Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Used To Launch Yahoo IM Clickfraud

Posted by ryuzaki0 on from the botless-botnets dept.

An anonymous reader writes, "There's a new Instant Messaging worm in the wild that is taking the idea of Botnet clickfraud up a level. It trades in automated drones (prone to malfunction and detection) for real live people who (of course) have the option of not actually clicking anything, thus theoretically making their clicks harder to identify as 'fraudulent.' This IM attack doesn't even need a victim to physically run anything to become infected — simply visiting a certain site in Internet Explorer will cause the files to download and start sending infection messages. At this point, their homepage is changed to a site using Mesothelioma (a rare form of cancer) to ring up high-paying results on the perpetrators' Google ads. As the researcher who discovered the infection notes, 'It's way, way harder to trace some random boob who has a ton of (partially) unconnected people shunting IM links all over the place. Try staying anonymous as a Botnet owner who just had the entire details of his server splattered across the net by Shadowserver. What will be interesting to see is if some of the smaller Botnet guys ditch their technical woes and jump on the much-easier-to-maintain IM bandwagon to get their clickfraud kicks.'"

57 of 76 comments (clear)

  1. What? by I'm+Don+Giovanni · · Score: 5, Funny

    Can someone translate the summary into English?

    --
    -- "I never gave these stories much credence." - HAL 9000
    1. Re:What? by Frizzle+Fry · · Score: 5, Funny

      I gave up at the point where my homepage gets changed to a kind of cancer.

      --
      I'd rather be lucky than good.
    2. Re:What? by LiquidCoooled · · Score: 1

      I would hope the researcher doesn't have google ads enabled otherwise we are the infectious problem.
      I hope all self respecting slashdotters resisted the urge to RTFA in this case...

      --
      liqbase :: faster than paper
    3. Re:What? by Blakey+Rat · · Score: 5, Funny

      You got further than I did. I'm hung up at the second sentence.

      It trades in automated drones (prone to malfunction and detection) for real live people who (of course) have the option of not actually clicking anything, thus theoretically making their clicks harder to identify as 'fraudulent.'

      Of course when you write (of course) with constant parenthetical statements (prone to misunderstandings and pointless complication) in the sentence, then use single-quotes for (apparently) 'no' reason, how could you (not you specifically, but 'you' in the general case) possibly understand it?

      --
      Comment of the year
    4. Re:What? by hdparm · · Score: 1, Informative

      I thought self respecting slashdotters don't use web browser in question.

    5. Re:What? by icepick72 · · Score: 2, Interesting

      I'm so relieved this self-help thread exists. I cannot understand a damn thing that article is saying. I'm not alone (;_;) To hell with it, I'm waiting for the next story. No comment.

    6. Re:What? by sidb · · Score: 4, Funny

      I'm glad I wasn't the only one to have that reaction to the atrocious writing. I actually did a mental double check that it wasn't April 1. Clearly, this post was submitted by an automated drone and then machine translated through several different languages to mask its true origin. Fortunately, I am onto the evil botmaster and have no intention to RTFA or click anything.

    7. Re:What? by J44xm · · Score: 1

      No, no, I fear you've misunderstood the author's words. You see, your homepage gets changed to a site that USES that form of cancer, not into cancer itself. I think we'll both agree that transforming a homepage INTO cancer is, at best, a preposterous idea. I believe that, once you understand this, the rest of the summary will become perfectly understandable, if not rather eloquent in its labyrinthine beauty.

      Whatever the case, it's clear that we, as a global society, have greatly underestimated the horror that is cancer and also its far-reaching effects. There is no patch for cancer.

    8. Re:What? by vilms · · Score: 1, Funny

      hmm, I never ever RTFA, but this is the first time a lead-in has got me stumped. Or maybe I'm getting old.
      *inserts toast into Betamax VCR and continues regardless*

    9. Re:What? by sootman · · Score: 1

      You guys made it to the summary? I'm still counting the buzzwords in the title.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  2. Huh? by scott666 · · Score: 2, Funny
    At this point, their homepage is changed to a site using Mesothelioma (a rare form of cancer) to ring up high-paying results on the perpetrators' Google ads.
    Wow. I had no idea there was a rare form of cancer that could change your homepage. It must be very rare indeed!

    Seriously though, what the hell does that sentence mean?
    --
    Thank you for helping us help you help us all.
    1. Re:Huh? by manastungare · · Score: 5, Informative

      At this point, their homepage is changed to a site using^H^H^H^H^H about Mesothelioma (a rare form of cancer) to ring up high-paying results on the perpetrators' Google ads. High-paying, because mesothelioma is an uncommon word.

    2. Re:Huh? by Software · · Score: 5, Informative
      No, "mesothelioma" is high-paying because it's only caused by exposure to asbestos. Therefore, plaintiff's lawyers have determined that anybody searching for it probably has the disease and therefore the ability to win a case against the asbestos manufacturers. The lawyer will, of course, get a nice cut of that (tens or hundreds of thousands of dollars). So the searchers and their clicks are very valuable to plaintiff's lawyers. One estimate I heard was that AdSense links for mesothelioma were going for about $50, if you wanted a decent position.

      If you want to screw over some lawyers and Google, search for mesothelioma and click on the AdSense links.

    3. Re:Huh? by Lehk228 · · Score: 1

      doesn't screw ovewr google. they get paid for the clicks. they also pay some of that to hosting web sites, unless the clicks are from the google search results page itself.

      --
      Snowden and Manning are heroes.
    4. Re:Huh? by Anonymous Coward · · Score: 5, Informative

      Google does offer a public tool for estimating cost-per-click and position based on keyword, match type, and maximum bid. Toying with it...

      For 'mesothelioma', Exact Match, the current estimate seems to be that a max bid of $100/click will normally land one in position 1-3 and cost $44.23/click -- which is very, very good. It's not the highest I've seen (and there are ones that have both significantly higher CPC and probably a much higher clickthrough rate given greater applicability, judging from some experimentation... but I'm not here to help the click-spammers increase their take), but it's up there.

    5. Re:Huh? by Carthag · · Score: 1

      Thanks. Your post was more informative than the entire article summary.

  3. Un-believable... by StressGuy · · Score: 1

    To the person that modded this "flamebait", you do realize I was just playing on the sentance structure, right?

    Oh well, I've had smart-assed comments modded "insightful" before as well....that's karma ;)

    --
    A goal is a dream with a deadline
  4. "Anonymous reader" should stick to reading! by Chuck+Chunder · · Score: 1

    Or at least should anonymously read what they write before they anonymously submit it.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  5. at least the Mesothelioma example targets lawyers by klenwell · · Score: 2, Funny

    As history illustrates the litigation around this type of cancer can net high returns for lawyers and those seeking damages- however these cases are rare. Thus the cost-per-click (CPC) can range quite a bit on bidding networks seeking these large litigation rewards. The bids may range from $4.00 to $13.00 per click and higher. This makes it a prime target for malware authors and worm writers who setup systems to either force or set-up a system to maximize clicks to these high paying keywords in order to gain their fee split.

    Maybe they'll be inspired to stop chasing ambulences -- or, in this case, sufferers of "a rare form of cancer (about 1 in 1,000,000)" -- and start chasing botnet operators.

    --
    Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
  6. without RTFA... by tygt · · Score: 2, Informative

    Without RTFA, and thus most likely wrong, but someone feeling right, I think that what's up is that it pops open an IE with links that are just begging to be clicked, and when you do, they get their money. Of course, the user may not actually click anything, but if they're like the lusers I've seen too much of, they'll go "huh, what's that" and cha-ching...

  7. Mesothelioma ads = gold mine for hucksters by davidwr · · Score: 5, Informative

    For those who didn't RTFA, here's another summary:

    You get an infected Yahoo IM. In addition to propogating, it turns your IE home page into an ad-filled page. The ad page works like Google's adsense, only in this case instead of Google paying a legitimate web site when people click-through the ad, Google or some other company winds up paying the scammer or his cronies.

    Because of the way it works it's a lot harder to detect than automated fraud or paid-human click fraud. Because the end user will likely click on the ad only if he's actually interested in it, the company that originated the ad might not even consider it fraud - he's just found a live potential client.

    What makes it fraud is that the end user's web page has been hijacked. In other words - it's spyware/adware.

    Workaround: Don't use IE, and use a malware-detector that detects and blocks Yahoo IM Malware.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Mesothelioma ads = gold mine for hucksters by daviddennis · · Score: 1

      I've never really understood the psychology of this, since if I saw a page like the one linked in the article, I would just close it without clicking on anything, since none of it was of interest to me.

      But I understand some people will just click out of curiosity and then - BANG! - the virus writer's got real money in his pocket.

      D

    2. Re:Mesothelioma ads = gold mine for hucksters by fotbr · · Score: 1

      Simpler solution:

      Don't click random links or run random crap you get via IM.

      Still dump IE though.

    3. Re:Mesothelioma ads = gold mine for hucksters by Firehed · · Score: 1

      If only you weren't preaching to the choir here, the internet would be a much better place. Telling a Slashdotter to dump IE is about as useful as telling a store owner to open his store - it's just a given. If only the people dumb enough to do those things in the first place listened to (err... read) the thousands upon thousands of sites doing the same thing, the problem wouldn't exist. Can't teach a dumb dog obvious tricks, I guess.

      --
      How are sites slashdotted when nobody reads TFAs?
    4. Re:Mesothelioma ads = gold mine for hucksters by emlyncorrin · · Score: 1
      I've never really understood the psychology of this [...] But I understand some people will just click out of curiosity [...]
      So you have understood it.
    5. Re:Mesothelioma ads = gold mine for hucksters by fotbr · · Score: 1

      Oh I know.....I know....

      I was just making sure I wasn't going to get flamed for NOT taking the opportunity to bash IE. :)

  8. what the...? by User+956 · · Score: 2, Funny

    At this point, their homepage is changed to a site using Mesothelioma (a rare form of cancer) to ring up high-paying results on the perpetrators' Google ads.

    WTF? This worm gives your computer cancer?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:what the...? by jon_joy_1999 · · Score: 1

      no no no.. you got it all wrong. your computer gives YOU cancer

      --
      there are 10 types of people in this world; those who get this joke, and those who don't
    2. Re:what the...? by Anonymous Coward · · Score: 2, Funny

      WTF? This worm gives your computer cancer?

      It can remotely install Windows on it without asking???

  9. Just another example ... by zappepcs · · Score: 4, Informative

    Just another example of clever people taking advantage of anyone that is unfortunate enough to not know to click on unwanted popup things that ask them to click here, or enter your financial information etc.

    The internet will not be safe, ever, because of those people. Yes, "click here to win a date with name-a-rising-star" will always find its way to someone that thinks there is some remote possibility that Bill Gates will pay you to forward emails, or that a music hall-of-famer needs a date from someone just like them. The human factor in security will always be the weakest link. ALWAYS.

    --
    Support NYCountryLawyer RIAA vs People
    1. Re:Just another example ... by Otter · · Score: 2, Insightful

      ...and clickfraud at the expense of class-action lawyers trying to sue whatever is left on the skeletons of asbestos companies (who did you think had such an expensive interest in mesothelioma?), while undoubtedly Wrong, isn't high on my list of the world's problems.

      --
      What I'm listening to now on Pandora...
    2. Re:Just another example ... by suv4x4 · · Score: 1

      The internet will not be safe, ever, because of those people. Yes, "click here to win a date with name-a-rising-star" will always find its way to someone that thinks there is some remote possibility that Bill Gates will pay you to forward emails, or that a music hall-of-famer needs a date from someone just like them. The human factor in security will always be the weakest link. ALWAYS.

      You can reduce 99% of this with proper education, but why teach THIS to your kids, when you can flood them with useless /to most/ information about what kind of soil you have in every country region, and which exactly day 1000 years ago a certain thing happened.

  10. I wasn't busy at all by StressGuy · · Score: 1

    I mearly made a note of the fact that not everyone would get the meaning of the joke.

    Call it "smug" if you must, but it would appear my accessment was correct nonetheless.

    --
    A goal is a dream with a deadline
  11. Whew! by cciRRus · · Score: 2, Funny

    Good thing I'm using ICQ.

    --
    w00t
  12. Kdawson, plz to be replacing summary with parent by TheSpoom · · Score: 1

    Nough said.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  13. Sorry to ask the obvious.... by Anonymous Coward · · Score: 1, Interesting

    ...but surely google would quickly become aware of the website and cancel the google ad accounts of the sites linked from the page? Thus the scammers would get no "Step 3.... profit!!!"?

  14. [Translated Version] by Anonymous Coward · · Score: 3, Informative

    The exploit changes their homepage to some page with Google ads about mesotheleoma, and the bad guys get money from the clickfraud (people seeing impressions on an expensive Google keyword, most likely because liability lawyers are suing over it or something, and looking for people to join various class action suits where the lawyers can get big money).

  15. No, just a mis-spelling by StressGuy · · Score: 1

    I wish I understood how a simple play on words can throw you so far off the handle....perhaps you should have a beer and relax.

    --
    A goal is a dream with a deadline
  16. Re:I think you are being too hard on IE by StressGuy · · Score: 1

    Instead of "used" as in "utilized"...I intentionally mis-interpreted it as "used to" as in did so in the past.

