmovie.sakura.ne.jp

todaysmovie.net

1470805

8860037

0386661

1078564 0358519965 moon−a.com 8842125

a−milk.net

09091503831 1953945 5317013 1657050

nip−go.net ad−hole.com

1209448

bubble−gum.jp

6311731 0894719

jannie.jp

2037698

1611762

204246 357089 little−ag.com

3956232

beguru.jp

7595857

1351803

subi−ing.com

juku−juku.com

movie−love.com sexy2.jp

1340013

374480

cha−nel.jp

0358519962 0332860

bubuko.jp

tirallin.com

1637788

alsoira−p.com

1391139

a−file.net

5333906 a−vivi.net coro56.com 5092915

1494273 3156739

0120555061

tv−adult.net

meron−pan.com

1194160 pyuride.com 4099066

347670

avclinic.net

1638224

7019885

best−mov.com

cinderella−movie.com

nurenuremanko.com 0351715

3779326 1999395

idol−douga.jp

3161820

4041614

hateblog.jp

346902

08031241652

1675648 216072

08065323977 mermaid−haisin.com 7810164

adult−collection09.net

1078676

08011659432

0330248

info.net

1426302

0358519964

0358519961

09088123505 5329569 341687

4044113

1418160

0157663

0120540940

4032599

grin−2.com

0349541

7696035

adult−dream.net

5328716

cheezu.net

0340035

gal−star.com

370195

adult−player.net nasubi−ing.com

1219556

5092923

1633117 peppar.jp

aitaiyo.jp 1637730 9061683

paradise−fish.com

bettyser.com

5092702

376896

08053424771

340276

1164647 0332144

cherry−move.com

0346902

frury.com masa−mune.com

280138

428410 2425448

08034984656

3099458

0208028

love−gal.com

375644

puni−2.com

e−sweets.jp

5329542

love−aware.com 0588566

yamato71045.com

mmbga.jp 08065257334

nyaa−nyaa.com merumon.com

1012826

7716465

lovechop.net

value−engineer.com

0423842

8696942

1518850

210943

5379464 adult2.net

0339501 slim−slim.jp

1487263

imazin.net

1010447

1651498

1865756

1950977 3441540 1759710

5340708 0360423

0358199234

05055330214

1083439

4084239

h−−ko.com

4539234

09017051122

08066575324 1185845 utubu.net

moe−moe.cc

whitelover.net

08066189305

0388841

itigo15.jp

5093385

3566662

0232729 0353528

cherry−love.net

douganews.jp

entameblog−seasea.net

8453987

09035485924

5336328

4073881

3375458

0359850337

0384968

312788

5543841

1391210

eroscamp.com tendencys.com

722297

08066246703

qq−o−pp.com

389841

3175577

0120964819

0388018

malilin.net

cross−road.info

294566

qqqja.com

3011261

340312

entainfo.com

nixy.jp

0280138

0314398

382437

1125163

08035251179 6311758

free−dom1.tv

08033857316

1439051

6320366

1640981

343691

2688261

0120948843

0350164

cross−mode.net 11066531

ero−para.net

0388369

3271716

0354160

5333884

5095507

banana−gal.net 0475367

baxxyy.com

0465175

344238

5333281

0418224

0589849

prinprin.net

5096597

241683

global−hotline.org

08032515119

5091951

0325032 0333212

235900

0359389

club−cc.com 7630009

0372671

1670973

anything−c.com 08053422904

makkey−k.com

hi−quality.net 0383644

1998870

08061313149

bi−tiku.com 5421018501

8140429

chocoblo.com

0344784

7222297

tikantitai.com 08056979249

1806363

4746756

08012452071

0388902

1482222

6618793 movie−pie333.com 08061313142

0001963

entarou.com

2063510

smile2007.jp

1641759

0251320

08034984657

1406720 4538271

entameparadise.com

1740643 5328724

fresh−tube.net

1644890

8476199

0624983

0209571

08035910928

5339815 5262219

eroerolove.com 0388570

3969268

0340004

09099538764

nurevideo.com

oreoreo.net

0387134

moco−2.com

5319725

371234

sexy−pororin.com 4032244

muchihip.com

0326316

1998098

0387133

3079568

0014313

hamepara.com 4093947

anahime.info

1090428

08038207711

1051811

5335194

5333892

0329405

5332951

08054299771 adult−princess.com

0354038

ss−class.com

campus−love.jp nukimedo.net 6649945 5046551

0661853000

2172159

3855981

5319717

09093671734 hanabi−after.com

6338532

1455876

0404455

5329704

porollin.com

0344238

adult−moody.com

0353548

mukekuri.org

hamekura.com

4090697

0120166335

1086185

5333931

mcnsd.com

0358475699

1477522

marmaid.cc

kiss−of−adult.com 1414113

5093369

0448745

0331970

5343057

08020542531

h−love.org 77756

1452331 2660037

5329909

3173405

08032435833

7251423

0344551150

angelsabc.com

1492268 0363806168 1627942

1290679

0350269 1941897

0658736

okazustation.com 1628498

erumo.jp 6746509

7700913

2013974

bisyo2.net

0363806070

mac−mac.jp

0357744311

entaenta.com

4695553

4053334

lady−impact.com 09083035035

09029127977

09035487922

april1980.com

ss−class.net 0493515

2833320

6523649

345041

09055871914

09060167620 8226311

march−2008.com

channel.jpn.ph

honeypoo.jp

erojiro.com 08055079961 0359999229

3481058

adult−dougaga.com

yaplog.jp

0404128

lovediscovery.net

2952751

vvindows.jp

oman5.com 6044604

09012122826

4017085

08068165797

channel−av.net

rivianan.com

5333485

4087416 08065409987 nureyubi.org

movie−h.com

4040027

geinouflash.com

1065019 3095372

1237177

1634727

09018030721

09047285631 hot−spot.cc

1801712

quicklegs.org

mokko−gals.info

dougadx.com

akume55.net

8290452

2313128

ktkr.cc

adult−55.com idolroom.net hitodumah.net

deepero.net 1107515

baby−cat−be.com

0384305

otakara−max.com

mihoudai.com

be−movie.org

1521668

0411692

sagjo.com

sweet−tenn.net

09017729724

6811034

idol−mania.net

kaZnetmovie

1383371

news−club.jp

3783847

