During our monitoring of the Japanese online scam known as one-click fraud, we recently observed a change in tactics used by the criminals behind it: the use of websites that require zero clicks to “subscribe” visitors to pornographic sites.
One-click fraud has existed for over a decade now and, like other persistent online threats, has evolved over time. Typically, one-click fraud attempts to trick users into subscribing to a fake adult video service with a single click, although variants requiring two, three, and even four clicks have also been observed. In recent years, the most notable changes to the scam have been introduced around the beginning of the year, and 2016 was no different: the start of this year saw the emergence of zero-click fraud.
The scam begins when a user comes across a pornographic site that claims to crawl and index pornographic videos found on the internet.
Figure 1. Website claiming to index pornographic videos
If a user clicks on one of the video links, their browser is redirected to another site and they are shown what looks like a video player.
Figure 2. Fake adult video website
Typically during this type of scam, users are required to click on the video to view the content or click on an “OK” button acknowledging that they are 18 or older, before they are shown the page telling them they have subscribed to the service. Hidden somewhere on the page—typically at the very bottom, meaning users would have to scroll down—is an explanation about the cost of the service. However, on the recently observed zero-click sites, the pages automatically jump to the subscription page without any user interaction. As can be confirmed in the HTML source code, a simple meta refresh tag is used to fetch a different URL following a refresh of the web page after one second.
Figure 3. A simple meta refresh tag is used to fetch a different URL
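As an added illustration (not code from the original post), the following Python helper shows how a defender could detect the behaviour described above: it parses a page for `<meta http-equiv="refresh">` tags and flags any that redirect the browser to a different host within a few seconds. The sample HTML and the hostnames in it are constructed placeholders, not values from the scam sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling a zero-click landing page (placeholder hosts).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="1;url=http://example-payment.test/subscribed.php">
<title>video</title></head><body><div id="player"></div></body></html>"""

# Matches "<seconds>" or "<seconds>;url=<target>" (quotes and case tolerated).
CONTENT_RE = re.compile(r"\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]+)['\"]?)?", re.I)


class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, target_url) pairs from meta refresh tags."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = CONTENT_RE.match(a.get("content", ""))
        if m:
            self.refreshes.append((int(m.group(1)), (m.group(2) or "").strip()))


def find_meta_refresh(html):
    """Return every meta refresh found in the document as (delay, url)."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    return parser.refreshes


def flag_zero_click_redirect(html, page_url, max_delay=5):
    """Return target URLs of refreshes that leave the page's host within max_delay seconds."""
    origin = urlparse(page_url).hostname
    hits = []
    for delay, url in find_meta_refresh(html):
        target = urlparse(url).hostname if url else None
        if target and delay <= max_delay and target != origin:
            hits.append(url)
    return hits
```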
The user is falsely led to believe that they have signed up for the service without any warning whatsoever and are now required to pay a fee of, in some cases, the equivalent of over US$2,000. The victim is also given the choice to call a support center within 24 hours, if they subscribed by accident.
Figure 4. Pop-up support center phone number to inquire about subscription
In many instances of this scam, dial-up windows persistently pop up on the user’s phone displaying the support center number. This is an attempt to lure victims, who may be desperate to unsubscribe from the service, into calling the number. The site states users can call to automatically unsubscribe themselves and that the support center is open around the clock.
Figure 5. Dial-up dialog with support center number
It should be noted that the “subscription” in this scam is a lie and should be ignored. Users should never call the support center number as the scammers may attempt to persuade the caller into making a payment. In addition, the phone number used to dial the support center will likely be logged and used for further fraudulent activity. Users should also refrain from sending any emails to the provided address for the same reasons.
Symantec recommends installing a security app such as Norton Mobile Security to protect against fraudulent sites such as the zero-click fraud sites discussed in this blog. Norton Mobile Security blocks these fraudulent sites with Norton Safe Web.
To find out more about one-click fraud, check out our other blogs: