One-click fraud is by no means new. In Japan, this type of scam—in which victims are tricked into clicking on some tempting offer and then coerced into registering for certain services, usually pornography-related—has existed for over a decade now. A single click is all it takes for the user to get infected by malware. The user is then subjected to annoying, and in some cases embarrassing, pop-up windows until they pay a registration fee for whatever service is being pushed. Most recently, the scam saw browsers getting hijacked or locked after enticing smartphone users to sign up for adult video subscriptions on their devices.
In the past, one-click fraud has mainly targeted Japanese-speaking users. Now, however, we have observed a new campaign that is aimed not only at the usual Japanese-speaking targets but also at Chinese speakers. It seems that one-click fraudsters have decided to become multilingual in an effort to expand their horizons and explore new market opportunities.
More specifically, the campaign is targeting users in Hong Kong: the fraudsters' pop-up windows and registration pages are written in Chinese and demand payment in Hong Kong dollars. In the last month alone, we blocked over 8,000 such cases, which could potentially have netted the cybercriminals HK$40 million, equivalent to over US$5 million.
How the scam works
The campaign starts by tricking the user into downloading and running a seemingly innocuous HTML Application (HTA) file.
Users may encounter this attack when visiting adult websites that show a seemingly legitimate video player or a window with an age verification checker.
Figure 1. A legitimate-looking video player on an adult site
When users click on the fake video player, an HTA file is downloaded onto the computer. The file then displays a dialog box asking the user for permission to run.
Figure 2. The downloaded HTA file displays a dialog box asking the user for permission to run
Once the user gives permission for the HTA file to run, the video starts to play; meanwhile, in the background, the malicious script inside the HTA file is executed. The script creates the following registry entry, which causes a non-terminating pop-up window to be displayed on the user's desktop:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"webutcry" = "mshta "%AllUsersProfile%\Application Data\utcry\2VMM509W.hta""
The pop-up window asks the user to pay to sign up to an adult website. If the user pays, they are told the pop-up window will be removed. The window also features a timer that supposedly counts down to when the offer expires.
Figure 3. Pop-up window. Note that some of the content is written in English, Hong Kong’s second official language
This behavior is very similar to ransomware as the user’s desktop is effectively held for ransom—even if the user restarts the computer, the pop-up window will still be displayed.
Figure 4. Demanding payment in Cantonese and English
The threat creates several registry entries, including the one shown above, which record the URL from which the pop-up image and other data are downloaded and the local path where they are stored.
Figure 5. Registration page asking for 5000HKD (US$650)
This attack only affects Internet Explorer users, as HTA files need the mshta.exe engine to execute code, which is available only with Internet Explorer. HTA files also have more privileges than HTML files: they run as fully trusted applications without sandboxing, which gives an attacker considerable scope to abuse the computer. In addition, the mshta.exe engine has permission to write files and can add and delete registry entries.
The malicious script found inside the HTA file is obfuscated and is de-obfuscated when executed.
Figure 6. Obfuscated script inside the HTA file
The malicious script also creates the registry entry responsible for the non-terminating pop-up window.
Figure 7. De-obfuscated script responsible for addition of registry entry
The script also creates two ActiveX objects in order to check whether the user has previously been scammed by this campaign and to launch the process that enables the non-terminating pop-up window to be displayed.
Figure 8. Script creates two ActiveX objects
One-click, more than one language
One-click fraud has been around for more than a decade in Japan; however, as with any business model, growth and expansion are key to remaining successful. By mainly targeting one country, the cybercriminals limit the profit they can make, and the targeted population eventually wises up to the scam, making it less effective. The fraudsters behind this campaign seem to realize this and have begun to use different languages in order to branch out into other markets. Given the relative ease with which they could localize their scams, we expect to see more one-click fraud targeted at other languages and locations in the future.
Users are advised to avoid downloading and running HTA files from unknown sources. Infected users can remove the pop-up window by deleting the registry entry and any files dropped by the script.
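The persistence mechanism described above (an autorun value that launches mshta against the dropped HTA) and the cleanup in the previous paragraph can both be handled from a registry export collected off the machine. The following is an added example, not code from the original post or from Symantec's tooling: it parses `reg export` text for the Run and RunOnce keys, flags any value that invokes mshta with an .hta file, and renders the cleanup steps. The export text is constructed for the example; only the "webutcry" value reproduces the entry quoted in the post, while the "VendorUpdater" and "Helper" values are made up (one benign, one a hypothetical variant that uses the full mshta.exe path under HKCU).

```python
"""Offline triage of a Windows registry export for mshta-based autorun persistence."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of what `reg export` of the Run keys might look like on an
# infected host. Only the "webutcry" line comes from the post; the other two values
# are made up for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"webutcry"="mshta \"%AllUsersProfile%\\Application Data\\utcry\\2VMM509W.hta\""
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Helper"="C:\\Windows\\System32\\MSHTA.EXE C:\\ProgramData\\helper\\view.hta"
"""

# Any hive or Wow6432Node variant of the Run / RunOnce keys.
AUTORUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# "mshta" or "mshta.exe" as a standalone token, with or without a leading path.
MSHTA_RE = re.compile(r'(?:^|[\\\s"])mshta(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)
# Either a quoted path ending in .hta or a bare, space-free one.
HTA_PATH_RE = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)\b', re.IGNORECASE)
# .reg string values: "name"="data", with \\ and \" escapes inside.
REG_STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class Finding:
    key: str
    value_name: str
    command: str
    hta_path: Optional[str]


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in one left-to-right pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and string values.
    Non-string values (dword:, hex:) and the file header are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = REG_STRING_RE.match(line)
        if m and current is not None:
            entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def find_mshta_autoruns(entries: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return every autorun value that launches mshta, with the .hta path if one is visible."""
    findings: List[Finding] = []
    for key, values in entries.items():
        if not AUTORUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            if not MSHTA_RE.search(command):
                continue
            m = HTA_PATH_RE.search(command)
            hta = (m.group(1) or m.group(2)) if m else None
            findings.append(Finding(key, name, command, hta))
    return findings


def remediation_steps(f: Finding) -> List[str]:
    """Render the cleanup the post describes (remove the registry value and the dropped
    file) as commands for an administrator to review. The running mshta instance is
    stopped first so the HTA is not in use when it is deleted."""
    steps = ["taskkill /IM mshta.exe /F", f'reg delete "{f.key}" /v "{f.value_name}" /f']
    if f.hta_path:
        steps.append(f'del /F "{f.hta_path}"')
    return steps


if __name__ == "__main__":
    for finding in find_mshta_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[!] {finding.key}\\{finding.value_name} -> {finding.command}")
        for step in remediation_steps(finding):
            print(f"    {step}")
```

The HTA path is reported exactly as the autorun value spells it, so the `%AllUsersProfile%` variable is left for the shell to expand on the affected machine. The post also notes that the script drops other files and creates further registry entries recording the download URL and local storage path; those are not enumerated from the Run keys alone and need to be collected from the directory the HTA path points to.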
Symantec and Norton customers are protected from this attack by the following detections: