Rogueware adopts SEO, nets more money for cybercriminals

Cybercriminal gangs spreading rogue anti-virus via affiliate networks are netting as much as $10,800 a day, according to the Cybercrime Intelligence Report released Monday by security firm Finjan. 

The report details how the criminal server it investigated compromised legitimate websites by injecting search engine optimization (SEO)-targeted terms, such as repetitive popular search keywords containing minor typos – for example, "Gogle," "mobile fone" or "Obbama." After search engines indexed these pages, they were displayed as top search results.

“Subsequently, the traffic volume to these compromised websites increased significantly, luring masses of potential buyers to the 'rogueware' offering,” the report stated.

This strategy resulted in nearly half a million Google searches leading to compromised sites, according to statistics found on the server during Finjan's 16-day research. Members of the affiliate network using the SEO strategy were rewarded for each successful redirection with 9.6 cents “a piece.” With 1.8 million unique users redirected to the rogue anti-virus software during that time, the network affiliate earned $172,800, or $10,800 per day.

One example of this type of operation is TrafficConverter2[dot]biz, which apparently has closed its doors following reports last week by Brian Krebs in his Security Fix column of The Washington Post. Considered one of the leading affiliate programs, the site paid people to distribute relatively worthless security software, such as Antivirus2009 and Antivirus360. With the affiliate scam, each click-through garners commissions for spreading the "scareware" products.

As explained by Mikko Hypponen, chief researcher of F-Secure, on the security company's blog, the site worked like this: TrafficConverter2[dot]biz develops a rogue anti-virus product. This product purports to find viruses even on clean systems. However, the tool won't resolve the problem unless the user registers the product.

TrafficConverter2[dot]biz, Hypponen explained, does not market its software. Instead, all the marketing is done through affiliate networks. These affiliate networks run on botnets consisting of thousands of infected computers, which remotely install the rogue products on victims' computers.

End-users are then presented with warning pop-up messages about viruses on their computers and are intimidated into registering the rogue pay-per-install program for $50 to "fix" their machine. Affiliates get $30 per customer, and TrafficConverter2[dot]biz gets $20.

As a result of Krebs' article exposing the questionable tactics of TrafficConverter2[dot]biz, MasterCard and Visa stopped processing payments issuing from the site, causing it to shut down.
