Dissecting One Click Frauds

Dissecting One Click Frauds∗
Nicolas Christin
Sally S. Yanagihara
Keisuke Kamataki
Carnegie Mellon INI/CyLab
Carnegie Mellon INI
Carnegie Mellon LTI/CS
[email protected]
[email protected]
[email protected]
ABSTRACT
1.
“One Click Fraud” is an online confidence scam that has been
plaguing an increasing number of Japanese Internet users, in spite
of new laws and the mobilization of police task forces. In this scam,
the victim clicks on a link presented to them, only to be informed
that they just entered a binding contract and are required to pay
a registration fee for a service. Even though no money is legally
owed, a large number of users prefer to pay up, because of potential embarrassment due to the type of service “requested” (e.g.,
pornographic goods).
Using public reports of fraudulent websites as a source of data,
we analyze over 2,000 reported One Click Frauds incidents. By
correlating several attributes (WHOIS data, bank accounts, phone
numbers, malware installed...), we discover that a few fraudsters
are seemingly responsible for a majority of the scams, and evidence
a number of loopholes these miscreants exploit. We further show
that, while some of these sites may also be engaging in other illicit activities such as spamming, the connection between different
types of scams is not as obvious as we initially expected. Last, we
show that the rise in the number of these frauds is fueled by high
expected monetary gains in return for very little risk. The quantitative data obtained gives us an interesting window on the economic
dynamics of some online criminal syndicates.
In the family apartment in Tokyo, Ken is sitting at his computer,
casually browsing the free section of a mildly erotic website. Suddenly, a window pops up, telling him,
Categories and Subject Descriptors
K.4.1 [Public Policy Issues]: Abuse and crime involving computers
General Terms
Measurement, Security, Economics
Keywords
Online crime, web frauds
∗This research was partially supported by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 from the Army Research Office, and by the National Science Foundation under ITR award
CCF-0424422 (TRUST).
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
CCS’10, October 4–8, 2010, Chicago, Illinois, USA.
Copyright 2010 ACM 978-1-4503-0244-9/10/10 ...$10.00.
INTRODUCTION
Thank you for your patronage! You successfully registered for our premium online services, at an incredible price of 50,000 JPY.1 Please promptly send your
payment by bank transfer to ABC Ltd at Ginko Bank,
Account 1234567. Questions? Please contact us at
080-1234-1234.
Your IP address is 10.1.2.3, you run Firefox 3.5 over
Windows XP, and you are connecting from Tokyo.
Failure to send your payment promptly will force us
to mail you a postcard reminder to your home address.
Customers refusing to pay will be prosecuted to the
fullest extent of the law.
Once again, thank you for your patronage!
A sample postcard reminder is shown on the screen, and consists
of a scantily clad woman in a provocative pose. Ken has a sudden panic attack: He is married, and, if his wife were to find out
about his browsing habits, his marriage would be in trouble, possibly ending in divorce, and public shame. In his frenzied state of
mind, Ken also fears that, if anybody at his company heard about
this, he could lose his job. Obviously, those website operators know
who he is and where he lives, and could make his life very difficult.
Now, 50,000 JPY (≈ USD 500) seems like a small price to pay to
make all of this go away. Ken immediately jots down the contact
information, goes to the nearest bank, and acquits himself of his
supposed debt.
Ken has just been the victim of a relatively common online scam
perpetrated in Japan, called “One Click Fraud.” In this fraud, the
“customer,” i.e., the victim, does not enter any legally binding agreement, and the perpetrators only have marginal information about
the client that connected to their website (IP address, User-Agent
string), which does not reveal much about the user.2 However, facing a display of authority stressed by the language used, including the notion that they are monitored, and a sense of shame from
browsing sites with questionable contents, most victims do not realize they are part of an extortion scam. Some victims even call
up the phone numbers provided in hopes of resolving the situation,
1
Over the past five years, on average, 100 JPY≈ 1 USD.
The Panopticlick project [11] aims to show that browser fingerprints can divulge considerable information about the user. However, none of the One Click Fraud websites we investigated appears
to use any advanced browser fingerprinting techniques.
2
This is the author's version of the work. The original paper can be
found in the ACM digital library: http://doi.acm.org/10.1145/1866307.1866310
and disclose private information, such as name or address, to their
tormentors, which makes them even more vulnerable to blackmail.
As a result, One Click Frauds have been very successful in Japan.
Annual police reports show that the estimated amount of monetary damages stemming from One Click Frauds and related confidence scams are roughly 26 billion JPY per year (i.e., USD 260
million/year). The rapid rise of such frauds has led to new laws being passed [18, 20], to the deployment of police task forces specifically put in charge of solving these frauds, and to specialized help
desks [16]. In addition, there have been so far, on average 657 arrests and 2,859 solved cases per year [15]. Considering the lack of
technical sophistication needed to set up such extortion schemes,
and the fact that bank accounts and phone numbers can be made
very hard to trace in Japan (discussed in Section 5), it appears that
One Click Frauds offer easy money to aspiring criminals.
From a research point of view, One Click Frauds offer a unique
opportunity for a case study in online crime economics. First, One
Click Frauds, are extremely localized. We have not seen any instance of this specific fraud outside of Japan, presumably due to the
fact that the scammers prey on unique Japanese cultural characteristics, such as respect of authority, or embarrassment at the idea of
causing trouble. Rather than limiting our research, we view this local aspect as an opportunity. Indeed, because One Click Frauds are
contained to Japan, and are almost exclusively used in Japaneselanguage websites, we can obtain a relatively exhaustive view of
how these frauds are deployed and the characteristics they share,
without the need for a complex measurement infrastructure. Furthermore, One Click Frauds, albeit unique, are very closely related
to the body of scareware scams (e.g., windows popping up trying
to entice users to buy fake anti-virus software) that are becoming
increasingly pervasive, and we believe One Click Frauds offer an
interesting insights into this type of criminal enterprise.
The first contribution of this paper is to collect and analyze a
corpus of over 2,000 reported One Click Fraud incidents, and to use
the data collected to paint a relatively clear picture of the economic
dynamics of an instance of online criminal activity.
Specifically, we set out to answer the following questions: Who
is committing these frauds? Are One Click Frauds the product of
organized criminal activities, or are they more artisanal in nature,
with many aspiring crooks trying their luck? How much do criminals stand to gain? Are there vulnerabilities in the network infrastructure (e.g., weak registration processes, easy access to compromised accounts, etc...) that are easily exploited by the miscreants?
In the process of finding answers to these questions, a second important contribution of our paper is to provide monetary amounts,
which help dimension the size of the One Click Fraud market, and
the profits potentially made. While economic modeling of cybercrime has been an increasingly active research topic (see for instance [12,17,23,25,36]), we believe that obtaining additional measurements and clearly detailing the methodology we employ should
help enrich our knowledge of how online criminal syndicates operate, while assuaging concerns on the validity of the estimates formulated [14]. Furthermore, some of the measurement methodology we employ is likely to be applicable beyond the context of One
Click Frauds.
Moreover, our analysis methodology can be helpful to law enforcement agencies. Law enforcement typically assigns different
fraud instances to specific agents, who mostly operate independently of each other. However, we show that, by analyzing a relatively large dataset of frauds, we can extract characteristics that
are not visible when considering smaller subsets of these frauds.
These characteristics can in turn be useful to law enforcement in
identifying, and perhaps prosecuting, the miscreants behind these
crimes [30].
The rest of this paper is organized as follows. We review the
related work in Section 2. We then explain our data collection
methodology in Section 3. We turn to analyzing the data collected
in Section 4. We use this analysis to study economic incentives for
the perpetrators in Section 5, before discussing the implications of
our study, and drawing brief conclusions in Section 6.
2.
RELATED WORK
Moore et al. contend that online crime has become economically
significant since around 2004 [23]. Hence, research in measuring
the economic impact of online crime is a relatively recent field, but
a number of papers on the topic have been published in the past
couple of years. We present several important advances in the field
in this section, and refer the reader to Moore et al. [23] for a more
exhaustive treatment of the literature.
Some of the pioneering work in the field has tried to quantify
the value of fraudulent financial credentials as well as that of compromised hosts (“bots”), through passive observations. In particular, Thomas and Martin [31], and Franklin et al. [12] monitor IRC
channels where miscreants attempt to sell commodities as diverse
as stolen credit card numbers, bank account credentials, or email
databases for spam, to obtain estimates of the value of these items
as well as the volumes of the market associated with exchanges of
such goods.
Along the same lines, Zhuge et al. [39] describe how criminals
operate in Chinese underground markets, and provide some insight
regarding some of the goods exchanged in these markets by monitoring web forums where such items are advertised; a particularly
popular item appears to be forged or stolen online video game currency.
Passive monitoring, as discussed above, has been criticized for
only measuring advertised prices, as opposed to actual realized
sales [14]. A more recent line of research addresses this concern
by actively participating in the online exchanges, by essentially
“hijacking” some of the infrastructure used by miscreants. Kanich
et al. [17] infiltrate a large botnet, and modify some of the spam
traffic generated by the botnet to redirect purchases to a server under their control, thereby acquiring data on spam conversion rates.
The key insight is that 350 million spam messages sent resulted in
28 sales. In other words, Kanich et al. measure very low conversion rates in their experiment. But, considering the cost of spam
is negligible, and that bots can be used to generate other forms of
profit (e.g., phishing site hosting), spam remains a relatively popular form of crime. Furthermore, a study of spam on the Twitter
social networking site [13] shows considerably higher click rates
(0.13%) than previously observed in email spam, which illustrates
that spam remains economically relevant. Other relevant measurement studies include a botnet take-over described in Stone-Gross et
al. [29], who monitor the type of services supported by the Torpig
botnet. In a similar vein, Wondracek et al. [36] focus on the economics of the distribution of pornographic materials, by covertly
operating an adult web server.
