New click fraud botnet discovered in Bosnia
August 11, 2010
Cybercrooks and spammers use large botnets to make money by sending email spam or launching DoS (denial of service) attacks; this has become a well-understood business model for them, and the number of such botnets is increasing rapidly.
But the controllers of those networks of compromised PCs and servers have recently discovered other ways of turning an illicit (read illegal) profit, including using rogue 'Internet traffic brokers' to defraud reputable brands of large and well-known companies.
Trend Micro recently discovered a new and rather "creative" click fraud scheme that sheds light on this less well-understood but highly lucrative cyberscam. The trend appears to be growing at a fast rate, which worries more than one Internet security analyst.
Trend Micro has been on the trail of one particular group of click fraud cyber-criminals for the past year and a half. That group originally hails from Estonia, but there are also connections with the U.K., which hosts a shell company for a so-called "click broker" selling Internet traffic; that broker plays an important role in this complex botnet.
David Sancho, an Internet security researcher at Trend Micro Labs, explains that the scheme uses short-lived bots to redirect Internet traffic from compromised computers and servers. Web surfers seeking to visit Yahoo, for example, might be redirected via a third-party service before arriving at their destination, earning an unscrupulous 'traffic broker' a few cents in the process. Those few cents add up very quickly, which is the only thing the cyber crooks are interested in.
In other, similar cases, surfers visiting the New York Times, for example, may be served ads from an ad broker other than the exclusive licensed agent, DoubleClick.
Each of these actions may bring in as little as one or two cents, but with 150,000 bots in the network and multiple traffic hijacking incidents, revenues of millions of dollars or more a year become possible. That is the heart of the whole issue.
The scheme relies on short-lived bots, one of several factors that makes the overall fraud "not as conspicuous as spambots," Sancho explained.
The click fraud hinges on browser Trojan software that redirects victims away from the sites they want to visit. Searches still work as normal, but once victims click a search result or a sponsored link they are instead redirected to a foreign site, so the hijacker can monetize the fraudulent clicks via a traffic broker.
These middlemen then sell stolen or hijacked traffic back to legitimate Internet firms!
One traffic broker, Onwa Ltd. from St Petersburg, Russia, is clearly in on the scam: it develops "back-end software for obscure, fake search engines that form a facade for click-fraud", software that has no legitimate purpose whatsoever.
Onwa, which has been trading for the past five to six years and operates shell companies in the U.K. and the Seychelles Islands, also maintains its own infrastructure for spoofed Google websites, Trend Micro adds.
Legitimate traffic brokers have also been defrauded in the scheme, through fake search sites that act as intermediaries for traffic actually generated via click fraud from compromised PCs and servers. The Alexa ratings of these sites are sometimes artificially inflated using bots to make them appear more trustworthy.
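The redirect pattern described above (a search-result click that leaves the search engine, bounces through a fake search site and a traffic broker, and only then lands on the advertiser) is visible in outbound proxy logs. The following is an added example of a small log analyser from a defender's point of view; it is not Trend Micro's tooling or anything from the original report. It assumes a simplified, constructed log format (timestamp, client, status, URL, referer, Location header) and uses placeholder hostnames under `.example`; the set of hosts a click is allowed to pass through for each search engine is also an assumption a real deployment would maintain itself.

```python
"""Flag search-result clicks that pass through an unexpected redirect hop."""
from urllib.parse import urlsplit

# Hosts a click from each search engine may legitimately pass through:
# the results page itself and the engine's own click-tracking host.
# Assumption for this example; maintain your own list in practice.
SEARCH_ENGINES = {
    "search.yahoo.com": {"search.yahoo.com", "r.search.yahoo.com"},
    "www.google.com": {"www.google.com", "google.com"},
}

# Constructed proxy log: "timestamp client status url referer location"
# ("-" means the field is absent). First client: normal click via the
# engine's tracker. Second client: click hijacked through a fake search
# host and a traffic broker before reaching the advertiser.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 200 https://search.yahoo.com/search?p=shoes - -
10:00:04 10.0.0.5 302 https://r.search.yahoo.com/_ylt=abc/RU=https://shoes-shop.example/ https://search.yahoo.com/search?p=shoes https://shoes-shop.example/
10:00:05 10.0.0.5 200 https://shoes-shop.example/ https://search.yahoo.com/search?p=shoes -
10:05:01 10.0.0.9 200 https://search.yahoo.com/search?p=laptops - -
10:05:02 10.0.0.9 302 https://click.fakesearch.example/go?q=laptops https://search.yahoo.com/search?p=laptops https://feed.broker.example/r?id=42
10:05:03 10.0.0.9 302 https://feed.broker.example/r?id=42 https://search.yahoo.com/search?p=laptops https://laptops-shop.example/
10:05:04 10.0.0.9 200 https://laptops-shop.example/ https://search.yahoo.com/search?p=laptops -
"""


def parse_log(text):
    """Turn the constructed log text into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer, location = line.split()
        records.append({
            "ts": ts, "client": client, "status": int(status), "url": url,
            "referer": None if referer == "-" else referer,
            "location": None if location == "-" else location,
        })
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def follow_chain(records, start):
    """Walk 3xx responses for one client; return visited indices and hosts."""
    indices, hops, i = [], [], start
    while i is not None:
        rec = records[i]
        indices.append(i)
        hops.append(host_of(rec["url"]))
        if not (300 <= rec["status"] < 400) or rec["location"] is None:
            break
        target, client = rec["location"], rec["client"]
        # The next request from the same client for the Location URL.
        i = next((j for j in range(i + 1, len(records))
                  if records[j]["client"] == client
                  and records[j]["url"] == target), None)
    return indices, hops


def find_hijacked_clicks(records):
    """Return clicks that left a results page via a host the engine does not own."""
    findings, consumed = [], set()
    for i, rec in enumerate(records):
        if i in consumed or not rec["referer"]:
            continue
        engine = host_of(rec["referer"])
        if engine not in SEARCH_ENGINES:
            continue
        first_hop = host_of(rec["url"])
        # A legitimate click lands on the destination directly (2xx) or
        # bounces once through the engine's own click tracker. A 3xx from
        # any other host is an intermediary inserted into the click.
        if 300 <= rec["status"] < 400 and first_hop not in SEARCH_ENGINES[engine]:
            indices, hops = follow_chain(records, i)
            consumed.update(indices)
            findings.append({"client": rec["client"], "engine": engine,
                             "hops": hops})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_clicks(parse_log(SAMPLE_LOG)):
        print(f["client"], "left", f["engine"], "via", " -> ".join(f["hops"]))
```

Run over real proxy data, the interesting output is the set of intermediary hosts that recur across many clients: those are the candidate fake search sites and brokers worth blocking at the proxy, and the clients that produced them are the machines to check for the hijacker.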
Browser hijacking is exactly the sort of behavior that prompts end users to clean up their PCs, so the typical click bot has a life expectancy of just five or six days at most. The crooks compensate for this short life by constantly infecting new systems.
Since mid-July, more than two million computers have been infected with the browser hijacker so far in 2010, and Trend Micro expects this to reach as many as four or even five million computers by the end of the year.
"For example, we have seen that Yahoo search result clicks were resold back to Yahoo via an intermediate and bogus traffic broker. In another example, stolen Google clicks were resold to LookSmart," Trend Micro researcher Feike Hacquebord said.
These browser hijackers come with an added DNS component. Every day, the illicit group releases new malware samples that change systems' DNS settings to a unique pair of foreign servers. The cybercrooks use networks of multiple servers, hosted in various data centres around the world, to pull off this part of the scheme.
Even after the browser hijacker component is purged from an infected machine, the DNS changer can remain active, so hijacking traffic remains possible and the lifespan of the bots is extended.
Once the rogue DNS component is activated, the botnet replaces DoubleClick code with Clicksor ads, a form of stealth click-fraud script that is difficult, but not impossible, to detect, according to Trend Micro.
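Because each daily sample points victims at its own pair of foreign resolvers, and the DNS changer outlives the browser component, a fleet-wide comparison of configured resolvers is a cheap way to find machines that were cleaned of the hijacker but not of the DNS changer. The following is an added example of such a check, not Trend Micro's tooling; it assumes a constructed inventory (hostname to the resolvers configured on that endpoint) of the kind an endpoint agent or a login script might report, an organisation whose own resolvers are `10.1.0.53` and `10.1.1.53`, and uses only private and documentation address ranges as stand-ins.

```python
"""Rank endpoints by how far their DNS resolvers drift from the expected set."""
import ipaddress
from collections import Counter

# Resolvers the organisation operates (assumption for this example).
EXPECTED_RESOLVERS = {"10.1.0.53", "10.1.1.53"}

# Address space considered "ours"; anything else is a foreign resolver.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: hostname -> resolvers as configured on the host.
# ws-003 / ws-004 each point at a pair of foreign addresses nobody else
# uses (the pattern a per-sample DNS changer leaves behind); ws-007 and
# ws-008 share a foreign pair; ws-005 merely has a home-router resolver.
SAMPLE_INVENTORY = {
    "ws-001": ["10.1.0.53", "10.1.1.53"],
    "ws-002": ["10.1.0.53", "10.1.1.53"],
    "ws-003": ["203.0.113.17", "203.0.113.18"],
    "ws-004": ["198.51.100.7", "198.51.100.8"],
    "ws-005": ["10.1.0.53", "192.168.50.2"],
    "ws-006": ["10.1.0.53", "10.1.1.53"],
    "ws-007": ["203.0.113.200", "203.0.113.201"],
    "ws-008": ["203.0.113.200", "203.0.113.201"],
}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def resolver_population(inventory):
    """How many hosts use each resolver; a changer's pair is usually unique."""
    return Counter(r for resolvers in inventory.values() for r in resolvers)


def assess(inventory):
    """Return {host: {"severity", "unexpected"}} for every drifted host.

    high   - every resolver is foreign and used by this host alone
             (the unique-foreign-pair pattern).
    medium - at least one foreign resolver, but shared with other hosts.
    low    - unexpected resolvers that are still inside our own networks.
    """
    counts = resolver_population(inventory)
    findings = {}
    for host, resolvers in inventory.items():
        unexpected = [r for r in resolvers if r not in EXPECTED_RESOLVERS]
        if not unexpected:
            continue
        foreign = [r for r in unexpected if not is_internal(r)]
        unique = [r for r in foreign if counts[r] == 1]
        if len(unique) >= 2 and len(unique) == len(resolvers):
            severity = "high"
        elif foreign:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {"severity": severity, "unexpected": unexpected}
    return findings


if __name__ == "__main__":
    for host, f in sorted(assess(SAMPLE_INVENTORY).items(),
                          key=lambda kv: kv[1]["severity"]):
        print(f"{host}: {f['severity']:6} {', '.join(f['unexpected'])}")
```

The "unique pair" heuristic is what separates this changer from ordinary misconfiguration: a public resolver chosen by a user tends to appear on many machines, whereas a pair seen on exactly one host and matching nothing the organisation runs is the signature described in the report. The same comparison can be run against DHCP-assigned values if the agent reports both.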
Sancho indicated that Trend Micro had passed a file on the illicit bot network to law enforcement authorities, but declined to discuss where any investigation might be heading at this time.
We will keep you posted on this, and other Internet security news as they happen.
Source: Trend Micro.