deeper.bz

bgmovie.org

1609126

girl−mix.com

5157963

nozokix.cc

1734316

3146656

onaona.org

m−hunter.net

1583507

bm−mov.com

m−o−v−i8−es.com 0364576191

09045665062

mv69.org

admovie69.com peroman.net

5313573

469831

honey−cute.com

mv−love.org bgmv.net 0352925692 1301074

3510627 1005560 1143219

1383733

star−77.com

337767

pineapple−express−the−movie.net

rev−02.com

6672662 erogazo.net

0364576188 orange−girl.net

mvx55.org

08054295269

big−pink.net

4037555

erostube.muvc.net

433515

8094341

8975641

3494150

h093.com gal−xx.net

goo−leak.com

1739475

candysweet.cute.bz

girl−box.net

mv−hunter.com

0120696403

09044522789 ero−anime−star.com

candy−sweets.net

6954047

hasikue.net

d−xxx.net

nukikko.net 4079227

0360843

0120964231

2182619

mania4u.net

tere.site.ne.jp

4443129

0359445 0369194966

1120635

08012315407

09038178656

av−flash.net

09060439730

movie−tubes.com

4058108

09061234110 0450617

bmov.bz

08055089225

2578585

1887032

aneona.com movierock.info

1648593 adult−ch.com

cyberpro−wingsmember.com

vip−ch.com

3803329

coolwatch−dramaplayer.com

fpretty.net

chizyo−takyuubin.com 5416593

gazobank.net

3103382 3091434

crystal−mv.org

4068802

temomin.net

eroking.net adult−maniac.com

wink69wink.com veoh−box.com guba−cafe.com

0396753

view−break.com

aidol−o.net

0334074911 3698289

dlxmovie.org 8410192

0398437 8538560

myvideo−viewwatch.com

ero−izm.com

fmv−str.com

samehada.com

359445 tokyo−vi2.com

olioli0.com

0412752

5242684

free−wmv.org

f−xxx.net

frx−video.info

strmv.org 0417728 e−adults.net

1121928

4044638

freehp.cc 5337294

5339572

eroerotv.com 6583868

2222472

4045172

0421581

1869828 kakecat.com

0776395 7361520 gi2a.net

0354671057

09061860948

f−cute.com

fxe.bz

mvdx.net 1933624

high−time.jp

08065329727 0349375

0338530

x69xforyou.com

nkjnk.com

runkhead.net 4082665 1619966

d−per.cc fe7.org

elephin.net

09017387584 8042012

4370852

5340104

erox−mov.info

cream−angel.net

srmov.net

erocinema.net 09012739052

sexy−shake.com

8065331

0321104

eroero−movie.net

08067622371

hs34.drive.ne.jp 1529859 5165068

ozari.com

0425703

4045610

6985815 shin−girl.com

1144859

4009193 erotown.biz

1780456

eroing.net

eroooo.com

main69.sc

extasy−sp.com

6992785

09018377611

m2mv.net

pinky−camera.net

o1111.com

1556604

2878099

ony−hand.com

cos.com 0403850

2866908

1535848 2824040

manko−siohuki.com 0353389795

10228026

x−archive.info

2012854

download−page.net

puru−2.com

0303133

angel104.com

602741 triqwe.com

nuki−movie.com

1829553 0383656

pearl−movie.net

6580923

pakipaki77.com

ureqky.com

cherryboy.jp

2000207

1352754

0333718464 08038262976

eroero−story.com elite−elite.jp

5341747

09018376843

4029118

4648516 340174

0222917

0378050

5297837

goldmedia9.jp strmovie.net

306390

heidi−alps.com

3324574 363010 mov−x.org

erowiki.net

otkrd.net

09065662100

09047379105

tinko4545.com

shakuhati1919.com

ee−movies.net

o−takara.org

bb−download.net

1040522

4076368

free−tube.girls−jp.com

1622740

419223

08040118481 download−max.net

595799

0402931

q−vide0.com

08038254756

splash−net.jp

ari−.com

bottob.net 0387486

5340724

4941192

7769426 0120078310

8083492 0369632

0306583

ex−d−ex.net

2312521 o−tin.com 1647361

0347916

4040791

0598054

35122

1601834

0120100479

dream−−maker.com

momoiro−time.com 0029786

5101517 1453920

0354562488

6232755

zest−movie.com 08054597956

1221882

cokimaro.com

4584380

medo−hole.org

movie−factory2.net

6341843

5336573

3660931 0353530

mega−movies.net 0385093 0318332

1028012

09061861058 0385094 1630265

movies−max.com

0385203

muteking.com

0369129513 oppai777.com nurenure−movies.com

download−vi.net

0351310

eroero−aidol.net

0563215

adult−juice.net 1813378

moro−movies.com

5318168

0343550

cherry−pie.info

5336778

3213568 free−share.jp

1103645

9985692 08035110306 0104697

1458789

1238350 0358425

0362689 0364500337

1369144

0225244 0364500338

adult−69.com

0312320

ananan.biz

0727136

1343757 yamato.power.ne.jp

0387514

1030147

7541792

4038252

08012493978

0292684

0135448

6948954

playgirls.cc

0050056 lastsong2007.com 0348126

1537062 5337316

5341071

0120707473 1659678 08013471667

adult−99.com

0333082

1928070

ad−sexy−gallery.com

1648063 0298759

a−mn.net

478971 ero−max.biz 1767396

1929784

1635833

0162390

1064348

1637561

08013416995

09040026096

6547551

0406009 230141

2348872

ad−maruhi−club.com 5323609

peach−candy.com 08066293236

good−eros.com

0326011

all−look.net

09044356307

0315494

09064957153

0163237

2808142

382555

pichipichipi−chi.com

cute.fm

0387239

specialdouga.com

08035110321

0161761 0371964

1105738

09061860949

beauty−movie.com

0561112

09098068443 8459883

daichuki.net

0385858

0387480

5317757

0286196 ikuru−to.com

2124627

2039800

sexyhathurathu.com

6630471

0361645

pussy3.net

blog−ex.jp 0154039 0503632

0339477

0373205

0385460

0347038 mars.server.ne.jp

0385099

0063338

arukonda.com

saunin.com 0403627

0380906

0389994

3878842

0356547159 1120502

okazu−ch.com

5336565

cyuraman.com

5321550

0120540412

0145000

gazo−xxx.com

pink−gals.com

adult−vision.net

3114035 hippai.net

0354283294

0331806

5218287

3077810 1613892

