One-click fraud in Japan typically refers to a type of scam that involves deceiving users into subscribing to adult video services. The fraud has been in existence for over a decade and shows no sign of disappearing. One-click fraud made its debut on smartphones in 2011 and has most heavily affected users of both Android and iOS, but it’s not unique to those operating systems and can affect any smartphone. The scam has developed into one of the most serious cyberfraud issues on the mobile platform. For further details about the scam, you can read my previous blog.
We have observed various tactics used in the scam throughout the years, but most scams simply trick the user into making a click or two in an attempt to view a video in order to falsely register the user. In most cases, the web page can be closed within the browser and the attempt to scam the user ends there. However, Symantec has recently come across a new variant that cannot be closed as easily because it holds the browser to ransom.
Users may come across this type of scam when searching for Japanese adult-related content on the internet or by clicking on links in spam. When a user clicks on a particular image of a video on a pornographic website, the browser is redirected to another website that actually hosts this scam.
Figure 1. Adult website containing an image of a video leading to a fraudulent site
Figure 2. Fraudulent site displaying a video
The browser then renders the content of the fraudulent page, and the scripts included in the page automatically open another page stating that the registration process has been completed, even though the user merely clicked on a video.
Figure 3. Registration page
A pop-up window then appears, providing details about registration such as the membership ID, the fee, and the phone number of the customer center.
Figure 4. Pop-up window with registration details
After the user clicks OK to close the window, another window pops up, prompting the user to make a call to a predetermined number. This number is identical to the number of the customer center provided in the previous pop-up window.
Figure 5. Pop-up window prompting the user to make a call
When the user tries to close this pop-up window, the previous registration window once again opens. These two windows keep reappearing in a loop and in essence the browser is taken hostage by the website. The smartphone itself and the rest of the apps installed can be used, but the browser is useless at this point.
Because not much can be done to the browser to close the scam site or even open a new tab to visit other websites, some users may be pressured into making the call to the customer center of the online service. Once this is done, attempts will be made to persuade them into paying the 99,800 yen (US$1,200) fee to use the pornography service for a year. At the time of research, the link on the website to the page that supposedly allows users to view pornographic videos was broken and the page was not found.
Users who accidentally visit the site and are automatically registered can try to remove the site and the pop-up windows from the browser by deleting the browser's cache or data, which refreshes the browser app. The procedure varies depending on the operating system and the browser app used. For instance, on iOS, a user has to clear the cache of the stock browser in the settings of Safari, while on Android, a user has to clear data in the browser app’s settings. If clearing the cache does not solve the issue or the procedure cannot be performed, the browser app may have to be reinstalled.
Figure 6. Clearing the data on Android and history and website data on iOS
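The looping pop-up windows described above can be contained by limiting how many script-driven dialogs a page may open in a short time. The following is an added example, not code from the original post or from the fraudulent site: it assumes the pop-ups are script-driven modal dialogs such as `alert()` and `confirm()`, and `createDialogGuard` and `simulateDialogLoop` are hypothetical names.

```javascript
// Added sketch: throttle script-driven modal dialogs so a page cannot trap the
// user in an endless pop-up loop. All names are hypothetical; in a browser the
// guard would be installed before page scripts run, for example:
//   window.alert = guard.wrap(window.alert.bind(window), undefined);
function createDialogGuard({ maxDialogs = 3, windowMs = 10000, now = Date.now } = {}) {
  const recent = [];      // timestamps of dialogs shown inside the window
  let blocked = false;    // once tripped, stays tripped for this page
  const stats = { shown: 0, suppressed: 0 };

  function wrap(dialogFn, suppressedResult) {
    return function guardedDialog(...args) {
      const t = now();
      // Forget dialogs that fell out of the sliding time window.
      while (recent.length && t - recent[0] > windowMs) recent.shift();
      if (blocked || recent.length >= maxDialogs) {
        blocked = true;
        stats.suppressed += 1;
        return suppressedResult;   // act as if the dialog was dismissed
      }
      recent.push(t);
      stats.shown += 1;
      return dialogFn.apply(this, args);
    };
  }
  return { wrap, stats, isBlocked: () => blocked };
}

// Constructed simulation of the behaviour in the post: two dialogs that
// re-open each other. delayMs is the time between consecutive dialogs.
function simulateDialogLoop(rounds, delayMs, options = {}) {
  let clock = 0;
  const guard = createDialogGuard({ ...options, now: () => clock });
  const seen = [];
  const alertFn = guard.wrap((msg) => { seen.push(msg); }, undefined);
  const confirmFn = guard.wrap((msg) => { seen.push(msg); return true; }, false);
  for (let i = 0; i < rounds; i++) {
    alertFn("registration details (constructed text)");
    clock += delayMs;
    confirmFn("call the customer center (constructed text)");
    clock += delayMs;
  }
  return { seen, stats: guard.stats, blocked: guard.isBlocked() };
}

// Rapid loop: only the first three dialogs reach the user.
console.log(simulateDialogLoop(10, 200).stats);
```

Dialogs spaced far enough apart never trip the guard, so ordinary pages that show an occasional confirmation keep working.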
Although this new browser-hijacking one-click fraud is so far limited to certain sites, the new scheme may catch on and become the new norm depending on how profitable the tactic is. Symantec strongly recommends that users not call the customer center of the video service. Norton Mobile Security users are protected against this fraudulent site with the product’s web protection feature powered by Norton’s Safe Web service.