Perhaps closer in spirit to the methodology we employ in this paper, a significant body of literature [21, 22, 24] is devoted to quantifying the economic impact of phishing scams, as well as the modus
operandi of the attackers. One of the main outcomes of this line
of research is to evidence that a large proportion of phishing activities are carried out by a modest number of phishing gangs, who
use relatively sophisticated “fast-flux” techniques, where phishing
sites are used as disposable commodities hosted on compromised
hosts. This body of research puts the number of phishing web-
sites at around 116,000. Likewise, Moore and Edelman [25] gather
a large corpus of data on typosquatting domains, to quantify the
economic value of such sites, as well as potential disincentives for
advertisement networks to intervene forcefully. Finally, Provos et
al. [26] provide a comprehensive overview of web-based malware
distribution, showing that there are in excess of 3 million web pages
attempting to infect their visitors.
The work we present here is complementary to the existing literature. To our knowledge, this is the first time One Click Frauds are
analyzed from a quantitative and technical perspective. (Research
on the legal ramifications and countermeasures, on the other hand,
has been active [18].) More generally, we focus on a relatively
contained instance of a scam, and attempt to gather both economic
data (potential revenue, deployment costs to the perpetrators...) and
structural data (number of players, relationships between players,
...) through a systematic measurement methodology, which we believe can be useful beyond the study of this specific fraud.
blog, where the website owner periodically posts notifications in a
fixed format. Outsiders cannot directly post to the site.
Parsing the data from Wan-Cli Zukan and Koguma-neko Teikoku
is straightforward, as both sites use a predetermined format for all
posts relevant to One Click Frauds. Likewise, the data is of high
quality. Randomly sampling the reported sites, we did not find a
single instance of slander – i.e., benign sites which would be reported as fraudulent. Either the sites reported were, indeed, hosting
One Click Frauds, or they had been recently taken down.
3. DATA COLLECTION
To find instances of One Click Frauds, we rely on public forums
which report fraud incidents, along with details regarding the website being used, the amount of money extorted, as well as fraudster
contact information (bank account number, phone number, ...). We
collect data from three public forums:
2 Channel BBS [5]: The largest bulletin board in Japan, which provides discussion threads on various topics ranging from Japanese
anime to sports. Several ongoing threads are dedicated to exposing
One Click Frauds.
Koguma-neko Teikoku [2]: Privately owned website providing
help to solve consumer problems related to online activities. A section of the site is devoted to describing One Click Frauds, including
information about scam incidents.
Wan-Cli Zukan [7]: Privately owned website solely devoted to
exposing websites partaking in One Click Frauds.
Collection methodology. We gather data posted on the three websites we polled over a period of roughly three years (2006-2009).
Specifically, we collect 2 Channel posts made between March 6,
2006 and October 26, 2009, Koguma-neko Teikoku posts made between August 24, 2006 and August 14, 2009, and Wan-Cli Zukan
posts made between September 6, 2006 and October 26, 2009. All
in all, we gathered 2,140 incident reports. Collection of this data
took place between May and November 2009. While it is difficult
to determine how exhaustive our data collection is compared to the
total number of frauds perpetrated, we note that there is a significant overlap in the data provided by all three sites, which indicates
we probably captured the most successful frauds, and that our coverage is likely adequate.
Initially, we also tried to extract information from data provided
by the Japanese police [32]. Unfortunately, these reports are in image format, and do not contain much actionable information, even
after using optical character recognition. Indeed, most of the interesting details (e.g., bank account used) are often not divulged.
Data parsing. The three sites present marked differences. 2 Channel is based on anonymous postings from various users who have
encountered a One Click Fraud website and post notifications to
other users. Due to its popularity and large user base, 2 Channel contains a wealth of information. However, because 2 Channel threads are essentially an open discussion, parsing the data
for useful input is challenging. Koguma-neko Teikoku is also a
collaborative web space, but, different from 2 Channel, Kogumaneko Teikoku requires posters to input information about One Click
Frauds in a specified format. Finally, Wan-Cli Zukan is closer to a
Figure 1: Example of 2 Channel posting. The lack of structure
makes parsing slightly complex. Here, usable information is
only contained in the squared area; oftentimes, formatting is
even more haphazard.
On the other hand, 2 Channel is considerably more challenging to use. An example of 2 Channel posting is shown in Fig. 1.
Since the data is not formatted according to a specific standard, we
have to perform some basic text segmentation. Adding to the difficulty, is the fact that the Japanese language does not have a rich set
of punctuation rules. For instance, words are rarely separated by
spaces, there is no capitalization, and most characters have a couple of different readings depending on the context. Furthermore,
in forums like 2 Channel, specialized slang and abbreviations are
the norm, rather than the exception. To perform text extraction,
we use the MeCab parser and data analyzer [4]. MeCab extracts
Japanese characters into semantic units. This allows us to obtain a
list of tokens, such as “ginko” (bank), “Sumitomo” (name), “hutsuu” (usual), “1234567.” We can then perform context-dependent
parsing. The previous series of token tells us that it is highly likely
that the poster talks about a “usual” checking account number 1234567
at Sumitomo bank.
Despite the added difficulty of parsing 2 Channel threads, we did
not encounter any erroneous or libelous postings. While a certain
level of verbal abuse is present in such an unmoderated forum, it is
easily separated from relevant information, once text segmentation
is performed.
Extracted attributes. For all three sources of data, after having
parsed and cleaned the input, we extract the following attributes:
URL of the fraudulent website; Bank account number given by
the fraudster for remittance of funds; Bank name; Branch name;
Account holder name; Contact phone number; Registration fee requested (i.e., amount of the fraud).
Some of these attributes (e.g., account holder name) are probably
fake. However, for the fraudsters to be able to receive money, the
financial information has to be genuine. Likewise, contact informa-
Data source
2 Channel
N.
1077
Unambiguous, w/ URL
Unambiguous, w/o URL
Ambiguous, w/ URL
Ambiguous, w/o URL
records
Registrar
353
174
218
332
Go Daddy
ENom
Tucows
Network
Solutions
Schlund
+Partners
Melbourne IT
Wild West
Domains
Moniker
Register.com
Public Domain
Registry
372
Koguma-neko
Unambiguous, w/ URL
Ambiguous, w/ URL
Ambiguous, w/o URL
2
362
8
691
Wan-Cli Zukan
Unambiguous, w/ URL
Unambiguous, w/o URL
632
59
Table 1: Number of extracted fraud incidents from each source.
tion (email and phone numbers), when present, is usually accurate,
as miscreants provide the victims with a way of “calling back” to
further their social engineering attacks.
Table 1 describes the number of fraud incidents that we extracted
from each of the three sources of data. Note that, these sources
are not mutually exclusive. In fact, we have significant overlap
between the different sources.
Second, the raw data that we extract needs to be cleaned up
significantly. A number of records are incomplete to some extent (missing phone number for example); out of these incomplete
records, particularly problematic are records that do not contain a
URL field, as the existence of a fraud cannot be verified. In addition, a number of records are ambiguous in that some fields have
more than one entry. For instance, a given post may contain one
URL but several phone numbers. Most of these records need to be
scrutinized manually, to check whether parsing was done correctly
and whether the record indeed contains several fields.
All results are stored in a MySQL database. We illustrate a typical entry in our database in Table 2. To help make our experiments reproducible, we make a copy of a dump of our database
available (in gzip’ed form) at http://arima.ini.cmu.edu/
public/oneclick.sql.gz.
After having cleaned up our original dataset, we use the extracted
URL to infer the domain hosting the fraud, and, whenever possible, to obtain registrar (“WHOIS”) information. We also periodically download the corresponding website (using wget in recursive mode) to check for potential changes indicating a take-down,
and to check for the presence of malware on the fraudulent site.
Note that, due to the time interval (three years) over which incident reports we collect were reported, a significant amount of data
points to sites that have long been taken down. Thus, a number of
records are hard to verify and may be missing information. For example, we have a smaller number of entries with valid DNS domain
information, compared to the number of incidents reported.
4. DATA ANALYSIS
We next turn to analyzing the relatively large corpus of One
Click Frauds we gathered. Specifically, we seek loopholes in the
infrastructure that attackers are able to exploit. We then try to assess some of the characteristics of the online criminal market behind One Click Frauds, and in particular, investigate whether some
miscreants are responsible for several frauds. Last, we try to determine whether fraudsters engage in other illicit activities beyond
One Click Fraud.
Market
share [35]
29.08%
8.30%
6.82%
6.06%
4.38%
4.34%
2.89%
2.43%
2.40%
2.17%
Registrar
ENom
GMO Internet
Above
Go Daddy
Tucows
Key Systems
New Dream
Network
Abdomainations
All Earth
Domains
Dotster
Moniker
OTHER
Prop.
of frauds
47.56%
17.48%
5.14%
4.11%
3.34%
2.83%
1.54%
1.29%
1.03%
1.03%
1.03%
13.62%
Table 3: Registrars used in One Click Frauds. The left table
shows the market share of the 10 most popular registrars (and
thus does not sum to 100%). The right table shows the 11 most
frequently used registrars in One Click Frauds, along with the
respective proportion of frauds they host. Numbers are obtained out of the 389 fraudulent domains for which WHOIS
information was accessible.
4.1
Infrastructural loopholes
We start by checking our data corpus for evidence of repeating
patterns in the attributes we collected. The idea is that, departures from usual patterns may indicate evidence of vulnerabilities
in the infrastructure. If, for instance, a disproportionate number of
frauds uses bank accounts at Bank X, one can reasonably infer that
Bank X processes for identity verification and account establishment are flawed.
