Click Fraud Trojan Targets Google, Yahoo
Top search engines Google, Yahoo, along with China’s Baidu, received attention from the ongoing work of click fraudsters distributing a Trojan to boost ad click revenue.
A continuing process of nearly daily updates keeps one Trojan in demand from scammers determined to rip off revenue sharing programs like AdSense.
The Trojan described by security vendor Symantec drops several files and a browser helper object onto a PC. Periodically, the browser helper object opens URLs tied to affiliate IDs at search engines, or performs searches for certain keywords.
Either way, the Trojan helps the affiliate earn clicks, leading to revenue. Symantec identified several dishonest affiliates based on configuration files downloaded by the Trojan; URLs for Google and Baidu were among the ones discovered as well.
“We can tell the authors of Trojan.Trafbrush consist of a well managed team. For their hard work, they must be paid well by their affiliates and the affiliates must deem it worthwhile,” Symantec researcher Chen Yu wrote.
Cybersquatting and Abuse to Mainstream Consumer Brands Intensified in 2007
MarkMonitor®, the global leader in enterprise brand protection, today released the company’s latest Brandjacking Index™, which finds that cybersquatting is the most common form of brand abuse—with a 33 percent jump in one year—and that brandjackers are abusing an expanding range of brands that consumers use every day. The report also shows recent and significant drops in domain kiting and related pay-per-click fraud, indicating that aggressive legal action on the part of brandholders as well as ICANN scrutiny are proving effective in deterring specific brandjacking techniques. In addition, phishing techniques and targets continued in 2007 to evolve with a 533% increase in phish attacks against the retail and services sector.
Report: Web browsers under siege from organised crime
IBM today released the findings of the 2007 X-Force Security report, detailing a disturbing rise in the sophistication of attacks by criminals on Web browsers worldwide. According to IBM, by attacking the browsers of computer users, cybercriminals are now stealing the identities and controlling the computers of consumers at a rate never before seen on the Internet.
The study finds that a complex and sophisticated criminal economy has developed to capitalise on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007, and reached nearly 100 percent by the end of the year. The X-Force believes the criminal element will contribute to a proliferation of attacks in 2008.
Using these techniques, cybercriminals can infiltrate a user’s system and steal their IDs and passwords or obtain personal information like National Identification numbers, Social Security numbers and credit card information. When attackers invade an enterprise machine, they could steal sensitive company information or use the compromised machine to gain access to other corporate assets behind the firewall.
Flash Attack Could Take Over Your Router
The code, published over the weekend by researchers Adrian Pastor and Petko Petkov, exploits features in two technologies: The Universal Plug and Play (UPnP) protocol, which is used by many operating systems to make it easier for them to work with devices on a network; and Adobe Systems’ Flash multimedia software.
By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS (Domain Name System) server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker’s Web server, even if he typed Citibank.com directly into the Web browser navigation bar.
“The most malicious of all malicious things is to change the primary DNS server,” the researchers wrote. “That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it.”
Expedia.com, Rhapsody.com serving up malicious code
Legitimate Web sites are increasingly becoming unwitting sources of malware. Security experts report that Expedia.com and Rhapsody.com today have been serving up banner ads that attempt to get visitors to download fake antispyware, while embassy Web sites in Ukraine and Russia have also been spewing out attack code this week.
“Expedia and Rhapsody are both serving up Shockwave ads with malicious code,” says Jamz Yaneza, research project manager at Trend Micro, which has shared its findings with both online e-commerce companies.
At Expedia.com, a banner with malware dubbed SNF_ADHIJACK.A has tried to direct anyone who clicks on it to a site to install a Trojan called TROJ_GIDA.A, Yaneza says.
“These Shockwave banner ads being served are malicious,” says Yaneza, who notes that the content banner may appear to be from a legitimate source.
Click Fraud: A Double Threat
How can advertisers actually begin to help networks stamp out the problems of click fraud? The CEO of ClickFacts shares his answers.
In recent months click fraud has taken an insidious turn, expanding from a marketer’s nightmare to one that threatens anyone unlucky enough to click on the wrong search ad or land on a compromised web page. Fraudsters now embed malicious programs right into landing pages, banners and PPC ads delivered via ad networks like Google and Yahoo! and even hijack entire brands through ‘redirects’, which spoof legitimate pages but are full of malicious content. Brands victimised by these attacks suffer immediate financial damage to their campaigns, loss of customers and, worse yet, damage to their hard-earned reputations as a result.
