Click fraud botnet unpicked

Browser hijack scam runs through rogue traffic broker


Cybercrooks use of botnets to make money by sending spam or launching denial of service attacks has become a well-understood business model.

But the controllers of networks of compromised PCs have other ways of turning an illicit profit, including using rogue traffic brokers to defraud reputable brands. Trend Micro's write-up of a click fraud scam sheds light onto this less well-known but highly lucrative cyberscam.

Trend Micro has been on the trail of one particular gang of click fraud crooks for over 18 months. The gang is originally from Estonia, although there are loose connections with the UK, which hosts a shell company for a click broker selling web traffic that plays an important role in the complex scam.

David Sancho, a security researcher at Trend Micro's Labs, explained that the scam uses short-lived bots to redirect web traffic from compromised machines. Surfers seeking to visit Yahoo, for example, might be redirected via a third-party service before arriving at their destination, earning an unscrupulous broker a few cents in the process. In other cases surfers visiting the New York Times, for example, may be served ads from an ad-broker other than the licensed agent, Double Click.

Each of these actions might rake in as little as one or two pence, but with 150,000 bots in the network and multiple traffic hijacking incidents revenues of millions of dollars a year become possible.

The scam relies on short-lived bots, one of several factors that makes the overall fraud "not as conspicuous as spambots," Sancho explained.

The fraud hinges on the use of browser Trojan malware that redirects victims away from the sites they want to visit. Searches still work as normal but once victims click a search result or a sponsored link, they are instead re-directed to a foreign site so the hijacker can monetize fraudulent clicks via a traffic broker. These middlemen sell stolen or hijacked traffic back to legitimate web firms.

"For example, we have seen that Yahoo! search result clicks were resold back to Yahoo! via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart," Trend Micro researcher Feike Hacquebord explains.

One traffic broker, Onwa Ltd from St Petersburg, Russia, is clearly in on the scheme because it develops "back-end software for obscure, fake search engines that form a facade for click-fraud" that has no legitimate purpose. Onwa, which has been trading since at least 2005 and operates shell companies in the United Kingdom and Seychelles, also maintains an its own infrastructure for spoofed Google websites, Trend Micro reports.

Legitimate traffic brokers have also been roped into the scam, using fake search sites that act as intermediaries for traffic actually generated via click-fraud from compromised machines. The Alexa ratings of these sites are sometimes artificially inflated using bots to make them appear more trustworthy.

Browser hijacking is just the sort of behaviour that prompts end users to clean up their machines, so the typical bot has a life expectancy of just six days. The crooks compensate for this short life by constantly infecting new systems. More than two million computers have been infected with the browser hijacker so far this year, and Trend expects this will reach as much as four million by the end of 2010.

These browser hijackers come with an added DNS component. Every day, the gang releases new malware samples that change systems’ DNS settings to a unique pair of foreign servers. The cybercrooks use networks consisting of multiple servers that are hosted in various data centres around the world to pull off this aspect of the scam.

Even after a browser hijacker component is purged from the infected machine, the DNS changer can still remain active so that hijacking traffic remains possible, increasing the lifespan of the bots. The botnet replaces Double Click with Clicksor ads once the rogue DNS component is activated, a form of stealth click-fraud that is difficult to detect.

Trend's Sancho indicated that it had passed a file on the scam to law enforcement authorities, but declined to discuss where any investigation might be heading.

A full write-up of the scam, complete with illustrations, can be found in a blog post by Trend Micro here. ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading

Biting the hand that feeds IT © 1998–2022