One-Click Billing Fraud Tricks

Written by: Oscar Celestino Angelo Abendan ll

Contrary to its name, one-click billing fraud takes more than just one click. Fraudsters trick users into downloading malware disguised as a program that will let them view adult videos onto their systems. Instead of letting them watch videos, they are persistently bombarded by alerts asking them to pay for a certain registration fee.

This kind of threat, specific to Japan, is characterized by persistent alerts that finally urge users to pay for the said fee. Compared with scareware, FAKEAV, and ransomware, one-click billing fraud threats charge higher fees amounting to as much as 99,800 Yen (approximately US$1,300). We have also seen several one-click billing fraud schemes target the mobile platform to possibly cash in on the ever-growing number of mobile users.


How do users get wind of this type of threat?


Users may encounter links to malicious one-click billing fraud sites via spam, blog comments, and/or social media posts. Users who also frequent video-sharing sites or blogs to watch adult videos may also be affected by this threat. Users who stumble upon one-click billing fraud sites and click anywhere on their pages may also become victims.

Mobile users, on the other hand, may be affected by this threat when they view particular sites or download certain apps.


In a nutshell, how does one-click billing fraud schemes work?


Users who land on one-click billing fraud sites who are enticed to view certain videos are asked to download a program in order to do so. Downloading the program, however, only allows them to watch a few seconds of their chosen videos or none at all. The program also causes the display of prompts that ask users to click a certain item onscreen so they can view the full videos.

The program users are asked to view the video is actually a one-click billing fraud malware. This can be an .HTML, an .HTA, a .JS, or a .VBS file, among other types and may belong to either the HTAPORN or PORNY malware family, among others.

Once installed in users’ system, the malware bombards them with alarming and hard-to-ignore alerts, demanding that they pay a certain amount as registration fee.


What sites are related to this particular attack?

We found several sites, typically with pornographic content, related to this threat. Some of the known domains include:

{blocked}movies.com
{blocked}awarimove.net
{blocked}poo.net
{blocked}ne-movies.com

To know more about these sites, please visit the Trend Micro Threat Encyclopedia.


How does a one-click billing fraud attack ensue?

One particular one-click billing fraud attack we observed involved these steps:

1. Users visit an adult video site, which verifies their ages. On the lower part of the page notifies them that they need Adobe Flash Player, Internet Explorer 6, Internet Explorer 7, and Windows Media Player 11 in order to view content.

2. Declining the terms of agreement redirects users to the Japanese Yahoo! site. Accepting them, on the other hand, leads them to a page where the collection of pornographic videos is hosted. Below each video are buttons that all lead to the agreement page with a special movie offer.




3. The highlighted buttons are the only ones that seem to work, forcing users to only click these. Clicking non-highlighted buttons prompts the display of an alert instead.

4. Clicking the Play button leads to the download of the .HTA file, 754a.hta, which creates a process called mshta.exe in system32 that eventually opens a fake Windows Media Player. This leads to the display of an image wherein the Close or X button changes the screensaver. Even worse, this image appears every time infected systems start and is difficult to close.




 
5. Giving in to the persistent alerts directs users to an online registration page with a link attached to the text, “Video download page.” Clicking the link redirects to the site’s home page. Before landing on the page, however, it prompts the display of a fake Java loading page along with an alert that shows the terms and conditions. 



How has one-click billing fraud attacks evolved?


One-click billing fraud threats were initially confined to desktops. Last year, however, these also began targeting mobile platforms.

One-Click Billing Fraud Targets Mobile Users

While monitoring sites related to one-click billing fraud, Trend Micro uncovered one particular URL with a quick response (QR) code and text saying, “Please kindly visit this site by mobile phone.”

Users who visit the site and scans the given code via a mobile device prompts the display of an adult site. Confirming their ages and registering to the site triggers the appearance of a message saying the data from their mobile devices is being transferred to the site. Average mobile device users may find this message alarming enough to pay a registration fee.

One-Click Billing Fraud Android App

This one-click billing fraud attack via an Android app is trigged by browsing the blog, “Game Dunga,” via a mobile device. The said site has already changed its domain three times. Previous versions include links that lead to game-playing videos. Its latest version, however, features videos showing game players along with links that lead to adult-oriented sites.

Trying to view any of the videos triggers the display of a pop-up window that asks users to download an app detected by Trend Micro as ANDROIDOS_FAKETIMER.A. When downloaded, this malware steals user account information that is then sent to a remote malicious user.

To further convince affected users to pay, the malware also displays the information it stole from them. It also prompts the display of a pop-up window with the message, “We havent' received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.” Based on our analysis of the app’s code, this message appears on users’ devices every 5 minutes.


How do HTAPORN and PORNY malware variants affect users?


HTAPORN and PORNY malware variants access malicious URLs, specifically related to pornographic content. PORNY malware variants particularly make use of several fake applications such as Windows Media Player, among others. If not removed, these alerts are continuously displayed.


What makes one-click billing fraud attacks successful?


Even though one-click billing fraud attacks are virtually unknown outside Japan, these have become a significant concern in the country. In fact, the frequency of incidents in Japan prompted several government agencies to keep track of cases. An estimated 400 new cases are reported each month although more cases remain unreported.

Like other contemporary web threats, one-click billing fraud attacks’ success could be attributed to their power to tap into human behaviors, as users end up paying anyway due to embarrasment or guilt.


How can users prevent this threat from affecting them?

Searching for pornographic content online is always risky. Cybercriminals know that these content can entice a lot of users. What makes one-click billing fraud attacks different is that these typically lead to several redirections before the actual download of supposed videos. Users should thus rethink their options and proceed with caution.

Mobile device users should regularly download updates provided by vendors and install security software in their devices. They must be cautious of downloading apps, especially those available in third-party app stores.


Are Trend Micro product users protected from one-click billing fraud attacks?


Trend Micro product users are protected from this threat via the Trend Micro™ Smart Protection Network™. Web Reputation Technology blocks access to malicious URLs, Email Reputation Technology prevents malicious spam from even reaching users’ inboxes, and File Reputation Technology detects and deletes malicious files from users’ systems.

Mobile device users are also protected via Trend Micro Mobile Security.


What are the implications of one-click billing fraud attacks?

The implications of one-click billing fraud attacks are similar to those of scareware, FAKEAV, and ransomware attacks—users incur actual monetary loss.

FAKEAV attacks persuade users to buy full versions of fake antivirus products for fear of system infection. One-click billing fraud attacks ask users to pay a registration fee with the aid of persistent alerts that are quite difficult to remove. Users end up paying fees amounting to as much as 99,800 Yen (approximately US$1,300).


FROM THE FIELD: EXPERT INSIGHTS


“One of the reasons for its recent prevalence is that it is easy to modify files in one-clickware to avoid being detected by security software. Cybercriminals behind one-click billing fraud are able to check if security companies can detect their programs and modify these files accordingly.” — Uchida Daisuke, Marketing Specialist JP