As if that wasn’t enough, advertisers are still vexed by a near total lack of visibility into the actual performance of their PPC campaigns. None of the major ad networks release the necessary information to help advertisers tweak their campaigns for the best returns, and more often than not click fraud becomes a ‘write off’. And there is zero transparency and accountability in regard to the performance of affiliate networks — so advertisers just do not know where (or even if) their ads are being shown. Of course, many don’t care so long as they see a return, but those worried about brand image wouldn’t want their ads to appear on pages with questionable content, and even fewer advertisers want to be associated with adware, spyware and popups. This double threat — brand equity lost to the ravages of malware and a complete lack of campaign accountability — still makes PPC campaigns risky business for brand marketers.
Save $11.6B With These Click Fraud Safety Nets
As malware and other cyberfraud technologies become more insidious, marketers stand to lose not just money but consumer trust as well. ClickFacts’ CEO explains what’s hurting the PPC industry and how to fight back.
Imagine every time you launch a browser to conduct a search you receive the following message: “Warning: searching online may result in the loss of personal information and even your identity. Proceed at your own risk.”
While this isn’t our reality yet, these flags might become commonplace if a growing crowd of sophisticated, unscrupulous fraudsters get their way.
The future of online commerce continues to get brighter, but is also being threatened. Research firm comScore recently released its ecommerce update for the first 51 days of the 2007 holiday season (November 1 – December 21) and marked a 19 percent increase over 2006 numbers for the same period — from $22 to $26.29 billion. Clearly, people are flocking to the web to do their business. The online channel’s fast growth is a tremendous validation for online advertising, but also an opportunity for fraudsters to exploit audiences built through paid search campaigns — the primary method by which consumers find what they need online. By 2010 — just two short years from now — paid search, or pay-per-click (PPC), will be a $60 billion industry (IAB/PWC 2006). But fraud losses in the same period are predicted to surge to $11.6 billion (Trend Micro). So it should come as no surprise to see click fraud keeping pace by evolving beyond robbing marketing budgets to robbing consumers of their identities as well.
Hackers Turn Cleveland Into Malware Server
The Register - London, England, UK
Tens of thousands of websites belonging to Fortune 500 corporations, state government agencies and schools have been infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit the destinations, security researchers say.
At time of writing, more than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the uc8010-dot-com domain, according to this search. Security company Computer Associates was infected at one point, as were sites belonging to the state of Virginia, the city of Cleveland and Boston University.
“This is a wide variety of sites that have been impacted,” said Mary Landesman, a researcher for ScanSafe, a company that provides real-time information to clients about malicious sites. “It’s a real in-your-face example of what we see every day. It’s really time for companies that have a vested interest in a web presence to take a hard look at what their security posture is.”
Malicious hackers were able to breach the sites by exploiting unpatched SQL injection vulnerabilities that resided on the servers, according to Johannes Ullrich, CTO for the SANS Internet Storm Center. The injections included JavaScript that redirected end users to the rogue site, which then attempted to exploit multiple vulnerabilities to install key-logging software that stole passwords for various online games, he and other researchers said.
FTC Releases Behavioral Advertising Guidelines
The agency recommends that companies that track consumers’ online activities provide an opt-out option.
Although the Federal Trade Commission did not discuss privacy issues in its approval of the $3.1 billion Google-DoubleClick merger, the agency still has plenty to say to the advertising community about data collection and consumer privacy.
In hopes of setting the pace for a self-regulatory privacy regime for companies that track consumer online activities, the FTC Dec. 20 released a set of proposed principles for companies like Google, Yahoo and MSN that track consumers’ online activities.
Known as behavioral advertising, the practice includes tracking and storing searches the consumer has conducted, Web pages visited and content viewed. The collected information is used to deliver advertising targeted to the individual consumer’s interests.
DoubleClick Serves Up Vast Malware Blitz
On Nov. 12, Web sites’ marketing professionals were flooding industry e-mail lists with reports of complaints from readers that they have been receiving inappropriate ads. Marketing professionals have complained of their ad servers being “hijacked” at sites, including The Wall Street Journal, Discovery and BizJournals. It’s not that the servers have been hijacked, Harvey said, but rather that a toolbar or some other mechanism is overlaying the intended ad with inappropriate content.
“It looks like we are all in the same boat,” one marketer said in a message to the mailing list.
Another marketer said his company had already shut down one of its networks that was devoted to serving up ads and had suspended all third-party ads on another site.

