Rogueware adopts SEO, nets more money for cybercriminals

Cybercriminal gangs spreading rogue anti-virus via affiliate networks are netting as much as $10,800 a day, according to the Cybercrime Intelligence Report released Monday by security firm Finjan. 

The report details how the criminal server it investigated compromised legitimate websites by injecting search engine optimization (SEO)-targeted terms, such as repetitive popular search keywords containing minor typos – for example, "Gogle," "mobile fone" or "Obbama." After search engines indexed these pages, they were displayed as top search results.

“Subsequently, the traffic volume to these compromised websites increased significantly, luring masses of potential buyers to the 'rogueware' offering,” the report stated.

This strategy resulted in nearly half a million Google searches leading to compromised sites, according to statistics found on the server during Finjan's 16-day research. Members of the affiliate network using the SEO strategy were rewarded for each successful redirection with 9.6 cents “a piece.” With 1.8 million unique users redirected to the rogue anti-virus software during that time, the network affiliate earned $172,800, or $10,800 per day.

One example of this type of operation is TrafficConverter2[dot]biz, which apparently has closed its doors following reports last week by Brian Krebs in his Security Fix column of The Washington Post. Considered one of the leading affiliate programs, the site paid people to distribute relatively worthless security software, such as Antivirus2009 and Antivirus360. With the affiliate scam, each click-through garners commissions for spreading the "scareware" products.

As explained by Mikko Hypponen, chief researcher of F-Secure, on the security company's blog, the site worked like this: TrafficConverter2[dot]biz develops a rogue anti-virus product. This product purports to find viruses even on clean systems. However, the tool won't resolve the problem unless the user registers the product.

TrafficConverter2[dot]biz, Hypponen explained, does not market its software. Instead, all the marketing is done through affiliate networks. These affiliate networks run on botnets consisting of thousands of infected computers, which remotely install the rogue products on victims' computers.

End users are then presented with pop-up warnings about viruses on their computers and are intimidated into registering the rogue pay-per-install program for $50 to "fix" their machine. Affiliates get $30 per customer; TrafficConverter2[dot]biz gets $20.

As a result of Krebs' article exposing the questionable tactics of TrafficConverter2[dot]biz, MasterCard and Visa stopped processing payments issuing from the site, causing it to shut down.
