In a new cyber-crime report, security vendor Finjan found a traffic management server that showed a ring of cyber-crooks redirected 1.8 million users to a site that installed rogue anti-virus over the course of two weeks, raking in an average of $10,800 a day. There are several groups involved in similar schemes, Finjan reports.
The stock market may be struggling, but the market for purveyors of rogue anti-virus is going strong.
In a report, researchers at Finjan offered a peek into the
inner-workings of the market for rogue anti-virus. The company
focused on a group of cyber-crooks running a rogueware
affiliate network that hauled in an average of $10,800 a
day in profits.
The affiliate network is divided into two teams, one responsible for
compromising legitimate Websites and injecting Web pages with popular
keywords and typos. These pages redirect users to Websites owned by
Team B, which tries to install the rogue AV on the user's desktop.
"Team B pays Team A for every user Team A manage to redirect to Team B Website," explained Finjan CTO Yuval Ben-Itzhak.
The profits can be impressive. A look at a traffic management server
based in the Ukraine found 1.8 million users were redirected to the
rogue anti-virus software site during a 16-day period. The installation
rates varied from 7 percent to as high as 12 percent. Some 1.79
percent of the victims who installed the AV paid $50 for the fake
software, with 58 to 90 percent flowing back to the network.
The group behind this operation relied heavily on search engine optimization
Fellow security vendors Symantec and McAfee have found similar
SEO-poisoning techniques being used in malware campaigns, and said the
trend has been increasing since the beginning of the year.
To further improve their chances of placing high in a search, the
hackers inserted SEO targeted pages to compromised Websites. According
to Finjan, the injected pages were actually PHP scripts dynamically
generating search keywords with typos and popular terms. The script is
based on a parameter passed in the URL,
hxxp://[compromised-domain]/talk/page.php?id=1503. Each of the
dynamically generated pages was linked to other dynamically generated
pages to increase the probability the search engine would index even
more keywords for the compromised sites.
The end result was users searching for popular keywords (with or
without typos) on search engines were sometimes directed to a malicious
page that tried to install the rogueware on their PCs.
"In the last two months we have seen these SEO techniques a
lot," Ben-Itzhak said. "It is happening on legit Websites that
were compromised and fill the Web page with keywords. These pages trick
the search engine spider."
"I believe there are a few dozen groups doing that today," the
CTO continued. "Having the great numbers they make, the number of
groups increase and their techniques are improving."