We first consider the phone numbers used by fraudsters. We are
able to identify the phone number used for callback in 516 separate
incidents. We check the phone numbers in our database against the
phone number ownership list published by the Japanese Ministry
of Internal Affairs and Communications. We find that 38.6% of
the phone numbers used in One Click Frauds are au cellular lines,
23.3% are Softbank cellular lines, and 16.5% are local landlines for
the Tokyo area. A 2009 report about the Japanese cellular phone
market [34, pp. 78–79], tells us that au has about 25% of the market
share, while NTT Docomo represents about 50% of the market.
So, it appears that au cellular lines are significantly targeted by
fraudsters. Whether this is due to lax registration practices, or to
easier access to compromised lines, is unclear. The large proportion
of Tokyo numbers may be explained not only by the amount of
population in that area, but also by the fact that most forwarding
services, which redirect all incoming calls to a different number
while preserving the anonymity of the callee, use Tokyo numbers.
Next, we identify the bank used in 803 separate incidents. We
observe that online banks tend to be slightly more represented in
these frauds than their actual market share should warrant. For example, 116 frauds (14.44%) use the online Seven Bank. On the
other hand, this bank does not have as significant a market share in
Japan [34, pp. 82–83]. eBank and JapanNet Bank are two other examples of online banks used at a notable level (around 3%) in One
Click Frauds, while holding only a small market share. A possible
explanation is that online banks do not require a physical interaction to let individuals open an account, and are thus potentially
more prone to abusive registrations.
ID
370
Branch
Koenji
Date posted
2007-02-03 00:00:00
Acct. Type
Checking
URL
http://www.331164.com/
Acct. Number
7184701
IP
69.64.155.122
Acct. Holder
Takahashi, Mizuki
Email
[email protected]
Phone #
080-5182-7956
Bank
Sumitomo Mitsui
Fee
JPY 88,000
Table 2: Example of database entry. Note that not all attributes can always be extracted.
40
do
3.
co
m
n.
co
m
ai
om
an
.co
m
80
co
de
.co
m
sponse with invoicing details. A simple money transfer was all that
was needed; and this could be performed anonymously by using
cash at a convenience store. The reseller promised the site would
be up within 30 minutes of the payment being sent. No identity
checks were ever performed. In other words, this specific reseller
appeared to be easy to abuse for fraudulent activities. While we
have not attempted the same type of test with the other “popular”
resellers, we venture to guess that their registration processes are
likely easily abused as well.
lli
tre
−p
as
ix
ed
m
ed
ia
m
.n
et
ho
s t.
co
m
sm
dn
ov
sv
x.
ie
jp
.c
5
fre
e
10
m
15
dr
ea
20
ue
−d
om
25
ai
m
30
va
l
Number of websites hosted
35
0
Figure 2: Number of websites hosted by the resellers used in
more than one incident.
We observe even more interesting patterns, when we look at
DNS registrars and resellers that are abused by fraudsters. Table 3
compares the market share, as of Nov. 2009, of the top domain
name registrars [35] with the proportion of registrars used by domain names participating in One Click Frauds. We are able to identify the registrars used in 389 incidents. We note that ENom is apparently much more victim of abuse than other top domain name
registrars. Likewise, Above and GMO Internet rank highly with
fraudsters, while not having significant market share. This result
can indicate one of two possibilities: Either these registrars have
very lenient registration policies, or they entrust some of their domains to resellers that are not perfectly scrupulous.
To find out which domain name resellers are used, we examine
the DNS field in the WHOIS record associated with the domain
used in each One Click Fraud. A large number of sites we investigate have been taken down (particularly those obtained from 20062007 sources). In some cases, though, the One Click Fraud sites
have been replaced by domain parking pages, and thus still have
valid WHOIS information, which may reveal information on the
reseller used. Another large number of sites use either their own
DNS server, or free DNS services like opendns.com, and are
thus discarded from analysis. We complement investigation of the
WHOIS DNS fields with a simple reverse DNS/DNS lookup script.
For instance: dig +short admovie69.com | xargs dig +short -x
yields ikero.dreamhost.com, which tells us the web hosting
service is dreamhost.com.
We eventually manage to identify the resellers in 97 incidents.
In Figure 2, we graph the number of at resellers that are used in
more than one incident. We note that, for our successful lookups,
a couple of resellers (maido3.com, value-domain.com, ...)
appear to be highly represented. They tend to be cheap resellers,
with lax, or absent registration checks.
Specifically, we investigated further maido3.com. We used
a disposable email address to request rental of a specific domain
name and server space. We used a fake name, address and phone
number, which could have been easily spotted, as the address was
that of a famous subway station. We received an immediate re-
4.2
Grouping miscreants
We next attempt to determine whether we can find evidence of
organized criminal activities through miscreant behavior. In this
paper, we qualify by “organized criminal activity” large scale operations involving many frauds, using a considerable number of bank
accounts and stolen or abused phone lines, and possibly coordinating with other organizations to deploy malware or share stolen
information. We contrast such large scale operations with those
involving only a couple of sites.
Methodology. We define an undirected graph G = (V, E) as follows. We create a vertex v ∈ V for each domain name, bank
account number, or phone number our database contains. Then, we
connect vertices belonging to the same fraud with edges E. For
instance, if our database contains an entry for a fraud hosted on
example.com, with bank account number 1234567 and phone
number 080-1234-1234, we add (v1 , v2 , v3 ) = { example.com,
1234567, 080−1234−1234} to V , and three edges (e1 , e2 , e3 ) =
{v1 ↔ v2 , v1 ↔ v3 , v2 ↔ v3 } to E. Note that, by building the
graph G in this fashion, two nodes of the same type (domain name,
bank account number, phone number) never link directly to each
other, but can be connected through an intermediary. For example,
two websites using the same phone number result in a connected
path between the three concerned nodes. One natural question is
why we chose not to link two different domain names pointing
to the same IP address. The reason is, that we realized that this
happened sometimes for sites that were markedly different, only
because they were co-hosted on the same machine by a common
reseller. In other words, both incidents shared the same web hosting provider, but were not related otherwise. We decided to err on
the side of caution, and not to consider identical IP addresses as a
strong indicator of identical ownership.
Parsing the entire database yields a graph with 1,341 nodes and
5,296 edges. We first isolate 26 “singletons” representing connected subgraphs containing at most three nodes, and at most one
domain name, one phone number and one bank account. These
singletons represent incidents that we cannot connect to any other
fraud. All “one-off” scams fall in this category. Excluding the 26
singletons, the whole graph G contains 105 connected subgraphs
(“clusters”), with sizes ranging from a couple of nodes and edges
to a large cluster containing 179 nodes (56 domains, 112 bank accounts, 11 phone numbers), and 696 edges.
We plot the graph G in Fig. 3. While the specific domain names,
phone numbers, and bank account numbers are not readable at this
scale, we can clearly distinguish the connected subgraphs, which
angel−blog.jp
franky−tube.com
0352183
0414092
441583
0331261
cutieluv.net
08011594469
0363802956
0225110
7160136
5329658
1619457
himawari−blog.com
0792520388
1641074
hanabi−don.com
bukkakex.net
todaysmovie.sakura.ne.jp
todaysmovie.net
1470805
8860037
0386661
1078564
0358519965
moon−a.com
8842125
a−milk.net
09091503831
1953945
5317013
1657050
nip−go.net
ad−hole.com
1209448
bubble−gum.jp
6311731
0894719
jannie.jp
2037698
1611762
204246
357089
little−ag.com
3956232
beguru.jp
7595857
1351803
subi−ing.com
juku−juku.com
movie−love.com
sexy2.jp
1340013
374480
cha−nel.jp
0358519962
0332860
bubuko.jp
tirallin.com
1637788
alsoira−p.com
1391139
a−file.net
5333906
a−vivi.net
coro56.com
5092915
1494273
3156739
0120555061
tv−adult.net
meron−pan.com
1194160
pyuride.com
4099066
347670
avclinic.net
1638224
7019885
best−mov.com
cinderella−movie.com
nurenuremanko.com
0351715
3779326
1999395
idol−douga.jp
3161820
4041614
hateblog.jp
346902
08031241652
1675648
216072
08065323977
mermaid−haisin.com
7810164
adult−collection09.net
1078676
08011659432
0330248
info.net
1426302
0358519964
0358519961
09088123505
5329569
341687
4044113
1418160
0157663
0120540940
4032599
grin−2.com
0349541
7696035
adult−dream.net
5328716
cheezu.net
0340035
gal−star.com
370195
adult−player.net
nasubi−ing.com
1219556
5092923
1633117
peppar.jp
aitaiyo.jp
1637730
9061683
paradise−fish.com
bettyser.com
5092702
376896
08053424771
340276
1164647
0332144
cherry−move.com
0346902
frury.com
masa−mune.com
280138
428410
2425448
08034984656
3099458
0208028
love−gal.com
375644
puni−2.com
e−sweets.jp
5329542
love−aware.com
0588566
yamato71045.com
mmbga.jp
08065257334
nyaa−nyaa.com
merumon.com
1012826
7716465
lovechop.net
value−engineer.com
0423842
8696942
1518850
210943
5379464
adult2.net
0339501
slim−slim.jp
1487263
imazin.net
1010447
1651498
1865756
1950977
3441540
1759710
5340708
0360423
0358199234
05055330214
1083439
4084239
h−−ko.com
4539234
09017051122
08066575324
1185845
utubu.net
moe−moe.cc
whitelover.net
08066189305
0388841
itigo15.jp
5093385
3566662
0232729
0353528
cherry−love.net
douganews.jp
entameblog−seasea.net
8453987
09035485924
5336328
4073881
3375458
0359850337
0384968
312788
5543841
1391210
eroscamp.com
tendencys.com
722297
08066246703
qq−o−pp.com
389841
3175577
0120964819
0388018
malilin.net
cross−road.info
294566
qqqja.com
3011261
340312
entainfo.com
nixy.jp
0280138
0314398
382437
1125163
08035251179
6311758
free−dom1.tv
08033857316
1439051
6320366
1640981
343691
2688261
0120948843
0350164
cross−mode.net
11066531
ero−para.net
0388369
3271716
0354160
5333884
5095507
banana−gal.net
0475367
baxxyy.com
0465175
344238
5333281
0418224
0589849
prinprin.net
5096597
241683
global−hotline.org
08032515119
5091951
0325032
0333212
235900
0359389
club−cc.com
7630009
0372671
1670973
anything−c.com
08053422904
makkey−k.com
hi−quality.net
0383644
1998870
08061313149
bi−tiku.com
5421018501
8140429
chocoblo.com
0344784
7222297
tikantitai.com
08056979249
1806363
4746756
08012452071
0388902
1482222
6618793
movie−pie333.com
08061313142
0001963
entarou.com
2063510
smile2007.jp
1641759
0251320
08034984657
1406720
4538271
entameparadise.com
1740643
5328724
fresh−tube.net
1644890
8476199
0624983
0209571
08035910928
5339815
5262219
eroerolove.com
0388570
3969268
0340004
09099538764
nurevideo.com
oreoreo.net
0387134
moco−2.com
5319725
371234
sexy−pororin.com
4032244
muchihip.com
0326316
1998098
0387133
3079568
0014313
hamepara.com
4093947
anahime.info
1090428
08038207711
1051811
5335194
5333892
0329405
5332951
08054299771
adult−princess.com
0354038
ss−class.com
campus−love.jp
nukimedo.net
6649945
5046551
0661853000
2172159
3855981
5319717
09093671734
hanabi−after.com
6338532
1455876
0404455
5329704
porollin.com
0344238
adult−moody.com
0353548
mukekuri.org
hamekura.com
4090697
0120166335
1086185
5333931
mcnsd.com
0358475699
1477522
marmaid.cc
kiss−of−adult.com
1414113
5093369
0448745
0331970
5343057
08020542531
h−love.org
77756
1452331
2660037
5329909
3173405
08032435833
7251423
0344551150
angelsabc.com
1492268
0363806168
1627942
1290679
0350269
1941897
0658736
okazustation.com
1628498
erumo.jp
6746509
7700913
2013974
bisyo2.net
0363806070
mac−mac.jp
0357744311
entaenta.com
4695553
4053334
lady−impact.com
09083035035
09029127977
09035487922
april1980.com
ss−class.net
0493515
2833320
6523649
345041
09055871914
09060167620
8226311
march−2008.com
channel.jpn.ph
honeypoo.jp
erojiro.com
08055079961
0359999229
3481058
adult−dougaga.com
yaplog.jp
0404128
lovediscovery.net
2952751
vvindows.jp
oman5.com
6044604
09012122826
4017085
08068165797
channel−av.net
rivianan.com
5333485
4087416
08065409987
nureyubi.org
movie−h.com
4040027
geinouflash.com
1065019
3095372
1237177
1634727
09018030721
09047285631
hot−spot.cc
1801712
quicklegs.org
mokko−gals.info
dougadx.com
akume55.net
8290452
2313128
ktkr.cc
adult−55.com
idolroom.net
hitodumah.net
deepero.net
1107515
baby−cat−be.com
0384305
otakara−max.com
mihoudai.com
be−movie.org
1521668
0411692
sagjo.com
sweet−tenn.net
09017729724
6811034
idol−mania.net
kaZnetmovie
1383371
news−club.jp
3783847
deeper.bz
bgmovie.org
1609126
girl−mix.com
5157963
nozokix.cc
1734316
3146656
onaona.org
m−hunter.net
1583507
bm−mov.com
m−o−v−i8−es.com
0364576191
09045665062
mv69.org
admovie69.com
peroman.net
5313573
469831
honey−cute.com
mv−love.org
bgmv.net
0352925692
1301074
3510627
1005560
1143219
1383733
star−77.com
337767
pineapple−express−the−movie.net
rev−02.com
6672662
erogazo.net
0364576188
orange−girl.net
mvx55.org
08054295269
big−pink.net
4037555
erostube.muvc.net
433515
8094341
8975641
3494150
h093.com
gal−xx.net
goo−leak.com
1739475
candysweet.cute.bz
girl−box.net
mv−hunter.com
0120696403
09044522789
ero−anime−star.com
candy−sweets.net
6954047
hasikue.net
d−xxx.net
nukikko.net
4079227
0360843
0120964231
2182619
mania4u.net
tere.site.ne.jp
4443129
0359445
0369194966
1120635
08012315407
09038178656
av−flash.net
09060439730
movie−tubes.com
4058108
09061234110
0450617
bmov.bz
08055089225
2578585
1887032
aneona.com
movierock.info
1648593
adult−ch.com
cyberpro−wingsmember.com
vip−ch.com
3803329
coolwatch−dramaplayer.com
fpretty.net
chizyo−takyuubin.com
5416593
gazobank.net
3103382
3091434
crystal−mv.org
4068802
temomin.net
eroking.net
adult−maniac.com
wink69wink.com
veoh−box.com
guba−cafe.com
0396753
view−break.com
aidol−o.net
0334074911
3698289
dlxmovie.org
8410192
0398437
8538560
myvideo−viewwatch.com
ero−izm.com
fmv−str.com
samehada.com
359445
tokyo−vi2.com
olioli0.com
0412752
5242684
free−wmv.org
f−xxx.net
frx−video.info
strmv.org
0417728
e−adults.net
1121928
4044638
freehp.cc
5337294
5339572
eroerotv.com
6583868
2222472
4045172
0421581
1869828
kakecat.com
0776395
7361520
gi2a.net
0354671057
09061860948
f−cute.com
fxe.bz
mvdx.net
1933624
high−time.jp
08065329727
0349375
0338530
x69xforyou.com
nkjnk.com
runkhead.net
4082665
1619966
d−per.cc
fe7.org
elephin.net
09017387584
8042012
4370852
5340104
erox−mov.info
cream−angel.net
srmov.net
erocinema.net
09012739052
sexy−shake.com
8065331
0321104
eroero−movie.net
08067622371
hs34.drive.ne.jp
1529859
5165068
ozari.com
0425703
4045610
6985815
shin−girl.com
1144859
4009193
erotown.biz
1780456
eroing.net
eroooo.com
main69.sc
extasy−sp.com
6992785
09018377611
m2mv.net
pinky−camera.net
o1111.com
1556604
2878099
ony−hand.com
cos.com
0403850
2866908
1535848
2824040
manko−siohuki.com
0353389795
10228026
x−archive.info
2012854
download−page.net
puru−2.com
0303133
angel104.com
602741
triqwe.com
nuki−movie.com
1829553
0383656
pearl−movie.net
6580923
pakipaki77.com
ureqky.com
cherryboy.jp
2000207
1352754
0333718464
08038262976
eroero−story.com
elite−elite.jp
5341747
09018376843
4029118
4648516
340174
0222917
0378050
5297837
goldmedia9.jp
strmovie.net
306390
heidi−alps.com
3324574
363010
mov−x.org
erowiki.net
otkrd.net
09065662100
09047379105
tinko4545.com
shakuhati1919.com
ee−movies.net
o−takara.org
bb−download.net
1040522
4076368
free−tube.girls−jp.com
1622740
419223
08040118481
download−max.net
595799
0402931
q−vide0.com
08038254756
splash−net.jp
ari−.com
bottob.net
0387486
5340724
4941192
7769426
0120078310
8083492
0369632
0306583
ex−d−ex.net
2312521
o−tin.com
1647361
0347916
4040791
0598054
35122
1601834
0120100479
dream−−maker.com
momoiro−time.com
0029786
5101517
1453920
0354562488
6232755
zest−movie.com
08054597956
1221882
cokimaro.com
4584380
medo−hole.org
movie−factory2.net
6341843
5336573
3660931
0353530
mega−movies.net
0385093
0318332
1028012
09061861058
0385094
1630265
movies−max.com
0385203
muteking.com
0369129513
oppai777.com
nurenure−movies.com
download−vi.net
0351310
eroero−aidol.net
0563215
adult−juice.net
1813378
moro−movies.com
5318168
0343550
cherry−pie.info
5336778
3213568
free−share.jp
1103645
9985692
08035110306
0104697
1458789
1238350
0358425
0362689
0364500337
1369144
0225244
0364500338
adult−69.com
0312320
ananan.biz
0727136
1343757
yamato.power.ne.jp
0387514
1030147
7541792
4038252
08012493978
0292684
0135448
6948954
playgirls.cc
0050056
lastsong2007.com
0348126
1537062
5337316
5341071
0120707473
1659678
08013471667
adult−99.com
0333082
1928070
ad−sexy−gallery.com
1648063
0298759
a−mn.net
478971
ero−max.biz
1767396
1929784
1635833
0162390
1064348
1637561
08013416995
09040026096
6547551
0406009
230141
2348872
ad−maruhi−club.com
5323609
peach−candy.com
08066293236
good−eros.com
0326011
all−look.net
09044356307
0315494
09064957153
0163237
2808142
382555
pichipichipi−chi.com
cute.fm
0387239
specialdouga.com
08035110321
0161761
0371964
1105738
09061860949
beauty−movie.com
0561112
09098068443
8459883
daichuki.net
0385858
0387480
5317757
0286196
ikuru−to.com
2124627
2039800
sexyhathurathu.com
6630471
0361645
pussy3.net
blog−ex.jp
0154039
0503632
0339477
0373205
0385460
0347038
mars.server.ne.jp
0385099
0063338
arukonda.com
saunin.com
0403627
0380906
0389994
3878842
0356547159
1120502
okazu−ch.com
5336565
cyuraman.com
5321550
0120540412
0145000
gazo−xxx.com
pink−gals.com
adult−vision.net
3114035
hippai.net
0354283294
0331806
5218287
3077810
1613892
movie−downloadpage.com
0393511
2122373
08051893069
334604
0354456
08051827956
09098057510
4049462
0382799
h−erorist.com
eroize.net
5097338
08066789998
kyoto.direct.ne.jp
1434040
4044105
manboo.org
6964085
08013481402
nakatayu.com
adult−moviespecial.com
ero−station.net
0343433
tadaudo.com
08051825872
momotube777.com
0441247
1161106
0478971
0400517
3262040
0354283599
1096017
1176575
5244068
1036604
.info−e.net
sexsexsex.bz
1033360
8455994
nishinom.uuuq.com
0375460
3479977
click−gazou.com
doshirouto.net
5338576
1056961
2051963
adultportal.bz
0261679
3348130
movies−navi.net
otakara−com.net
urageinou.com
syogekiotakara.com
7552399
1369219
7019393
5878056
0069417
1647116
6132458
1126505
geinoulive.com
1702309
6239687
08030288578
hiroimonoblog.com
1953517
hitozuma−jukujo.com
5392821
uploadotakara.com
7512014
freefree−geting.com
shirotopara.com
5084203
e0721.com
08067744832
e−horidashi.net
1680370
sukebe4545.com
1343544
1447503
freemovieshelter.com
cupid−f.com
0104838
purememo.jp
nurunurujp.com
treasuremovieplayer.com
index−pv.com
pyupyupyu.net
0084305
5213007
0343162
1507237
hwrws.com
1997477
2429766
4467772
6966760
1647622
paradise−cafe.tv
0352924176
tokudane.cc
09034142427
08066293227
1658483
2429774
5346307
1502037
2683998
kamehamema.com
asite2006.com
adult−media3.com
0421384
milkpai.net
1691135
333289
afg.adfack.com
0175290
ctg.adweeb.com
5695927
09034178215
petit−devil.com
sikosiko55.com
0387595
4058270
0337680
tch.adweeb.com
08066164856
geinoudaisuki.com
1404764
pink−apple.net
08061148266
garumin.com
0426326
6599861
0577251
0357849501
0402084
0306538
onanny.net
tohkof.adfack.com
shake−hip.net
0525881
ree.adweeb.com
0357849235
5342131
gss.adweeb.com
8059603
3442456
materiaru.com
0388662
1267396
0388283
jyukujo−hitoduma.com
0374643
0120937959
4026601
apk.adflash.net
4026092
09094023036
09010425485
fgter.com
bfg.adweeb.com
08061332300
3791080
0352343
0284256
5337731
0425520
takuero.com
adalt−world.com
boinpururun.com
0352924109
tst.adweeb.com
1629329
09058210093
0352924033
love−green2.com
tpl.adweeb.com
0558445
6191072
wintube.net
0583821
4084869
09098564796
6476397
0387593
lovelyhoney.adgoo.net
1015584
youradult246.com
0179561
0293921
3532049
08067242335
.eromajin.net
gsg.adweeb.com
1473244
0451712
1633362
2452834
0376574
1623524
hat.adweeb.com
hame.adflash.net
09084891165
hamebank.adfack.com
6600282
08053276846
5406408
tom.adweeb.com
idol−get.net
kewpie.tv
2848342
4993545
2066983
0274806
0335845177
starpeach.net
1182422
09017936613
hcl.adweeb.com
0389948
geinouplus.com
youxtube.org
7685526
0374386
pararin.net
trinions.com
4601959
stx.adfack.com
tof.adweeb.com
113095
1414431
5374157
1717689
3039599
08065920249
galooon.com
videochannelfile−mackintoshlive−movie−tv.org
douga−dx.com
3379998
8506951
yourtubefile−userforplayer−live.com
1174307
0437281
okazumovie.net
okazu−movie.com
09029094733
3509866
wintube.info
1611645
mycast−watch−tv.com
tohsen.adgoo.net
08065290249
dougadx.net
6099079
forjustvideo−javadownload−watch.info
cross−mode.com
0382127
0445224
0164722
0414077
1166179
3969195
3090009
0335604975
shibuya−supa.cocolog−nifty.com
samplefreemovie.com
4517418
inf070614.com
r18shitei.com
1221456319
05055335807
0630719
4062966
0338829851
1970262
0350762
08065306995
sweet−tube.net
4087017
youtude.name
2004024
0001682
0354598
0339320
1556490
0100145
1805992
yaritai.jp
4035520
1281040
yariyari−doga.com
08065920448
impactfreemovie.com
pp−juice.com
blog.kimikasa.com
6309257
he−collection.net
08034562094
1249683
0359850128
1022465
1038001
0383417
3008409
0339122
2005096
1776495
3032557
5372812
0300391
exite−tube.hot−jp.com
e−gossip.net
onaona−doga.com
0329168
youtude.jp
8918683
08036386304
love−cast.net
3107493
0507462
0187633
0279570
3177715
movie−adult999.com
eroeromax.net
7202108
cbehs.com
08067403774
08066706829
0375568
xootech.net
adult−fish.com
1080791
0352180
5651810
1663667
mediachannel−windowslive−tv.net
4021054
pure−doga.com
0357505273
nukenukidoga.com
shirouto−av.com
softnbank.com
v−gallery.net
ero−gappa.net
ero−tube.jp
08067441280
0272017
eroceleb.net
0638152
adult−007.com
0358475692
09061017344
2551129
0062260
2046533
9348390
mo−movie.com
0353021978
1662373
3131092
6723957
venus−gate.info
1632202
0451981
1282599
7027611
0362807977
09065000870
0338829852
0333758325
moe−roli.com
h−tuma.net
0362807950
1471895
0120404306
5392597
onenight−movie.com
brabus.xsrv.jp
7864096
Figure 3: Clustering of 1,341 nodes representing 481 domains (ovals), 684 bank accounts (triangles), and 176 phone numbers (small
rectangles). Links connect nodes found in the same incident. We obtain 105 clusters containing more than one node, and 26 singletons
(omitted from the figure). Additional grouping by malware used allows to link six of these clusters (represented by thick dashed
lines), and additional grouping by strong similarities in WHOIS registrant information allows to group another set of seven clusters
(represented by thick dotted lines).
are ordered in separate boxes in the figure. The presence of large
connected subgraphs (e.g., top right) indicates that some miscreants are operating a large number of sites, and are reusing phone
numbers or bank accounts across several sites.
While it could, in theory, be possible that two completely different criminals share an identical bank account number, we reject
this hypothesis, as the bank account numbers used have to be valid
for the criminals to collect their dues. Hence, a shared bank account number means that, at the very least, the miscreants sharing
the account are in a tight business relationship, and probably are the
same individual or group of individuals. Likewise, because phone
numbers used in these frauds are genuine, reusing the same phone
number across several frauds indicates a business relationship between the perpetrators.
Malware. We further noticed that websites from the second largest
connected subgraph were still alive as of Nov. 2009, indicating
that the fraud continues unabated. As mentioned earlier, we downloaded the entire contents of each fraudulent website listed in our
database. We found that a small number (14) of One Click Fraud
websites contained some malware.
Specifically, some of these sites contain a virus named Trojan.
HachiLem. This is an MS Windows executable file which is
posted on these sites as a “mandatory video viewer plug-in.” Once
downloaded and executed, this virus automatically collects email
addresses and contacts stored within Outlook Express or Becky!
(email application popular with Japanese enterprise users), and sends
the collected information to a central hachimitsu-lemon.com
server and, possibly, to another machine as well. The collected
email information is in turn used to blackmail victims and notify
them they owe the website registration fees. Interestingly enough
hachimitsu-lemon.com has not been a valid domain name
since, at least, early October 2009, but a report about this virus was
posted as recently as Oct. 26th, 2009 on Wan-Cli Zukan, indicating
that this virus is still mildly active.
Another group of sites contains a simpler, less intrusive form of
malware, which modifies the Windows registry entries to display a
pop up window reminding of the registration fee due upon boot-up.
Additional clustering. An interesting feature of the sites hosting the
Trojan.HachiLem malware is that they all share strong similarities in their WHOIS records. For instance, the technical contact
phone number field contains is identical (+81-6-6241-6585). While
it is likely a bogus number, this similarity, coupled with the presence of identical malware and overall similar appearance of the different websites involved strongly suggest all sites are operated by
the same group. We can thus relate six connected subgraphs to each
other, represented by the dashed boxes in Fig. 3.
We further look into WHOIS information details, and notice that
a number of registrant entries shared similarities across seemingly
different incidents. For example, we found a number of entries
with identical (bogus) contact name, email information, or technical contact phone number. By grouping this entries together, we
can link seven connected subgraphs, represented by the thick dotted boxes in Fig. 3, to each other.
Fraud distribution. With the assumption that each connected subgraph denotes a unique criminal organization, we plot, in Fig. 4, (a)
the number of frauds perpetrated by each group, and (b) the cumulative number of frauds perpetrated by the most active fraudsters.
In Fig. 4(a), we rank criminals by the number of frauds they have
been committing, and plot the number of One Click Frauds perpetrated by each group as a function of its rank. We provide data for
both simple clustering (based only on phone numbers, domains,
and bank accounts), as well as additional clustering (further group-
ing criminals by malware used, and identical WHOIS records). We
note that the distribution seems to be following a Zipf law. Specifically, the curve representing a basic clustering fits very well with
the function y = 56/x0.76 ; and y = 80/x0.90 is a good fit for
the curve obtained by considering additional clustering. The match
with a power law indicates both high concentration (a few people
are responsible for most of the frauds), and long tail behavior (many
people participate in these scams).
Fig. 4(b) plots the same data as Fig. 4(a), but in a cumulative
fashion. What we observe here, is that even with our conservative clustering strategy, the top 13 miscreant groups are responsible
more than 50% of the fraud. Taking into account similarities exhibited by WHOIS records, and malware deployment, we observe that
the top 8 groups are responsible for more than half of the frauds we
have collected. At the same time, there is a large number of groups
that do not seem to be involved in more than at most a couple of
frauds. Including singletons, 80 out of the 112 groups we extracted
using additional clustering, or about 71% of the criminals involved,
appear to operate at most two sites. This number may be an overestimate, since we do not claim that we managed to establish all
possible links that exist. Yet, it tends to indicate that the miscreant
population is a mix of large operators, and of “artisans” running
much more limited criminal enterprises.
4.3
Evidence of other illicit activities
Blacklist
cbl.abuseat.org
dnsbl.sorbs.net
bl.spamcop.net
zen.spamhaus.org
combined.njabl.org
l2.apews.org
aspews.ext.sorbs.net
ix.dnsbl.manitu.net
Google Safe Browsing (FF3, URLs)
Google Safe Browsing (FF2, URLs)
Google Safe Browsing (FF2, IPs)
Purpose
Open proxies,
Spamware
Spam
Spam
Spam,
Trojans,
Open proxies
Spam,
Open relays
Spam,
Spam-friendly
Spam
Spam
Phishing,
Malware
Phishing,
Malware
Phishing,
Malware
Nr. hits
7 (2.55%)
22 (8%)
4 (1.45%)
23 (8.36%)
4 (1.45%)
90 (32.73%)
11 (4%)
4 (1.45%)
0 (0%)
0 (0%)
44 (16%)
Table 4: Presence of One Click Fraud domains in various
blacklists.
Next, we try to see if domains engaging in One Click Fraud are
also supporting other illicit activities. Out of 1608 URLs present
in our database, we extract 842 domain names. These domains
resolve to 275 unique IP addresses.3
We check the 275 IP addresses against a set of eight blacklisting
services that flag IP addresses known for producing large amounts
of spam, and/or trojans and malware, and present our results in
Table 4. While some of the domains are also used for spam, the
vast majority does not appear in any database. In fact, most of
the hits we see (in L2.apews.org) are coming from sites that
resolve to a parked domain IP address. That is, these sites are not
3
A large number of domains, particularly those reported in 2006–
2007, are down, and do not resolve to any IP address anymore.
Cum. prop. of webs. maint’d
Nr. of websites maintained
60
50
40
30
with additional clustering
basic clustering
20
10
0
20
40
60
Group rank
80
100
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
(a) Nr. of frauds perpetrated by each group.
basic clustering
with additional clustering
20
40
60
Number of groups
80
100
(b) Cumulative number of frauds
Figure 4: Frauds distribution over the miscreant groups. These plots exhibit considerable concentration in fraudulent activities.
active as One Click Frauds anymore, and have been reclaimed by
the DNS reseller, which apparently either serves as a spam relay
or has been known to be friendly to spammers. Given the results
we found earlier about the concentration of frauds in some specific
resellers, this outcome is not particularly surprising.
We further verify this hypothesis by checking our entries against
the Google Safe Browsing database for phishing and malware distributed as part of Firefox 3, updated as of July 24, 2010. None
of the URLs we find in our database is listed in the Google Safe
Browsing database.
However, we also want to check IP addresses of the servers that
host One Click Frauds against the IP addresses of the servers hosting pages listed in the Google Safe Browsing database. Recent
versions of the database, such as that used in Firefox 3, only contain hashes of the blacklisted domains rather than the actual domain
information, which makes it impractical to obtain IP addresses associated with the blacklisted domains. We thus turn to an older
version of the Google Safe Browsing database (bundled with Firefox 2, last updated on June 29, 2008), which contains the blacklisted domains in plaintext.4 In this older database too, none of the
URLs match blacklist entries, but, when comparing IP addresses
of the servers that host One Click Frauds to the IP addresses of
the servers in the blacklist, we see a significant (16%) number of
hits. This confirms our finding that, while the websites engaging in
One Click Frauds keep a relatively low profile, they are sometimes
hosted on very questionable servers, which essentially turn a blind
eye to what their customers are doing.
A possible reason for the relatively lack of conclusive evidence
that One Click Frauds sites engage in other forms of online crime
will become clear in the next section, when we look at the potential
profits miscreants can make. Operating a set of One Click Fraud
sites is indeed quite a profitable endeavor, and we conjecture that,
engaging in other forms of fraud would only have a marginal benefit to the fraudster, while increasing the risk of getting caught.
5. ECONOMIC INCENTIVES
We next turn to looking into the profitability of One Click Frauds.
We start by drafting a very simple economic model, before populating it with the measurements we obtained from our study. The
objective is not to obtain very precise estimates of the actual profits
that can be made, but mostly to dimension the incentives (or disincentives) to engage in One Click Frauds. We first determine the
4
Note that, while this blacklist is considerably older than the newer
versions, it is contemporary with a large number of One Click
Frauds we collected.
break-even point in the absence of potential risks for miscreants,
before looking at the impact of penalties (prison, fines) on criminals’ incentives. All the numbers in this section are current as of
November 2009.
5.1
Cost-benefit analysis
Costs. A miscreant interested in setting up a One Click Fraud will
need a computer and Internet access. We call this startup cost,
Cinit . Cinit is independent of the number of frauds carried out, but
is actually dependent on time, as Internet access is usually provided
as a monthly subscription service. Then, the miscreant will need to
purchase a DNS name, possibly joint with a web hosting service.
We will call this cost Chost . This cost, too, is time-dependent.
The website has then to be populated with contents (e.g., pornographic images, dating databases), which will cost Ccont . Ccont
can be a fixed price, or a periodic fee, depending on whether the
miscreant is purchasing items in bulk, or as part of a syndicated
service.
The criminal has to set up a bank account, which should not be
traceable back to its real identity. We will assume the cost of this
operation to be Cbank . This is a fixed fee. Likewise, an untraceable
phone number for call-back from the victim may be purchased to
make the fraud more successful. We will denote the cost associated
with this purchase Cphone . This fee is likely to be time-dependent;
for example, the forwarding service discussed in Section 4 is a
monthly subscription.
Profits. Profits primarily come from money obtained through user
payment Puser , conditioned by the number of users n paying the
requested amount f for each incident. The number of users increases with time. Secondary profits, Presale , may be reaped from
reselling databases of victims contact information to other miscreants.
Utility. As we have discussed before, miscreants may actually set
up several frauds, potentially reusing phone numbers and bank accounts across them. Let us denote by S, K, and B the number of
frauds set up, phone numbers, and bank accounts purchased by a
miscreant, respectively. We assume that identical contents is reused
across all frauds operated by the same miscreant, which, based on
casual observation, appears to be the case. We further assume that
hosting costs are directly proportional to the number of sites operated, which is a very conservative assumption, as resellers tend
to provide discounts based on the number of domains purchased.
We also assume that the costs of phone and banking services are
directly proportional to the number of phone lines and banking ac-
Frequency (nr. of frauds)
300
250
200
150
100
50
,0
,0
00
0
40 1−4
,0 0,0
01
0
45 −4 0
,0 5,0
01
−5 00
50
0,
,0
00
01
0
−5
55
5,
,0
00
01
0
−6
75
0,
,0
00
01
0
−8
85
0,
,0
00
01
0
−9
95
0
,0
01 ,00
0
−1
00
,0
00
35
−3
5
01
,0
30
1,
00
1−
5,
00
0
0
Fee amount (in yen)
Figure 5: Ten most common amounts of money requested.
counts purchased. This assumption holds, because Japanese phone
companies does not rely on usage-based charging for incoming
calls. Cellular lines use dedicated area codes, so that the caller,
in this case, the victim, pays a premium compared to the charge for
calling a landline. Hence, in One Click Frauds, because miscreants only use their lines for incoming calls, they are not charged for
usage.
Finally, because quantifying Presale is difficult, and is likely to
be small in front of the other profits, we simply consider Presale ≥
0. Finally, we assume that each fraud has roughly the same probability of being successful, and thus, that the total number of users
to fall for all frauds operated by a miscreant is simply given by
multiplying S by n.
With these assumptions, we obtain, for the utility (i.e., the profit
or loss miscreants can expect) U , the following inequality, in absence of any risks linked to being caught:
U (t) ≥
Sn(t)f − Cinit (t)
−S(Chost (t) + Ccont ) − BCbank − KCphone ,(1)
where t denotes time. Clearly, the policy maker wants U < 0. If,
on the other hand, U ≫ 0, there is a high incentive for people to
start fraudulent operations.
5.2 Fraud profitability
We next turn to dimensioning each of the parameters in Eqn. (1).
We consider t = 1 year in all discussions.
We plot the number of occurrences the most commonly requested
amounts of money f are observed in our database in Fig. 5. The
spike at 45,001-50,000 JPY (roughly USD 500) coincides with the
average monthly amount of “pocket money” typical Japanese businessmen are allowed to take from the household income (45,600
JPY in 2008, [27]).5 The average, over 1,268 records in our database,
stands at f = 60, 462 JPY.
Next, the initial cost Cinit combines that of a computer, which
the fraudster likely already possesses, and of an Internet subscription. If the miscreant does not already own a computer, a basic
model, around 28,000 JPY (e.g., an Asus EeePC 900X), would be
more than sufficient. Likewise, the miscreant probably already subscribes to an Internet service, but assuming they do not, a modest
5
In Japan, the wife of the household typically plays the role of
“Chief Financial Officer” and dispenses monthly allowances to the
husband and children.
broadband access is all that they need. As an example, in 2009, Yahoo! BroadBand provides an ADSL “8 Mbps” plan for 3,904 JPY
per month [8]. We get 0 ≤ Cinit ≤ 74, 848 JPY, where the upper
bound is given by assuming a fully dedicated machine and Internet
connection for setting up One Click Frauds, and is obtained combining the prices of purchasing a new PC and subscribing for one
year to the Internet service.
We evaluate Chost using maido3.com, a domain reseller and
rental server popular with fraudsters (see Section 4). The Starter
Pack Plan costs 3,675 JPY for an initial setup fee; domain registration and DNS service is free; the plan requires a three months advance payment of 22,050 JPY (monthly fee is 7,350 JPY). We gathered these numbers from our email communication with maido3.
com. For a one-year subscription, we obtain Chost = 91, 875 JPY.
Fraudulent bank accounts can be obtained for prices going between 30,000 and 50,000 JPY [1] from the black market. As previously mentioned in Section 4, bank accounts are easily forged if
created in Internet banks or banks requiring only postal mail for
new contracts since there is no physical interaction during the contracting process. Also, it is relatively easy to set up fraudulent accounts by taking advantage of the Japanese writing system. Bank
accounts internally use a phonetic alphabet (katakana), different
from the characters used for most names and nouns (kanji). It is
thus possible to create ambiguous account names. For instance,
both the “Baking Club of Shirai City” and “Shiraishi Mitsuko” (a
person’s name) are pronounced exactly the same, and thus would
have the same account holder information. By registering as a nonprofit organization, the fraudster may easily bypass most identity
checks, and subsequently set up fraudulent transfers using the individual name instead. Creating an account in this fashion would
cost much lower than 50,000 JPY. We can thus confidently assume
Cbank ≤ 50, 000 JPY.
A phone line is required for miscreants to have the ability to further pressure and blackmail the victim to pay money. Cell phones
can be illegally purchased for approximately 35,000 JPY [1,3], and
can be made untraceable by paying the monthly subscription fees
of 7,685 JPY/month [3] at a convenience store, or by simply using a
prepaid phone. Forwarding and anonymizing services discussed in
Section 4 can be purchased for only 840 JPY/month [6]. Assuming
all these services are purchased for a year yields an upper bound
Cphone ≤ 137, 300 JPY.
We make the modestly controversial assumption that Ccont = 0.
Indeed, we suspect that most of the pornographic contents presented in One Click Fraud websites is simply copied and plagiarized from other (non-fraudulent) websites, or obtained through
peer-to-peer transfers.
Last, our analysis of Section 4 tells us that, on average, S ≈
3.7 domains, while B ≈ 5.2 accounts, and K ≈ 1.3 phone lines.
These numbers are obtained by looking at the graph G, and dividing, the total number of domains operated (481), bank accounts
(684), and phone numbers used (176), by the number of connected
subgraphs we found, including singletons (131).
Reusing these numbers in Eqn (1), we obtain a simple linear
condition for the fraud to be economically viable, that is, for U ≥
0, we need
n ≥ 3.8 users
to fall for each fraud, within one year. This means that, as long as,
for each scam operated, more than four people fall for the scam
within a year, the miscreant turns a profit. In other words, there
is an extremely strong incentive for aspiring criminals to engage in
One Click Fraud. This strong incentive is not very surprising, given
the low amount of skills and equipment needed to set up One Click
Frauds. What we find more interesting is how profitable One Click
Fraud appears to be.
5.3 Legal aspects
The above incentive assessment ignores the probability of getting caught, and the associated penalties resulting from arrest, which
we detail next.
Prosecution probability. Criminals take advantage of social norms
and legal loopholes to commit One Click Frauds. First, most victims do not report these crimes. Indeed, to be able to legally charge
a suspect, a victim must make a formal complaint to the court. Due
to the embarrassment associated with the context of the fraud, many
victims do not wish to participate in the accusations that may reveal
their identity. Further complicating matters, is the fact that most
DNS resellers and web hosting services used, as we have observed
in our measurements, are physically situated outside of Japan. The
part of the fraud infrastructure hosted in Japan, i.e., the phone line
and the bank account, is equally hard to use for investigation. Indeed, police cannot obtain contact and network information from
telecommunication networks unless they have an actual arrest warrant. Likewise, access to banking accounts is very restricted. Thus,
prosecution probability is actually very low.
Penalties. In addition, sentences are relatively light. Common
fraud (e.g., blackmail), in Japan, carries a sentence of up to 10 years
of imprisonment. However, One Click Frauds very often do not
meet the legal tests necessary for qualifying as “fraud,” as in the
vast majority of cases, the victim pays up immediately, and there
is no active blackmailing effort from the miscreant. One could argue that they are nothing more than a sophisticated form of panhandling. As a result, the few sentences for cases related to One
Click Fraud made public [2] were rather light, with fines ranging
from 300,000 JPY to 2,000,000 JPY (≈ USD 3,000 to 20,000) and
prison sentences ranging from probation to 2.5 years of jail time.
Date
Location
2/2004 - 4/2005
8/2004 - 8/2005
7/2006 - 4/2007
7/2006 - 11/2007
7/2007 - 8/2008
Osaka
Iwate
Saitama
Chiba
Yamaguchi
Damages
(×106 JPY)
600
28
50
300
240
Victims
Ref.
10,000+
450+
700+
3,400+
3,500+
[33]
[38]
[19]
[37]
[10]
Table 5: Press reports of One Click Fraud arrests.
of unsolved cases, as well as, some potential exaggeration in the
losses incurred, the profit made by miscreants in practice appears
sizable.
We can compare this estimate with reports gathered from the
press, which we summarize in Table 5. The profits made appear to
be very high, which is not overly surprising considering the number of victims involved. Recall from the previous section, that one
only needs about four victims to break even. Clearly, with victim numbers in the 450–10,000 range, we can expect very significant profits, which, in Table 5 are estimated between approximately
USD 28,000 and 600,000 for each group arrested. Thus, the USD
90,000 – 360,000 estimate acquired from the police reports seems
to be in the right order of magnitude.
Ironically, the case reported in [38] names the suspect as a famous IT writer specializing in cybercrime and appearing in multiple TV programs to warn the public of the dangers of One Click
Fraud. One cannot help but think that the suspect, being very familiar with the inner working of One Click Fraud, must have reached
a conclusion identical to that of the present paper, that is, that there
is a significant economic advantage to engage in such frauds.
We also note that these arrests were likely possible by the sheer
magnitude of the fraud. A criminal confining themselves to only
a few dozens victims would likely be able to make a reasonable
profit, while being hard to catch.
5.4 Field measurements
We next use field data provided by the Japanese police [15], and
compare their findings to ours. Note that the report [15] combines
numbers for One Click Frauds and related confidence scams, so the
numbers in this section are much more approximate than we would
wish. However, they remain a useful starting point to roughly assess the economic impact of these frauds.
Number of frauds per miscreant. First, the police acknowledges
2,859 cases of frauds leading to 657 arrests. It is very unlikely that
the police would inflate the number of unsolved cases in an external
publication, and it thus appears that each arrested individual was
responsible for an average of 4.4 frauds.6 This number is slightly
higher than S = 3.7 we found earlier, but the difference is hardly
surprising, as the probability of getting caught increases with the
number of sites operated.
Profits made. The Japanese Police estimates, on average, between
2004 and 2008, that 26 billion JPY per year were swindled in various confidence scams, prominently including One Click Frauds.
Dividing by the number of 2,859 cases the police reports, we find
the average income per case to be approximately 9 million JPY over
a year (≈ 90,000 USD), a quite staggering number, especially considering that each arrested individual was responsible for about four
cases, potentially making around 360,000 USD. While we believe
that this is likely an over-estimate, due to the unpublished number
6
In Japan, arrests are usually made only when the police is certain
with 99% probability or more of the suspect’s guilt. The conviction
rate is thus very high.
6.
DISCUSSION AND CONCLUSIONS
This paper attempts to provide a comprehensive picture of a confidence scam used in Japan, called One Click Fraud. By gathering
over 2,000 reports of incidents from vigilante websites, we were
able to describe a number of potential vulnerabilities that miscreants use (lax registration checks, resellers turning a blind eye to
their customers’ activities), and also showed that the market appears to be quite heavily concentrated. The top eight miscreant
groups are responsible for more than half the frauds we uncovered.
At the same time, a large number of individuals seem to be participating in frauds of smaller magnitude.
We showed that an important reason for these scams to flourish
is the strong economic incentives miscreants have. They can break
even as soon as they manage to successfully scam four victims for
each fraud, and, on average can make profits in the order of USD
10,000-100,000 or more per year. Prosecution is difficult, since
victims are reluctant to come forward, and the penalties that can be
meted are relatively light.
Reforming the law to impose harsher penalties is not easy, as
proving the mere existence of a crime is cumbersome. On the other
hand, prevention, identification, and take-down seems more feasible. Our study shows that identifying perpetrators can greatly benefit from a bird’s eye view of the network. In our discussions with the
police, we learned that different cases are usually assigned to separate officers, and that communication could be greatly improved.
