Rogueware adopts SEO, nets more money for cybercriminals

Cybercriminal gangs spreading rogue anti-virus via affiliate networks are netting as much as $10,800 a day, according to the Cybercrime Intelligence Report released Monday by security firm Finjan. 

The report details how the criminal server it investigated compromised legitimate websites by injecting search engine optimization (SEO)-targeted terms, such as repetitive popular search keywords containing minor typos – for example, "Gogle," "mobile fone" or "Obbama." After search engines indexed these pages, they were displayed as top search results.

“Subsequently, the traffic volume to these compromised websites increased significantly, luring masses of potential buyers to the 'rogueware' offering,” the report stated.

This strategy resulted in nearly half a million Google searches leading to compromised sites, according to statistics found on the server during Finjan's 16-day research. Members of the affiliate network using the SEO strategy were rewarded for each successful redirection with 9.6 cents “a piece.” With 1.8 million unique users redirected to the rogue anti-virus software during that time, the network affiliate earned $172,800, or $10,800 per day.

One example of this type of operation is TrafficConverter2[dot]biz, which apparently has closed its doors following reports last week by Brian Krebs in his Security Fix column of The Washington Post. Considered one of the leading affiliate programs, the site paid people to distribute relatively worthless security software, such as Antivirus2009 and Antivirus360. With the affiliate scam, each click-through garners commissions for spreading the "scareware" products.

As explained by Mikko Hypponen, chief researcher of F-Secure, on the security company's blog, the site worked like this: TrafficConverter2[dot]biz develops a rogue anti-virus product. This product purports to find viruses even on clean systems. However, the tool won't resolve the problem unless the user registers the product.

TrafficConverter2[dot]biz, Hypponen explained, does not market its software. Instead, all the marketing is done through affiliate networks. These affiliate networks run on botnets consisting of thousands of infected computers, which remotely install the rogue products on victims' computers.

End-users are then presented with warning pop-up messages about viruses on their computers and are intimidated into registering the rogue pay-per-install program for $50 to "fix" their machine. Affiliates get $30 per customer; TrafficConverter2[dot]biz gets $20.

As a result of Krebs' article exposing the questionable tactics of TrafficConverter2[dot]biz, MasterCard and Visa stopped processing payments issuing from the site, causing it to shut down.
