The One-Click Billing fraud, a scheme known to target PC users in Japan, now appears to target smartphone users as well.
The scheme, as its name suggests, tricks a victim into registering and paying for a service after being lured to a specific website. Reports of successful attacks have been increasing in Japan since 2004, and inquiries to the Information-technology Promotion Agency, Japan (IPA) already totaled 903 in November 2009.
A typical attack starts with a spam message sent to the victim, containing a link to a website that hosts free videos. The website lists videos with sensational titles to catch users’ attention. Attempting to view any of the videos plays a trailer, along with an explanation of why viewing is free.
Once the trailer ends, a “view more” link is displayed, which the user must click to supposedly see the video they originally wanted. Instead, users are redirected to a page stating that they must first register as a member of the site, and are told to pay a fee. The payment notice remains on the screen until the user pays the stated amount.
During our monitoring of sites related to this threat, I found one interesting URL that contains a Quick Response (QR) code and text that says “Please kindly visit this site by mobile phone”.
When I scanned the code, I found that it leads to the same URL as the one that displayed the QR code, except that it displays an adult site when accessed via a mobile device.
The site’s Terms of Service state that it charges a service fee of 49,800 yen, billed immediately once a user has registered.
Clicking any of the videos on the site leads to an age verification page. Once users confirm their age and click “Register”, a message appears claiming that data from the mobile device is now being transferred and registered.
One can imagine how alarming this message is to an average user, given that the website involved is an adult site. Fortunately, the site is not capable of retrieving information from the device and sending it to a remote website. It simply displays information that any web server can see in an ordinary request, such as the visitor’s IP address, together with a customer ID and a device ID it claims to have assigned to the user, in an attempt to scare them into paying.
What makes this fraud noteworthy, however, is that users may be convinced that their information was really sent to the adult site. In turn, they may be willing to pay the specified amount, fearing that not doing so may cause them trouble and embarrassment.
So why are the cybercriminals behind this kind of scheme targeting smartphone users? My assumption is that they are leveraging the fact that mobile device users are still not fully aware that they are becoming a primary target of cybercrime. Smartphones also have small screens on which URLs are often not fully displayed, making it difficult for users to verify whether a URL is malicious. In addition, smartphone users tend to store personal information such as private pictures, addresses and schedules on their devices, making them prime targets for information theft.
For these reasons, users are strongly advised to consider investing in an effective mobile security app. iPhone and Android users can try Trend Micro Smart Surfing for iPhone and Trend Micro Mobile Security for Android.