movie−downloadpage.com

0393511

2122373 08051893069

334604

0354456

08051827956

09098057510

4049462

0382799 h−erorist.com

eroize.net

5097338

08066789998 kyoto.direct.ne.jp 1434040

4044105

manboo.org

6964085

08013481402

nakatayu.com adult−moviespecial.com

ero−station.net

0343433

tadaudo.com

08051825872

momotube777.com

0441247

1161106

0478971

0400517

3262040

0354283599 1096017 1176575

5244068

1036604

.info−e.net

sexsexsex.bz 1033360

8455994

nishinom.uuuq.com

0375460

3479977

click−gazou.com

doshirouto.net 5338576

1056961

2051963

adultportal.bz

0261679 3348130

movies−navi.net

otakara−com.net

urageinou.com

syogekiotakara.com 7552399 1369219

7019393 5878056

0069417

1647116

6132458

1126505

geinoulive.com

1702309 6239687

08030288578

hiroimonoblog.com

1953517

hitozuma−jukujo.com

5392821

uploadotakara.com

7512014

freefree−geting.com

shirotopara.com

5084203

e0721.com

08067744832

e−horidashi.net

1680370

sukebe4545.com

1343544

1447503 freemovieshelter.com cupid−f.com

0104838

purememo.jp

nurunurujp.com

treasuremovieplayer.com

index−pv.com

pyupyupyu.net

0084305 5213007 0343162

1507237

hwrws.com 1997477

2429766 4467772

6966760

1647622

paradise−cafe.tv

0352924176 tokudane.cc

09034142427

08066293227

1658483

2429774 5346307 1502037

2683998

kamehamema.com asite2006.com

adult−media3.com

0421384

milkpai.net

1691135

333289

afg.adfack.com 0175290

ctg.adweeb.com

5695927 09034178215

petit−devil.com

sikosiko55.com 0387595

4058270

0337680 tch.adweeb.com

08066164856

geinoudaisuki.com 1404764

pink−apple.net

08061148266 garumin.com

0426326

6599861

0577251

0357849501

0402084

0306538

onanny.net

tohkof.adfack.com

shake−hip.net

0525881

ree.adweeb.com

0357849235

5342131

gss.adweeb.com

8059603

3442456 materiaru.com

0388662

1267396

0388283

jyukujo−hitoduma.com 0374643

0120937959 4026601

apk.adflash.net

4026092

09094023036

09010425485 fgter.com

bfg.adweeb.com

08061332300

3791080

0352343

0284256

5337731

0425520

takuero.com

adalt−world.com

boinpururun.com

0352924109

tst.adweeb.com

1629329

09058210093

0352924033

love−green2.com

tpl.adweeb.com

0558445

6191072

wintube.net

0583821

4084869

09098564796

6476397

0387593

lovelyhoney.adgoo.net

1015584

youradult246.com

0179561

0293921

3532049 08067242335 .eromajin.net

gsg.adweeb.com

1473244 0451712

1633362

2452834

0376574 1623524

hat.adweeb.com

hame.adflash.net

09084891165

hamebank.adfack.com 6600282

08053276846

5406408

tom.adweeb.com

idol−get.net kewpie.tv

2848342

4993545

2066983

0274806

0335845177

starpeach.net

1182422

09017936613

hcl.adweeb.com

0389948 geinouplus.com

youxtube.org

7685526

0374386

pararin.net

trinions.com

4601959

stx.adfack.com tof.adweeb.com

113095

1414431

5374157

1717689

3039599

08065920249 galooon.com videochannelfile−mackintoshlive−movie−tv.org

douga−dx.com

3379998 8506951

yourtubefile−userforplayer−live.com

1174307 0437281

okazumovie.net

okazu−movie.com 09029094733

3509866

wintube.info

1611645

mycast−watch−tv.com

tohsen.adgoo.net

08065290249 dougadx.net

6099079

forjustvideo−javadownload−watch.info

cross−mode.com

0382127 0445224

0164722 0414077

1166179

3969195

3090009

0335604975

shibuya−supa.cocolog−nifty.com samplefreemovie.com

4517418 inf070614.com

r18shitei.com

1221456319

05055335807

0630719

4062966

0338829851 1970262

0350762

08065306995 sweet−tube.net

4087017

youtude.name

2004024

0001682

0354598 0339320

1556490

0100145

1805992

yaritai.jp

4035520

1281040

yariyari−doga.com

08065920448

impactfreemovie.com

pp−juice.com

blog.kimikasa.com

6309257

he−collection.net

08034562094

1249683

0359850128

1022465 1038001

0383417

3008409

0339122

2005096

1776495

3032557

5372812

0300391

exite−tube.hot−jp.com

e−gossip.net

onaona−doga.com

0329168

youtude.jp

8918683 08036386304

love−cast.net

3107493

0507462

0187633

0279570

3177715

movie−adult999.com

eroeromax.net

7202108

cbehs.com

08067403774 08066706829

0375568

xootech.net

adult−fish.com

1080791 0352180

5651810

1663667

mediachannel−windowslive−tv.net

4021054

pure−doga.com 0357505273

nukenukidoga.com shirouto−av.com

softnbank.com

v−gallery.net

ero−gappa.net

ero−tube.jp

08067441280

0272017

eroceleb.net

0638152

adult−007.com

0358475692

09061017344

2551129 0062260 2046533

9348390

mo−movie.com

0353021978

1662373

3131092

6723957

venus−gate.info

1632202

0451981

1282599

7027611

0362807977

09065000870

0338829852

0333758325 moe−roli.com

h−tuma.net

0362807950

1471895

0120404306

5392597

onenight−movie.com

brabus.xsrv.jp

7864096

Figure 3: Clustering of 1,341 nodes representing 481 domains (ovals), 684 bank accounts (triangles), and 176 phone numbers (small rectangles). Links connect nodes found in the same incident. We obtain 105 clusters containing more than one node, and 26 singletons (omitted from the figure). Additional grouping by malware used allows to link six of these clusters (represented by thick dashed lines), and additional grouping by strong similarities in WHOIS registrant information allows to group another set of seven clusters (represented by thick dotted lines).

