Feeds

Click fraud botnet unpicked

Browser hijack scam runs through rogue traffic broker

Using blade systems to cut costs and sharpen efficiencies

Cybercrooks use of botnets to make money by sending spam or launching denial of service attacks has become a well-understood business model.

But the controllers of networks of compromised PCs have other ways of turning an illicit profit, including using rogue traffic brokers to defraud reputable brands. Trend Micro's write-up of a click fraud scam sheds light onto this less well-known but highly lucrative cyberscam.

Trend Micro has been on the trail of one particular gang of click fraud crooks for over 18 months. The gang is originally from Estonia, although there are loose connections with the UK, which hosts a shell company for a click broker selling web traffic that plays an important role in the complex scam.

David Sancho, a security researcher at Trend Micro's Labs, explained that the scam uses short-lived bots to redirect web traffic from compromised machines. Surfers seeking to visit Yahoo, for example, might be redirected via a third-party service before arriving at their destination, earning an unscrupulous broker a few cents in the process. In other cases surfers visiting the New York Times, for example, may be served ads from an ad-broker other than the licensed agent, Double Click.

Each of these actions might rake in as little as one or two pence, but with 150,000 bots in the network and multiple traffic hijacking incidents revenues of millions of dollars a year become possible.

The scam relies on short-lived bots, one of several factors that makes the overall fraud "not as conspicuous as spambots," Sancho explained.

The fraud hinges on the use of browser Trojan malware that redirects victims away from the sites they want to visit. Searches still work as normal but once victims click a search result or a sponsored link, they are instead re-directed to a foreign site so the hijacker can monetize fraudulent clicks via a traffic broker. These middlemen sell stolen or hijacked traffic back to legitimate web firms.

"For example, we have seen that Yahoo! search result clicks were resold back to Yahoo! via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart," Trend Micro researcher Feike Hacquebord explains.

One traffic broker, Onwa Ltd from St Petersburg, Russia, is clearly in on the scheme because it develops "back-end software for obscure, fake search engines that form a facade for click-fraud" that has no legitimate purpose. Onwa, which has been trading since at least 2005 and operates shell companies in the United Kingdom and Seychelles, also maintains an its own infrastructure for spoofed Google websites, Trend Micro reports.

Legitimate traffic brokers have also been roped into the scam, using fake search sites that act as intermediaries for traffic actually generated via click-fraud from compromised machines. The Alexa ratings of these sites are sometimes artificially inflated using bots to make them appear more trustworthy.

Browser hijacking is just the sort of behaviour that prompts end users to clean up their machines, so the typical bot has a life expectancy of just six days. The crooks compensate for this short life by constantly infecting new systems. More than two million computers have been infected with the browser hijacker so far this year, and Trend expects this will reach as much as four million by the end of 2010.

These browser hijackers come with an added DNS component. Every day, the gang releases new malware samples that change systems’ DNS settings to a unique pair of foreign servers. The cybercrooks use networks consisting of multiple servers that are hosted in various data centres around the world to pull off this aspect of the scam.

Even after a browser hijacker component is purged from the infected machine, the DNS changer can still remain active so that hijacking traffic remains possible, increasing the lifespan of the bots. The botnet replaces Double Click with Clicksor ads once the rogue DNS component is activated, a form of stealth click-fraud that is difficult to detect.

Trend's Sancho indicated that it had passed a file on the scam to law enforcement authorities, but declined to discuss where any investigation might be heading.

A full write-up of the scam, complete with illustrations, can be found in a blog post by Trend Micro here. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.