We have been closely monitoring Japanese dating spam for a while now, and have recently identified "adult dating" as one of the most often observed attacks. Adult dating spam has been around for quite some time, but how are spammers using these types of messages to their advantage? Dating spam is often referred to as Sakura. The term Sakura can be described as a group of "fake customers"—women looking for dates through a dating site, systematically trained to attract real customers. The spammer's intent for distributing these adult dating offers is to lure recipients into signing up for fake dating services and/or to harvest active email address accounts. Many of these spam offers are easily identifiable by the randomly generated From lines and erotic Subject lines:
From: 石本 孝治 <email@example.com>
From: startup <firstname.lastname@example.org>
From: "meguu" email@example.com
From: "市場事務局" <firstname.lastname@example.org>
From: "市場事務局" <email@example.com>
From: "野口梨花" <zysivemqgo@check1check
Subject: 女の子と遊ぶだけでお金がもらえます！
[Make money just from having fun with girls]
[Your dating partners are HERE!]
[【Important】For males who are troubled by money issues]
[Mature aged looking for love]
The most frequently used technique for this spam type is one-click fraud. In one-click fraud, when a user clicks enter, he or she is automatically prompted to supply payment information and given a time limit for use. There is no way of knowing whether or not the site is legitimate because no access is given pre-payment.
The second generation of techniques for this spam is two-click fraud, which is an evolved version of one-click fraud. In two-click fraud, once a user clicks enter, a pop-up dialogue box appears asking for age verification and terms of agreement acceptance. In legitimate sites you generally see verification steps such as this, so a spammer has more than likely applied this technique in order to gain a more legitimate look-and-feel for their site.
Another often-seen trick with dating spam is the "point system." In a point system, a user is instructed to buy points in order to take any type of action. For example, you will need one point in order to view a picture of a woman or to send her an email. You will need to buy these points for 10 yen each. If you want the physical address of the woman you will need 100 points, which is 1,000 yen. Boy, this can get pricey! And, of course, you have no idea whether you will actually get that real physical address or merely lose your 1,000 yen.
The "trap link" is another Sakura trick. Spammers use other legitimate dating sites as a medium to indirectly attract site members to their own fraudulent Web page. This is called a Business/Contractor Sakura scheme. These spam organizations create a number of female characters to use as dummy accounts on those legit sites. Under a legit platform, these disguised characters fish for possible victims by bringing them over to the spammer’s site. Fictional requests often contain subject lines similar to the following: “Email from Ms. XX has arrived from YY site.”
The problem is, the user never signed up at YY site. However, sometimes the lure can be too intriguing to pass up, so the user will click on the site to check the person out anyway. Typically, in these emails there is a confirmation link and an opt-out link within the email body, which is forged of course. The spammer’s purpose is to collect active email accounts. The gathered records are organized into a "duck list" for future spam/fraud uses. The so-called duck list is a common list of victim records. Spammers or fraudsters keep a record of baited victims who pay requested fees or click into links as directed. This list of records is then sold amongst spammers or fraud groups.
Two spam filter evasion techniques employed by adult dating spammers are botnets and symbol usage. With recent adult dating spam messages, spammers have taken advantage of computers located in China for cheaper infrastructure costs. Analysis shows that machines located in Korea are also a main target for zombie computers. These messages come from botnets with an origin in Japanese time zones, but are received from CN or KR IPs. Compromised machines used in this spamming technique also complicate delivery paths, making it difficult to trace back.
The use of symbols (such as star and triangle signs) in between characters, around the mail title or body text, is often observed in these messages as well. These symbols are usually inserted around key words in the message in an attempt to throw off spam filters.
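On the filtering side, the symbol trick described above can be undone before keyword matching. The following is an added example, not part of the original article: it assumes the Subject has already been decoded to Unicode, and the keyword list and sample subjects are constructed for illustration.

```python
import unicodedata

# Hypothetical keyword list, built from the sample Subject line quoted in the article.
KEYWORDS = ["女の子", "お金がもらえ"]

def strip_decoration(text):
    """Fold width variants (NFKC), then drop symbols, punctuation,
    separators and control/format characters (categories S*, P*, Z*, C*)."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in folded
                   if unicodedata.category(ch)[0] not in "SPZC")

def count_symbols(text):
    """Count decorative symbols (category So: stars, triangles, circles...)."""
    return sum(1 for ch in text if unicodedata.category(ch) == "So")

def analyze_subject(subject, keywords=KEYWORDS):
    """Match keywords on the raw and the cleaned subject.
    A keyword that only matches after cleaning was hidden by inserted symbols."""
    cleaned = strip_decoration(subject)
    keys = [unicodedata.normalize("NFKC", k) for k in keywords]
    raw_hits = [k for k in keys if k in subject]
    clean_hits = [k for k in keys if k in cleaned]
    hidden_hits = [k for k in clean_hits if k not in raw_hits]
    return {
        "cleaned": cleaned,
        "raw_hits": raw_hits,
        "hidden_hits": hidden_hits,
        "symbols": count_symbols(subject),
        "evasion": bool(hidden_hits),  # stronger signal than a plain hit
    }

# Constructed sample subjects (not taken from real mail).
SAMPLES = [
    "★女☆の★子☆と遊ぶだけで▲お△金▲がもらえます！",  # symbols between characters
    "女の子と遊ぶだけでお金がもらえます！",            # same text, undecorated
    "【重要】会議の日程変更について",                  # benign business subject
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze_subject(s)
        print(r["evasion"], r["symbols"], r["raw_hits"], r["hidden_hits"])
```

A keyword that appears only in `hidden_hits` is worth scoring higher than an ordinary match, since legitimate senders rarely split words with decorative symbols.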
As you can see from the descriptions above, Japanese dating spam continues to evolve. As long as it is profitable, spammers will develop new techniques to draw in customers from which to collect vital information for duck lists and payments for their pockets.