are ordered in separate boxes in the figure. The presence of large connected subgraphs (e.g., top right) indicates that some miscreants are operating a large number of sites, and are reusing phone numbers or bank accounts across several sites. While it could, in theory, be possible that two completely different criminals share an identical bank account number, we reject this hypothesis, as the bank account numbers used have to be valid for the criminals to collect their dues. Hence, a shared bank account number means that, at the very least, the miscreants sharing the account are in a tight business relationship, and probably are the same individual or group of individuals. Likewise, because phone numbers used in these frauds are genuine, reusing the same phone number across several frauds indicates a business relationship between the perpetrators. Malware. We further noticed that websites from the second largest connected subgraph were still alive as of Nov. 2009, indicating that the fraud continues unabated. As mentioned earlier, we downloaded the entire contents of each fraudulent website listed in our database. We found that a small number (14) of One Click Fraud websites contained some malware. Specifically, some of these sites contain a virus named Trojan. HachiLem. This is an MS Windows executable file which is posted on these sites as a “mandatory video viewer plug-in.” Once downloaded and executed, this virus automatically collects email addresses and contacts stored within Outlook Express or Becky! (email application popular with Japanese enterprise users), and sends the collected information to a central hachimitsu-lemon.com server and, possibly, to another machine as well. The collected email information is in turn used to blackmail victims and notify them they owe the website registration fees. Interestingly enough hachimitsu-lemon.com has not been a valid domain name since, at least, early October 2009, but a report about this virus was posted as recently as Oct. 26th, 2009 on Wan-Cli Zukan, indicating that this virus is still mildly active. Another group of sites contains a simpler, less intrusive form of malware, which modifies the Windows registry entries to display a pop up window reminding of the registration fee due upon boot-up. Additional clustering. An interesting feature of the sites hosting the Trojan.HachiLem malware is that they all share strong similarities in their WHOIS records. For instance, the technical contact phone number field contains is identical (+81-6-6241-6585). While it is likely a bogus number, this similarity, coupled with the presence of identical malware and overall similar appearance of the different websites involved strongly suggest all sites are operated by the same group. We can thus relate six connected subgraphs to each other, represented by the dashed boxes in Fig. 3. We further look into WHOIS information details, and notice that a number of registrant entries shared similarities across seemingly different incidents. For example, we found a number of entries with identical (bogus) contact name, email information, or technical contact phone number. By grouping this entries together, we can link seven connected subgraphs, represented by the thick dotted boxes in Fig. 3, to each other. Fraud distribution. With the assumption that each connected subgraph denotes a unique criminal organization, we plot, in Fig. 4, (a) the number of frauds perpetrated by each group, and (b) the cumulative number of frauds perpetrated by the most active fraudsters. In Fig. 4(a), we rank criminals by the number of frauds they have been committing, and plot the number of One Click Frauds perpetrated by each group as a function of its rank. We provide data for both simple clustering (based only on phone numbers, domains, and bank accounts), as well as additional clustering (further group-

ing criminals by malware used, and identical WHOIS records). We note that the distribution seems to be following a Zipf law. Specifically, the curve representing a basic clustering fits very well with the function y = 56/x0.76 ; and y = 80/x0.90 is a good fit for the curve obtained by considering additional clustering. The match with a power law indicates both high concentration (a few people are responsible for most of the frauds), and long tail behavior (many people participate in these scams). Fig. 4(b) plots the same data as Fig. 4(a), but in a cumulative fashion. What we observe here, is that even with our conservative clustering strategy, the top 13 miscreant groups are responsible more than 50% of the fraud. Taking into account similarities exhibited by WHOIS records, and malware deployment, we observe that the top 8 groups are responsible for more than half of the frauds we have collected. At the same time, there is a large number of groups that do not seem to be involved in more than at most a couple of frauds. Including singletons, 80 out of the 112 groups we extracted using additional clustering, or about 71% of the criminals involved, appear to operate at most two sites. This number may be an overestimate, since we do not claim that we managed to establish all possible links that exist. Yet, it tends to indicate that the miscreant population is a mix of large operators, and of “artisans” running much more limited criminal enterprises.

4.3

Evidence of other illicit activities

Blacklist cbl.abuseat.org dnsbl.sorbs.net bl.spamcop.net zen.spamhaus.org

combined.njabl.org l2.apews.org aspews.ext.sorbs.net ix.dnsbl.manitu.net Google Safe Browsing (FF3, URLs) Google Safe Browsing (FF2, URLs) Google Safe Browsing (FF2, IPs)

Purpose Open proxies, Spamware Spam Spam Spam, Trojans, Open proxies Spam, Open relays Spam, Spam-friendly Spam Spam Phishing, Malware Phishing, Malware Phishing, Malware

Nr. hits 7 (2.55%) 22 (8%) 4 (1.45%) 23 (8.36%)

4 (1.45%) 90 (32.73%) 11 (4%) 4 (1.45%) 0 (0%) 0 (0%) 44 (16%)

Table 4: Presence of One Click Fraud domains in various blacklists. Next, we try to see if domains engaging in One Click Fraud are also supporting other illicit activities. Out of 1608 URLs present in our database, we extract 842 domain names. These domains resolve to 275 unique IP addresses.3 We check the 275 IP addresses against a set of eight blacklisting services that flag IP addresses known for producing large amounts of spam, and/or trojans and malware, and present our results in Table 4. While some of the domains are also used for spam, the vast majority does not appear in any database. In fact, most of the hits we see (in L2.apews.org) are coming from sites that resolve to a parked domain IP address. That is, these sites are not 3 A large number of domains, particularly those reported in 2006– 2007, are down, and do not resolve to any IP address anymore.

