Rogueware adopts SEO, nets more money for cybercriminals

Cybercriminal gangs spreading rogue anti-virus via affiliate networks are netting as much as $10,800 a day, according to the Cybercrime Intelligence Report released Monday by security firm Finjan. 

The report details how the criminal server it investigated compromised legitimate websites by injecting search engine optimization (SEO)-targeted terms, such as repetitive popular search keywords containing minor typos – for example, "Gogle," "mobile fone" or "Obbama." After search engines indexed these pages, they were displayed as top search results.

“Subsequently, the traffic volume to these compromised websites increased significantly, luring masses of potential buyers to the 'rogueware' offering,” the report stated.

This strategy resulted in nearly half a million Google searches leading to compromised sites, according to statistics found on the server during Finjan's 16-day research. Members of the affiliate network using the SEO strategy were rewarded for each successful redirection with 9.6 cents “a piece.” With 1.8 million unique users redirected to the rogue anti-virus software during that time, the network affiliate earned $172,800, or $10,800 per day.

One example of this type of operation is TrafficConverter2[dot]biz, which apparently has closed its doors following reports last week by Brian Krebs in his Security Fix column of The Washington Post. Considered one of the leading affiliate programs, the site paid people to distribute relatively worthless security software, such as Antivirus2009 and Antivirus360. With the affiliate scam, each click-through garners commissions for spreading the "scareware" products.

As explained by Mikko Hypponen, chief researcher of F-Secure, on the security company's blog, the site worked like this: TrafficConverter2[dot]biz develops a rogue anti-virus product. This product purports to find viruses even on clean systems. However, the tool won't resolve the problem unless the user registers the product.

TrafficConverter2[dot]biz, Hypponen explained, does not market its software. Instead, all the marketing is done through affiliate networks. These affiliate networks run on botnets consisting of thousands of infected computers, which remotely install the rogue products on victims' computers.

End users are then presented with warning pop-up messages about viruses on their computers and are intimidated into registering the rogue pay-per-install program for $50 to "fix" their machine. Affiliates get $30 per customer; TrafficConverter2[dot]biz gets $20.

As a result of Krebs' article exposing the questionable tactics of TrafficConverter2[dot]biz, MasterCard and Visa stopped processing payments issuing from the site, causing it to shut down.