For instance, one officer may investigate a fraudulent phone number, while another may be investigating an online fraud. If the
phone number is used in said fraud, clearly both officers would
benefit from sharing the results of their investigations. However,
such holistic approaches remain relatively rare in practice.
Future work. We believe that, while we tried to provide as comprehensive a study as possible, we could enrich the data we obtained by
looking for connections with other forms of crime in more details.
Our conclusions, thus far, are that these domains do not apparently
engage in other forms of fraud, but are based on a relatively simple
check of known blacklists. Studying in more details WHOIS registrations cross-listings, as well as possible connections with more
“mainstream” pornographic sites could reveal further insights.
Also, an article issued at the time of this writing [9] shows that
One Click Fraud is now using peer-to-peer software as a propagation vector for viruses very similar to Trojan.HachiLem.
While the propagation method is new, the psychological factors
making such scams successful remain the same. Finding how to
address these psychological traits is a promising area of research,
quite related to ongoing works in security psychology [28].
We have also observed, in the police records that we eventually
were not able to use, that 71 out of 359 scams reported were SMSbased. That is, One Click Frauds are also affecting mobile websites. Whether the perpetrators are the same, or different groups,
remains unknown, and would warrant further investigation.
Despite being focused on a very specific crime, we believe that
some of the methodology we used in this paper (graph-theory based
modeling, and clustering techniques, for example) could very well
apply to other forms of online frauds. As mentioned in the introduction, One Click Frauds are closely related to the more general
body of scareware scams, and some of the techniques we use could
equally apply to analyzing scareware markets. More generally, we
hope this paper will help facilitate an ambitious research agenda to
gather more data from online criminal activities. An improved understanding of the economics of online crime is indeed essential in
determining which policies may work to curb the problem.
7. ACKNOWLEDGMENTS
This research benefited from many discussions with Kilho Shin,
Jens Grossklags, and with our colleagues at Carnegie Mellon CyLab, both at CyLab Japan and in Pittsburgh. Comments from the
ACM CCS anonymous reviewers, Sasha Romanosky and Alessandro Acquisti provided valuable feedback on an earlier revision of
this manuscript. The Hyogo Prefecture Police was instrumental in
availing to us the case data used in Section 5. Ashwini Rao and
Lirida Kercelli helped with some of the DNS black-listing tests.
Sachi Iwata-Christin supplied additional translation assistance.
8. REFERENCES
[1] Black market yamamoto web. In Japanese.
http://yamashita0721.web.fc2.com. Last
accessed April 16, 2010.
[2] Koguma-neko teikoku. http://www.kogumaneko.tk.
[3] Manual on how to live anonymously. In Japanese. http:
//homepage3.nifty.com/nonu/tokumei1.html.
Last accessed April 16, 2010.
[4] MeCab: Yet another part-of-speech and morphological
analyzer. http://mecab.sourceforge.net.
[5] Ni-channeru (Channel two). http://www.2ch.net.
[6] Symphonet Services. http://symphonet.co.jp.
[7] Wan-cli zukan. http://zukan.269g.net/.
[8] Yahoo! BB ADSL.
http://bbpromo.yahoo.co.jp/adsl/type2/.
Last accessed Apr. 16, 2010.
[9] BBC News. Porn virus publishes web history of victims on
the net. Apr. 15, 2010. http://news.bbc.co.uk/2/
hi/technology/8622665.stm. Last accessed Apr. 16,
2010.
[10] Chugoku Shimbun. Arrested for One Click Fraud. August
16, 2008. http://www.chugoku-np.co.jp/News/
Tn200808160061.html. Last accessed Nov. 21, 2009.
[11] P. Eckersley. How unique is your web browser? In Proc.
PETS’10, Berlin, Germany, July 2010.
[12] J. Franklin, V. Paxson, A. Perrig, and S. Savage. An inquiry
into the nature and causes of the wealth of Internet
miscreants. In Proc. ACM CCS’07, pages 375–388,
Alexandria, VA, Oct. 2007.
[13] C. Grier, K. Thomas, V. Paxson, and M. Zhang. @spam: The
underground in 140 characters or less. In Proc. ACM
CCS’10, Chicago, IL, Oct. 2010. To appear.
[14] C. Herley and D. Florêncio. Nobody sells gold for the price
of silver: Dishonesty, uncertainty and the underground
economy. In Proc. (online) WEIS’09, June 2009.
[15] Japan National Police Agency. Incident report and monetary
damages of direct deposit frauds, 2009. Archived at
http://megalodon.jp/2010-0223-1659-40/
www.npa.go.jp/safetylife/seianki31/1_
hurikome.files/Page386.htm. Last accessed April
16, 2010. In Japanese.
[16] Japanese Information Technology Promotion Agency. Virus
detection reports, Oct. 2009. In Japanese.
http://www.ipa.go.jp/security/txt/2009/
10outline.html. Last accessed April 20, 1010.
[17] C. Kanich, C. Kreibich, K. Levchenko, B. Enright,
G. Voelker, V. Paxson, and S. Savage. Spamalytics: An
empirical analysis of spam marketing conversion. In Proc.
ACM CCS’08, pages 3–14, Alexandria, VA, Oct. 2008.
[18] N. Kato and T. Kawabata. The advance of the fraudulent
business scheme through the it and the legal measures of
specified business transaction. In Proc. AIEEJ Media
Computing Conference, 2007. In Japanese. Abstract
available at http://www.jstage.jst.go.jp/
browse/aiieej/35/0/_contents/-char/ja/.
Last accessed April 10, 2010.
[19] Mainichi Shimbun. Fraud: Suspect arrested again for
requiring a registration fee for unauthorized access. March 4,
2007. http://blog.goo.ne.jp/alladult/e/
4a53e012de3c0335a838d99161e9d8bc. Last
accessed April 16, 2010.
[20] Ministry of Justice, Japan. Act on special provisions to the
civil code concerning electronic consumer contracts and
electronic acceptance notice. English translation at
http://www.japaneselawtranslation.go.jp/
law/detail/?yo=&ft=2re=01&ky=&page=3. Last
accessed April 10, 2010.
[21] T. Moore and R. Clayton. Examining the impact of website
take-down on phishing. In Proc. APWG eCrime’07, pages
1–13, Pittsburgh, PA, Oct. 2007.
[22] T. Moore and R. Clayton. Evil searching: Compromise and
recompromise of Internet hosts for phishing. In Proc.
Financial Crypto’09, pages 256–272, Barbados, Feb. 2009.
[23] T. Moore, R. Clayton, and R. Anderson. The economics of
online crime. J. Econ. Persp., 23(3):3–20, Summer 2009.
[24] T. Moore, R. Clayton, and H. Stern. Temporal correlations
between spam and phishing websites. In Proc. USENIX
LEET ’09, Boston, MA, April 2009.
[25] T. Moore and B. Edelman. Measuring the perpetrators and
funders of typosquatting. In Proc. Financial Crypto’10,
Canary Islands, Spain, Jan. 2010.
[26] N. Provos, P. Mavrommatis, M. Rajab, and F. Monrose. All
your iFrames point to us. In Proc. USENIX Security’08, San
Jose, CA. Aug. 2008.
[27] Shinsei Financial. Japanese businessmen monthly allowance,
2009. In Japanese. http://www.shinseifinancial.
co.jp/aboutus/questionnaire/kozukai2009/.
Last accessed April 16, 2010.
[28] F. Stajano and P. Wilson. Understanding scam victims:
Seven principles for systems security. Tech. Rep.
UCAM-CL-TR-754, Cambridge U., Aug. 2009. To appear in
Comm. ACM.
[29] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert,
M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna.
Your botnet is my botnet: analysis of a botnet takeover. In
Proc. ACM CCS’09, pages 635–647, Chicago, IL, Oct. 2009.
[30] P. Swire. No Cop on the Beat: Underenforcement in
E-Commerce and Cybercrime. J. Telecom. and High Tech.
Law, 7(1):107–126, Winter 2009.
[31] R. Thomas and J. Martin. The underground economy:
Priceless. ;login:, 31(6):7–16, Dec. 2006.
[32] Tokyo Metropolitan Police Association. Stop frivolous
billing requests! In Japanese. http://www.anzen.
metro.tokyo.jp/net/attention.html. Last
accessed April 15, 2010.
[33] Tokyo Shimbun. First arrest for One Click Fraud. In
Japanese. April 13, 2005. http://www6.big.or.jp/
~beyond/akutoku/news/2005/0413-10.html.
Last accessed April 16, 2010.
[34] Toyo Keizai Inc. Quarterly Corporate Report Sector Map
2010. 2009.
[35] Webhosting.Info. Largest ICANN registrars, Nov. 2009.
http://www.webhosting.info/registrars/
top-registrars/global/.
[36] G. Wondracek, T. Holz, C. Platzer, E. Kirda, and C. Kruegel.
Is the Internet for porn? An insight into the online adult
industry. In Proc. (online) WEIS’10, Cambridge, MA, June
2010.
[37] Yomiuri Shimbun. Company president arrested for two click
fraud. November 28, 2007. http://www.yomiuri.co.
jp/net/security/s-news/20071128nt0c.htm.
Last accessed April 16, 2010.
[38] Yomiuri Shimbun. IT writer arrested. November 8, 2005.
http://www.yomiuri.co.jp/net/news/
20051108nt03.htm. Last accessed April 16, 2010.
[39] J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou.
Studying malicious websites and the underground economy
on the Chinese web. In Proc. (online) WEIS’08, Hanover,
NH, June 2008.