Cum. prop. of webs. maint’d

Nr. of websites maintained

60 50 40 30

with additional clustering basic clustering

20 10 0

20

40 60 Group rank

80

100

1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1

(a) Nr. of frauds perpetrated by each group.

basic clustering

with additional clustering

20

40 60 Number of groups

80

100

(b) Cumulative number of frauds

Figure 4: Frauds distribution over the miscreant groups. These plots exhibit considerable concentration in fraudulent activities.

active as One Click Frauds anymore, and have been reclaimed by the DNS reseller, which apparently either serves as a spam relay or has been known to be friendly to spammers. Given the results we found earlier about the concentration of frauds in some specific resellers, this outcome is not particularly surprising. We further verify this hypothesis by checking our entries against the Google Safe Browsing database for phishing and malware distributed as part of Firefox 3, updated as of July 24, 2010. None of the URLs we find in our database is listed in the Google Safe Browsing database. However, we also want to check IP addresses of the servers that host One Click Frauds against the IP addresses of the servers hosting pages listed in the Google Safe Browsing database. Recent versions of the database, such as that used in Firefox 3, only contain hashes of the blacklisted domains rather than the actual domain information, which makes it impractical to obtain IP addresses associated with the blacklisted domains. We thus turn to an older version of the Google Safe Browsing database (bundled with Firefox 2, last updated on June 29, 2008), which contains the blacklisted domains in plaintext.4 In this older database too, none of the URLs match blacklist entries, but, when comparing IP addresses of the servers that host One Click Frauds to the IP addresses of the servers in the blacklist, we see a significant (16%) number of hits. This confirms our finding that, while the websites engaging in One Click Frauds keep a relatively low profile, they are sometimes hosted on very questionable servers, which essentially turn a blind eye to what their customers are doing. A possible reason for the relatively lack of conclusive evidence that One Click Frauds sites engage in other forms of online crime will become clear in the next section, when we look at the potential profits miscreants can make. Operating a set of One Click Fraud sites is indeed quite a profitable endeavor, and we conjecture that, engaging in other forms of fraud would only have a marginal benefit to the fraudster, while increasing the risk of getting caught.

5. ECONOMIC INCENTIVES We next turn to looking into the profitability of One Click Frauds. We start by drafting a very simple economic model, before populating it with the measurements we obtained from our study. The objective is not to obtain very precise estimates of the actual profits that can be made, but mostly to dimension the incentives (or disincentives) to engage in One Click Frauds. We first determine the 4

Note that, while this blacklist is considerably older than the newer versions, it is contemporary with a large number of One Click Frauds we collected.

break-even point in the absence of potential risks for miscreants, before looking at the impact of penalties (prison, fines) on criminals’ incentives. All the numbers in this section are current as of November 2009.

5.1

Cost-benefit analysis

Costs. A miscreant interested in setting up a One Click Fraud will need a computer and Internet access. We call this startup cost, Cinit . Cinit is independent of the number of frauds carried out, but is actually dependent on time, as Internet access is usually provided as a monthly subscription service. Then, the miscreant will need to purchase a DNS name, possibly joint with a web hosting service. We will call this cost Chost . This cost, too, is time-dependent. The website has then to be populated with contents (e.g., pornographic images, dating databases), which will cost Ccont . Ccont can be a fixed price, or a periodic fee, depending on whether the miscreant is purchasing items in bulk, or as part of a syndicated service. The criminal has to set up a bank account, which should not be traceable back to its real identity. We will assume the cost of this operation to be Cbank . This is a fixed fee. Likewise, an untraceable phone number for call-back from the victim may be purchased to make the fraud more successful. We will denote the cost associated with this purchase Cphone . This fee is likely to be time-dependent; for example, the forwarding service discussed in Section 4 is a monthly subscription. Profits. Profits primarily come from money obtained through user payment Puser , conditioned by the number of users n paying the requested amount f for each incident. The number of users increases with time. Secondary profits, Presale , may be reaped from reselling databases of victims contact information to other miscreants. Utility. As we have discussed before, miscreants may actually set up several frauds, potentially reusing phone numbers and bank accounts across them. Let us denote by S, K, and B the number of frauds set up, phone numbers, and bank accounts purchased by a miscreant, respectively. We assume that identical contents is reused across all frauds operated by the same miscreant, which, based on casual observation, appears to be the case. We further assume that hosting costs are directly proportional to the number of sites operated, which is a very conservative assumption, as resellers tend to provide discounts based on the number of domains purchased. We also assume that the costs of phone and banking services are directly proportional to the number of phone lines and banking ac-

Frequency (nr. of frauds)

300 250 200 150 100 50

,0 ,0 00 0 40 1−4 ,0 0,0 01 0 45 −4 0 ,0 5,0 01 −5 00 50 0, ,0 00 01 0 −5 55 5, ,0 00 01 0 −6 75 0, ,0 00 01 0 −8 85 0, ,0 00 01 0 −9 95 0 ,0 01 ,00 0 −1 00 ,0 00

35

−3 5 01

,0 30

1,

00

1− 5,

00

0

0

Fee amount (in yen)

Figure 5: Ten most common amounts of money requested.

counts purchased. This assumption holds, because Japanese phone companies does not rely on usage-based charging for incoming calls. Cellular lines use dedicated area codes, so that the caller, in this case, the victim, pays a premium compared to the charge for calling a landline. Hence, in One Click Frauds, because miscreants only use their lines for incoming calls, they are not charged for usage. Finally, because quantifying Presale is difficult, and is likely to be small in front of the other profits, we simply consider Presale ≥ 0. Finally, we assume that each fraud has roughly the same probability of being successful, and thus, that the total number of users to fall for all frauds operated by a miscreant is simply given by multiplying S by n. With these assumptions, we obtain, for the utility (i.e., the profit or loss miscreants can expect) U , the following inequality, in absence of any risks linked to being caught: U (t) ≥

Sn(t)f − Cinit (t) −S(Chost (t) + Ccont ) − BCbank − KCphone ,(1)

where t denotes time. Clearly, the policy maker wants U < 0. If, on the other hand, U ≫ 0, there is a high incentive for people to start fraudulent operations.

