Security Response

One-Click Fraud Targeting Smartphones in Japan

Created: 23 Nov 2011 04:28:05 GMT • Updated: 23 Jan 2014 18:18:20 GMT • Translations available: 日本語
Author: Joji Hamada

A type of fraud involving adult-related content, called “one-click fraud”, has been targeting computer users in Japan for a while now. Typically, the fraud involves users attempting to access content on websites, which are usually pornography-related. When a user attempts to access this content (in most cases a movie), malware is downloaded and executed on the compromised computer along with the actual movie. The malware then continuously displays pop-up windows with lewd pictures asking for payment to register to the website. Since the pop-up windows will not go away, many users end up paying for the service in the hope that the pop-ups will disappear, although they may not actually disappear. Users who share the computer with their friends and families are more likely to make the payment, as they would rather keep their potentially embarrassing surfing habits a secret. Some time ago I wrote a blog post that describes one-click fraud in more detail.

While one-click fraud is still common on computers, we are now seeing sites that target smartphones, specifically Android and the iPhone. It’s worth noting that this site can also be displayed on Windows Phone and BlackBerry devices, but neither is specifically targeted at this time.

Users generally fall for this type of fraud after they have clicked on a link in a spam email or on a link they have stumbled across on a website. For smartphones, users receive spam at their smartphone email address*. The image below is an example of a spam email specifically created to be sent to a smartphone email address. When a user clicks on the link, the browser launches and opens an adult site. As you can see at the top of the site, it supports the iPhone and Android OS. The screenshots below were taken with an Android device.

Spam email


“Would you like to connect to http://nm[REMOVED].com/z1?”


The text within the red lines below the URL states that the iPhone and Android are supported.

Let’s now try accessing this site with an iPhone. You can see from the screenshot below that the content is identical to the content displayed above.


How about a Windows Phone? It displays the same content as well.

If you try to open the site using a device other than a smartphone, such as a computer or a feature phone, you will be shown different content. When visiting the site from a computer, the page advises the viewer to access the site from a mobile phone.

“Please access this site from a mobile phone.”


When accessing the site from a feature phone, content customized for the low-end device is displayed.


The goal of this site is to lure viewers into registering for the service by getting them to click the play button multiple times to view the movie of their choice. The site uses deceptive tactics, such as placing the terms and conditions at the very end of the page, where smartphone users are unlikely to notice them because they would need to scroll all the way to the bottom of the page to find them. Users are also supposed to check a box, located below the terms and conditions, to agree to them, but the box is selected by default. Even that point is moot: if a user deselects the box, they can still select movies of their choice, and the site registers the user anyway even though they did not agree to the terms and conditions.

“Agree to the terms and conditions” with the check box pre-selected


As a side note, I could not read the terms and conditions on a Windows Phone because I could not scroll down the sidebar. The top page of the site did in fact only mention that the iPhone and Android are supported, so the site isn’t designed for Windows Phone just yet, even though it can be opened on one. Once the OS begins to grab a larger market share, I’m sure it will only be a matter of time before it is supported as well. As for the BlackBerry, the experience is similar to the Windows Phone: the terms and conditions cannot be viewed, and the check box to agree to the terms and conditions is pre-selected and cannot be deselected. I believe that the BlackBerry is not targeted because most of its users are enterprise users.

Terms and conditions cannot be viewed on the Windows Phone


Once a user is registered, they are asked to pay for the service within three days; the fee is an exorbitant Y55,000 (US$700). The site makes the registration look real by displaying the IP address used by the phone, browser details, a customer ID, and so on.

When the user leaves the registration page, a message pops up as a reminder that the user has indeed joined the service, and it tries to intimidate the user into paying by stating that details of the phone used for the registration have been saved by the site.

At this point, users are subscribers and have their own personal page that details when payments are due, how long they are subscribed for, a customer ID, and a unique 40-digit ID intended to make them think that the site owner can track them down.

The site does give an option of unsubscribing in accordance with the terms and conditions; however, as you can see below, the site fails to complete the task. What a surprise.

Unsubscribe page


The Japanese text states that unsubscribing failed.

Users who may have subscribed to the site do not in fact have to make any payments. They should simply close the browser and never visit the site again. They should also not worry about the smartphone details that were displayed on the site: the site owner does not possess any relevant information about them or their phones that could be used to do them any harm. If they do decide to make payments or contact the site owner to dispute the charge, that will allow the site owner to collect information about them, such as bank account details, email addresses, or phone numbers, which can then be used at a later time for potentially malicious purposes. If a user has unwittingly signed up for this site, they can instead delete the site's cookie in their browser, as that is what the site uses to identify repeat visits. Once the cookie is deleted, the site displays its pages as if the user had never visited before. But before things get messy like this, I suggest that users refrain from clicking links in spam. Better yet, don’t even open spam.
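To make the two mechanisms described above concrete (the site choosing a page variant from the device type, and the "registration" existing only as a browser cookie), here is an added example: a hypothetical server-side model written for this post, not the fraud site's own code or anything recovered from it. The cookie name `cid`, the User-Agent patterns, the customer and tracking ID formats and the page names are all assumptions made for the demonstration; the constructed walk-through in `demo()` shows that once the cookie is gone the server has nothing left to recognise the visitor by.

```python
import re
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical reconstruction (not the site's code) of the behaviour the post
# describes: the page variant depends on the User-Agent, and "registered"
# state is tied to nothing but a cookie handed to the browser.

COOKIE_NAME = "cid"  # assumed cookie name; the post does not give it
SMARTPHONE_UA = re.compile(r"iPhone|Android|Windows Phone|BlackBerry", re.I)
# Japanese feature phones identify themselves by carrier strings (assumption).
FEATURE_PHONE_UA = re.compile(r"DoCoMo|KDDI|SoftBank", re.I)

# The server's entire knowledge of a "subscriber", keyed by cookie value only.
registrations = {}


def classify_device(user_agent: str) -> str:
    """Map a User-Agent header to the three page variants the post observed."""
    if SMARTPHONE_UA.search(user_agent):
        return "smartphone"
    if FEATURE_PHONE_UA.search(user_agent):
        return "feature_phone"
    return "pc"


def handle_request(cookie_header: Optional[str], user_agent: str,
                   client_ip: str, click_play: bool = False) -> dict:
    """Simulate one HTTP request and return what the server would render."""
    device = classify_device(user_agent)
    if device == "pc":
        # A computer is simply told to come back from a mobile phone.
        return {"device": device, "page": "please_access_from_mobile",
                "registered": False, "set_cookie": None}

    cookies = SimpleCookie(cookie_header or "")
    cid = cookies[COOKIE_NAME].value if COOKIE_NAME in cookies else None

    if cid in registrations:
        # Returning "subscriber": recognised by the cookie and nothing else.
        return {"device": device, "page": "member_page", "registered": True,
                "set_cookie": None, "record": registrations[cid]}

    if not click_play:
        # No cookie and no play click: an ordinary first visit.
        return {"device": device, "page": "landing", "registered": False,
                "set_cookie": None}

    # Clicking play "registers" the visitor regardless of the consent box.
    # The IDs are random; they encode nothing about the person or the phone.
    cid = secrets.token_hex(4)
    registrations[cid] = {
        "customer_id": cid,
        "tracking_id": secrets.token_hex(20),  # 40 hex digits, purely random
        "ip": client_ip,                        # only what any web server sees
        "user_agent": user_agent,
    }
    return {"device": device, "page": "registration_complete",
            "registered": True, "set_cookie": f"{COOKIE_NAME}={cid}",
            "record": registrations[cid]}


def demo():
    """Constructed scenario: register, return with the cookie, then without."""
    ua = "Mozilla/5.0 (Linux; U; Android 2.3.4; ja-jp) AppleWebKit/533.1 (constructed)"
    first = handle_request(None, ua, "203.0.113.10", click_play=True)
    again = handle_request(first["set_cookie"], ua, "203.0.113.10")  # recognised
    cleared = handle_request(None, ua, "203.0.113.10")                # cookie deleted
    return first, again, cleared


if __name__ == "__main__":
    for step in demo():
        print(step["page"], "registered:", step["registered"])
```

The third request in `demo()` comes from the same phone, the same IP address and the same browser, yet the server can only serve the landing page again, which is exactly why deleting the cookie is enough and why the "saved phone details" in the intimidation message carry no weight.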

*Japanese mobile phones are capable of sending and receiving emails natively, and they also have an email address specific to that phone.