5.2 Fraud profitability We next turn to dimensioning each of the parameters in Eqn. (1). We consider t = 1 year in all discussions. We plot the number of occurrences the most commonly requested amounts of money f are observed in our database in Fig. 5. The spike at 45,001-50,000 JPY (roughly USD 500) coincides with the average monthly amount of “pocket money” typical Japanese businessmen are allowed to take from the household income (45,600 JPY in 2008, [27]).5 The average, over 1,268 records in our database, stands at f = 60, 462 JPY. Next, the initial cost Cinit combines that of a computer, which the fraudster likely already possesses, and of an Internet subscription. If the miscreant does not already own a computer, a basic model, around 28,000 JPY (e.g., an Asus EeePC 900X), would be more than sufficient. Likewise, the miscreant probably already subscribes to an Internet service, but assuming they do not, a modest 5

In Japan, the wife of the household typically plays the role of “Chief Financial Officer” and dispenses monthly allowances to the husband and children.

broadband access is all that they need. As an example, in 2009, Yahoo! BroadBand provides an ADSL “8 Mbps” plan for 3,904 JPY per month [8]. We get 0 ≤ Cinit ≤ 74, 848 JPY, where the upper bound is given by assuming a fully dedicated machine and Internet connection for setting up One Click Frauds, and is obtained combining the prices of purchasing a new PC and subscribing for one year to the Internet service. We evaluate Chost using maido3.com, a domain reseller and rental server popular with fraudsters (see Section 4). The Starter Pack Plan costs 3,675 JPY for an initial setup fee; domain registration and DNS service is free; the plan requires a three months advance payment of 22,050 JPY (monthly fee is 7,350 JPY). We gathered these numbers from our email communication with maido3. com. For a one-year subscription, we obtain Chost = 91, 875 JPY. Fraudulent bank accounts can be obtained for prices going between 30,000 and 50,000 JPY [1] from the black market. As previously mentioned in Section 4, bank accounts are easily forged if created in Internet banks or banks requiring only postal mail for new contracts since there is no physical interaction during the contracting process. Also, it is relatively easy to set up fraudulent accounts by taking advantage of the Japanese writing system. Bank accounts internally use a phonetic alphabet (katakana), different from the characters used for most names and nouns (kanji). It is thus possible to create ambiguous account names. For instance, both the “Baking Club of Shirai City” and “Shiraishi Mitsuko” (a person’s name) are pronounced exactly the same, and thus would have the same account holder information. By registering as a nonprofit organization, the fraudster may easily bypass most identity checks, and subsequently set up fraudulent transfers using the individual name instead. Creating an account in this fashion would cost much lower than 50,000 JPY. We can thus confidently assume Cbank ≤ 50, 000 JPY. A phone line is required for miscreants to have the ability to further pressure and blackmail the victim to pay money. Cell phones can be illegally purchased for approximately 35,000 JPY [1,3], and can be made untraceable by paying the monthly subscription fees of 7,685 JPY/month [3] at a convenience store, or by simply using a prepaid phone. Forwarding and anonymizing services discussed in Section 4 can be purchased for only 840 JPY/month [6]. Assuming all these services are purchased for a year yields an upper bound Cphone ≤ 137, 300 JPY. We make the modestly controversial assumption that Ccont = 0. Indeed, we suspect that most of the pornographic contents presented in One Click Fraud websites is simply copied and plagiarized from other (non-fraudulent) websites, or obtained through peer-to-peer transfers. Last, our analysis of Section 4 tells us that, on average, S ≈ 3.7 domains, while B ≈ 5.2 accounts, and K ≈ 1.3 phone lines. These numbers are obtained by looking at the graph G, and dividing, the total number of domains operated (481), bank accounts (684), and phone numbers used (176), by the number of connected subgraphs we found, including singletons (131). Reusing these numbers in Eqn (1), we obtain a simple linear condition for the fraud to be economically viable, that is, for U ≥ 0, we need n ≥ 3.8 users to fall for each fraud, within one year. This means that, as long as, for each scam operated, more than four people fall for the scam within a year, the miscreant turns a profit. In other words, there is an extremely strong incentive for aspiring criminals to engage in One Click Fraud. This strong incentive is not very surprising, given the low amount of skills and equipment needed to set up One Click

Frauds. What we find more interesting is how profitable One Click Fraud appears to be.

5.3 Legal aspects The above incentive assessment ignores the probability of getting caught, and the associated penalties resulting from arrest, which we detail next. Prosecution probability. Criminals take advantage of social norms and legal loopholes to commit One Click Frauds. First, most victims do not report these crimes. Indeed, to be able to legally charge a suspect, a victim must make a formal complaint to the court. Due to the embarrassment associated with the context of the fraud, many victims do not wish to participate in the accusations that may reveal their identity. Further complicating matters, is the fact that most DNS resellers and web hosting services used, as we have observed in our measurements, are physically situated outside of Japan. The part of the fraud infrastructure hosted in Japan, i.e., the phone line and the bank account, is equally hard to use for investigation. Indeed, police cannot obtain contact and network information from telecommunication networks unless they have an actual arrest warrant. Likewise, access to banking accounts is very restricted. Thus, prosecution probability is actually very low. Penalties. In addition, sentences are relatively light. Common fraud (e.g., blackmail), in Japan, carries a sentence of up to 10 years of imprisonment. However, One Click Frauds very often do not meet the legal tests necessary for qualifying as “fraud,” as in the vast majority of cases, the victim pays up immediately, and there is no active blackmailing effort from the miscreant. One could argue that they are nothing more than a sophisticated form of panhandling. As a result, the few sentences for cases related to One Click Fraud made public [2] were rather light, with fines ranging from 300,000 JPY to 2,000,000 JPY (≈ USD 3,000 to 20,000) and prison sentences ranging from probation to 2.5 years of jail time.

Date

Location

2/2004 - 4/2005 8/2004 - 8/2005 7/2006 - 4/2007 7/2006 - 11/2007 7/2007 - 8/2008

Osaka Iwate Saitama Chiba Yamaguchi

Damages (×106 JPY) 600 28 50 300 240

Victims

Ref.

10,000+ 450+ 700+ 3,400+ 3,500+

[33] [38] [19] [37] [10]

Table 5: Press reports of One Click Fraud arrests. of unsolved cases, as well as, some potential exaggeration in the losses incurred, the profit made by miscreants in practice appears sizable. We can compare this estimate with reports gathered from the press, which we summarize in Table 5. The profits made appear to be very high, which is not overly surprising considering the number of victims involved. Recall from the previous section, that one only needs about four victims to break even. Clearly, with victim numbers in the 450–10,000 range, we can expect very significant profits, which, in Table 5 are estimated between approximately USD 28,000 and 600,000 for each group arrested. Thus, the USD 90,000 – 360,000 estimate acquired from the police reports seems to be in the right order of magnitude. Ironically, the case reported in [38] names the suspect as a famous IT writer specializing in cybercrime and appearing in multiple TV programs to warn the public of the dangers of One Click Fraud. One cannot help but think that the suspect, being very familiar with the inner working of One Click Fraud, must have reached a conclusion identical to that of the present paper, that is, that there is a significant economic advantage to engage in such frauds. We also note that these arrests were likely possible by the sheer magnitude of the fraud. A criminal confining themselves to only a few dozens victims would likely be able to make a reasonable profit, while being hard to catch.

5.4 Field measurements We next use field data provided by the Japanese police [15], and compare their findings to ours. Note that the report [15] combines numbers for One Click Frauds and related confidence scams, so the numbers in this section are much more approximate than we would wish. However, they remain a useful starting point to roughly assess the economic impact of these frauds. Number of frauds per miscreant. First, the police acknowledges 2,859 cases of frauds leading to 657 arrests. It is very unlikely that the police would inflate the number of unsolved cases in an external publication, and it thus appears that each arrested individual was responsible for an average of 4.4 frauds.6 This number is slightly higher than S = 3.7 we found earlier, but the difference is hardly surprising, as the probability of getting caught increases with the number of sites operated. Profits made. The Japanese Police estimates, on average, between 2004 and 2008, that 26 billion JPY per year were swindled in various confidence scams, prominently including One Click Frauds. Dividing by the number of 2,859 cases the police reports, we find the average income per case to be approximately 9 million JPY over a year (≈ 90,000 USD), a quite staggering number, especially considering that each arrested individual was responsible for about four cases, potentially making around 360,000 USD. While we believe that this is likely an over-estimate, due to the unpublished number 6

In Japan, arrests are usually made only when the police is certain with 99% probability or more of the suspect’s guilt. The conviction rate is thus very high.

6.

DISCUSSION AND CONCLUSIONS

This paper attempts to provide a comprehensive picture of a confidence scam used in Japan, called One Click Fraud. By gathering over 2,000 reports of incidents from vigilante websites, we were able to describe a number of potential vulnerabilities that miscreants use (lax registration checks, resellers turning a blind eye to their customers’ activities), and also showed that the market appears to be quite heavily concentrated. The top eight miscreant groups are responsible for more than half the frauds we uncovered. At the same time, a large number of individuals seem to be participating in frauds of smaller magnitude. We showed that an important reason for these scams to flourish is the strong economic incentives miscreants have. They can break even as soon as they manage to successfully scam four victims for each fraud, and, on average can make profits in the order of USD 10,000-100,000 or more per year. Prosecution is difficult, since victims are reluctant to come forward, and the penalties that can be meted are relatively light. Reforming the law to impose harsher penalties is not easy, as proving the mere existence of a crime is cumbersome. On the other hand, prevention, identification, and take-down seems more feasible. Our study shows that identifying perpetrators can greatly benefit from a bird’s eye view of the network. In our discussions with the police, we learned that different cases are usually assigned to separate officers, and that communication could be greatly improved. For instance, one officer may investigate a fraudulent phone number, while another may be investigating an online fraud. If the

phone number is used in said fraud, clearly both officers would benefit from sharing the results of their investigations. However, such holistic approaches remain relatively rare in practice. Future work. We believe that, while we tried to provide as comprehensive a study as possible, we could enrich the data we obtained by looking for connections with other forms of crime in more details. Our conclusions, thus far, are that these domains do not apparently engage in other forms of fraud, but are based on a relatively simple check of known blacklists. Studying in more details WHOIS registrations cross-listings, as well as possible connections with more “mainstream” pornographic sites could reveal further insights. Also, an article issued at the time of this writing [9] shows that One Click Fraud is now using peer-to-peer software as a propagation vector for viruses very similar to Trojan.HachiLem. While the propagation method is new, the psychological factors making such scams successful remain the same. Finding how to address these psychological traits is a promising area of research, quite related to ongoing works in security psychology [28]. We have also observed, in the police records that we eventually were not able to use, that 71 out of 359 scams reported were SMSbased. That is, One Click Frauds are also affecting mobile websites. Whether the perpetrators are the same, or different groups, remains unknown, and would warrant further investigation. Despite being focused on a very specific crime, we believe that some of the methodology we used in this paper (graph-theory based modeling, and clustering techniques, for example) could very well apply to other forms of online frauds. As mentioned in the introduction, One Click Frauds are closely related to the more general body of scareware scams, and some of the techniques we use could equally apply to analyzing scareware markets. More generally, we hope this paper will help facilitate an ambitious research agenda to gather more data from online criminal activities. An improved understanding of the economics of online crime is indeed essential in determining which policies may work to curb the problem.

7. ACKNOWLEDGMENTS This research benefited from many discussions with Kilho Shin, Jens Grossklags, and with our colleagues at Carnegie Mellon CyLab, both at CyLab Japan and in Pittsburgh. Comments from the ACM CCS anonymous reviewers, Sasha Romanosky and Alessandro Acquisti provided valuable feedback on an earlier revision of this manuscript. The Hyogo Prefecture Police was instrumental in availing to us the case data used in Section 5. Ashwini Rao and Lirida Kercelli helped with some of the DNS black-listing tests. Sachi Iwata-Christin supplied additional translation assistance.

8. REFERENCES [1] Black market yamamoto web. In Japanese. http://yamashita0721.web.fc2.com. Last accessed April 16, 2010. [2] Koguma-neko teikoku. http://www.kogumaneko.tk. [3] Manual on how to live anonymously. In Japanese. http: //homepage3.nifty.com/nonu/tokumei1.html. Last accessed April 16, 2010. [4] MeCab: Yet another part-of-speech and morphological analyzer. http://mecab.sourceforge.net. [5] Ni-channeru (Channel two). http://www.2ch.net. [6] Symphonet Services. http://symphonet.co.jp. [7] Wan-cli zukan. http://zukan.269g.net/. [8] Yahoo! BB ADSL. http://bbpromo.yahoo.co.jp/adsl/type2/. Last accessed Apr. 16, 2010.

[9] BBC News. Porn virus publishes web history of victims on the net. Apr. 15, 2010. http://news.bbc.co.uk/2/ hi/technology/8622665.stm. Last accessed Apr. 16, 2010. [10] Chugoku Shimbun. Arrested for One Click Fraud. August 16, 2008. http://www.chugoku-np.co.jp/News/ Tn200808160061.html. Last accessed Nov. 21, 2009. [11] P. Eckersley. How unique is your web browser? In Proc. PETS’10, Berlin, Germany, July 2010. [12] J. Franklin, V. Paxson, A. Perrig, and S. Savage. An inquiry into the nature and causes of the wealth of Internet miscreants. In Proc. ACM CCS’07, pages 375–388, Alexandria, VA, Oct. 2007. [13] C. Grier, K. Thomas, V. Paxson, and M. Zhang. @spam: The underground in 140 characters or less. In Proc. ACM CCS’10, Chicago, IL, Oct. 2010. To appear. [14] C. Herley and D. Florêncio. Nobody sells gold for the price of silver: Dishonesty, uncertainty and the underground economy. In Proc. (online) WEIS’09, June 2009. [15] Japan National Police Agency. Incident report and monetary damages of direct deposit frauds, 2009. Archived at http://megalodon.jp/2010-0223-1659-40/ www.npa.go.jp/safetylife/seianki31/1_ hurikome.files/Page386.htm. Last accessed April 16, 2010. In Japanese. [16] Japanese Information Technology Promotion Agency. Virus detection reports, Oct. 2009. In Japanese. http://www.ipa.go.jp/security/txt/2009/ 10outline.html. Last accessed April 20, 1010. [17] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In Proc. ACM CCS’08, pages 3–14, Alexandria, VA, Oct. 2008. [18] N. Kato and T. Kawabata. The advance of the fraudulent business scheme through the it and the legal measures of specified business transaction. In Proc. AIEEJ Media Computing Conference, 2007. In Japanese. Abstract available at http://www.jstage.jst.go.jp/ browse/aiieej/35/0/_contents/-char/ja/. Last accessed April 10, 2010. [19] Mainichi Shimbun. Fraud: Suspect arrested again for requiring a registration fee for unauthorized access. March 4, 2007. http://blog.goo.ne.jp/alladult/e/ 4a53e012de3c0335a838d99161e9d8bc. Last accessed April 16, 2010. [20] Ministry of Justice, Japan. Act on special provisions to the civil code concerning electronic consumer contracts and electronic acceptance notice. English translation at http://www.japaneselawtranslation.go.jp/ law/detail/?yo=&ft=2re=01&ky=&page=3. Last accessed April 10, 2010. [21] T. Moore and R. Clayton. Examining the impact of website take-down on phishing. In Proc. APWG eCrime’07, pages 1–13, Pittsburgh, PA, Oct. 2007. [22] T. Moore and R. Clayton. Evil searching: Compromise and recompromise of Internet hosts for phishing. In Proc. Financial Crypto’09, pages 256–272, Barbados, Feb. 2009. [23] T. Moore, R. Clayton, and R. Anderson. The economics of online crime. J. Econ. Persp., 23(3):3–20, Summer 2009. [24] T. Moore, R. Clayton, and H. Stern. Temporal correlations between spam and phishing websites. In Proc. USENIX LEET ’09, Boston, MA, April 2009.

[25] T. Moore and B. Edelman. Measuring the perpetrators and funders of typosquatting. In Proc. Financial Crypto’10, Canary Islands, Spain, Jan. 2010. [26] N. Provos, P. Mavrommatis, M. Rajab, and F. Monrose. All your iFrames point to us. In Proc. USENIX Security’08, San Jose, CA. Aug. 2008. [27] Shinsei Financial. Japanese businessmen monthly allowance, 2009. In Japanese. http://www.shinseifinancial. co.jp/aboutus/questionnaire/kozukai2009/. Last accessed April 16, 2010. [28] F. Stajano and P. Wilson. Understanding scam victims: Seven principles for systems security. Tech. Rep. UCAM-CL-TR-754, Cambridge U., Aug. 2009. To appear in Comm. ACM. [29] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proc. ACM CCS’09, pages 635–647, Chicago, IL, Oct. 2009. [30] P. Swire. No Cop on the Beat: Underenforcement in E-Commerce and Cybercrime. J. Telecom. and High Tech. Law, 7(1):107–126, Winter 2009. [31] R. Thomas and J. Martin. The underground economy: Priceless. ;login:, 31(6):7–16, Dec. 2006. [32] Tokyo Metropolitan Police Association. Stop frivolous billing requests! In Japanese. http://www.anzen. metro.tokyo.jp/net/attention.html. Last accessed April 15, 2010.

[33] Tokyo Shimbun. First arrest for One Click Fraud. In Japanese. April 13, 2005. http://www6.big.or.jp/ ~beyond/akutoku/news/2005/0413-10.html. Last accessed April 16, 2010. [34] Toyo Keizai Inc. Quarterly Corporate Report Sector Map 2010. 2009. [35] Webhosting.Info. Largest ICANN registrars, Nov. 2009. http://www.webhosting.info/registrars/ top-registrars/global/. [36] G. Wondracek, T. Holz, C. Platzer, E. Kirda, and C. Kruegel. Is the Internet for porn? An insight into the online adult industry. In Proc. (online) WEIS’10, Cambridge, MA, June 2010. [37] Yomiuri Shimbun. Company president arrested for two click fraud. November 28, 2007. http://www.yomiuri.co. jp/net/security/s-news/20071128nt0c.htm. Last accessed April 16, 2010. [38] Yomiuri Shimbun. IT writer arrested. November 8, 2005. http://www.yomiuri.co.jp/net/news/ 20051108nt03.htm. Last accessed April 16, 2010. [39] J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economy on the Chinese web. In Proc. (online) WEIS’08, Hanover, NH, June 2008.