    It was intended to be a subtle play on words, but it seems to have not had the desired effect. Perhaps I should have ended with something like this:

    {voice from crowd} ... he meant, "utilized to!"

    {me} ...oh.....nevermind....

    --
    A goal is a dream with a deadline
  17. Re:a question on "click fraud"... by generic-man · · Score: 2, Insightful

    A is paying B with the expectation that people genuinely interested in A's ad will click that ad. If C simulates clicks without even looking at the ad, A isn't getting his money's worth when he pays for his ads. Where the line between "users clicking ads without a genuine interest" and "programmatic click fraud" is drawn is still subjective, though.

    --
    For more information, click here.
  18. Easy to stop... by Anonymous Coward · · Score: 1, Insightful

    I didn't RTFA, but presumably the ads being displayed are associated with a certain Google publisher account (or a handful of them). It should be pretty easy for Google to mark all clicks from those accounts as fraud, not charge the advertisers, and not pay the publishers.

  19. Doesn't sound right by CaseyB · · Score: 2, Informative

    The article is written so badly that's it's very hard to figure out the meaning. But this bit seems to describe the "entry point" to the infection:

    Here, we have something different - an Instant Messaging attack launched by a webpage forcibly dumping executable files into a PCs temporary files directory, via some nifty VisualBasic scripting.

    and further on:

    So, how does this happen?
    First of all, you need to hit an infection site using Internet Explorer - this exploit doesn't work in Firefox, for example. Due to the way these files are downloaded onto the PC, you can effectively make any site a potential threat and can scatter these files around wherever you like.

    This sounds like a straight up "go to a web page and an arbitrary executable runs" attack. That would be a HUGE security hole in IE that has nothing to do with the rest of this issue. Not that it's never happened before, but I somehow doubt that this would be the first place we'd hear about it.

  20. Re:Does this effcet us by bangenge · · Score: 1

    Does anyone that comes here on purpose us IE still or waste time with yahoo messanger?

    Unfortunately, yes. I have to have both IE and Firefox for testing webpages, and YM as my main IM. And unfortunately, one of my friends is bombing me with this said worm.

    Out of curiousity, I booted into ubuntu, logged into YM and tried it out, knowing I'm safe. :) It was just a simple VBScript but I couldn't get the file in question.

    --
    . o O ( TwO hEaDs ArE mOrE tHaN oNe... )
  21. Re:a question on "click fraud"... by mackyrae · · Score: 1

    Well, B is making the program that simulates clicks through C's computer, so B's the one committing fraud.

    --
    look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
  22. Re:a question on "click fraud"... by generic-man · · Score: 1

    If C repeatedly clicks the ad, the ad serving provider might be asked to investigate the nature of these questionable clicks. If the clicks are found to be programmatically generated with no useful business-related purpose, the ad serving provider might be asked to strike those "fraudulent" clicks from the billing.

    If C is just being a jerk then he'll probably be ignored (perhaps his clicks will just go unbilled by anyone). If C is trying to harm A's or B's business, then a lawsuit could result. If C doesn't realize he's doing the clicks... that's a different matter entirely.

    --
    For more information, click here.
  23. They play with fire by zitintheass · · Score: 1

    Those click-frauders can be traced back and personally identified because they have to run "websites" to generate revenue from those clicks. So their personal "income" address (to send paychecks) is in the Google Adsense (available), once identified they can be brought to justice by Google (if only Google ever really wanted to combat them). More scary scenario is that they can virtually destroy any small-midsized website business if they target it with these botnets. Google may cut them from Adsense and red flag them (innocent website owners may not even know about being targeted). And bye bye website. The core of the problem is that Google is irresponsibly allowing those fake and obvious fraud made-for-adsense websites to flourish.

  24. Re:Does this effcet us by Technician · · Score: 2, Interesting

    Does anyone that comes here on purpose us IE still

    At work some of us are stuck with the corporate desktop environment which means IE. The IT department has done a pretty good job keeping it locked down. When they run the corporate proxy server, it's easier to get a handle on what doesn't make it in. They also use managed switches, so if a machine starts spewing, it gets disconnected. It tends to stop worms that try to scan for vuneribilities or other bot activities. Even the new version of Skype that used supernotes triggered the defences and dropped a bunch of machines while they tried to figure out the cause of the unusual data pattern.

    Home users have no monitor that triggers and disconnects on unusual data patterns on the net.

    --
    The truth shall set you free!
  25. Re:a question on "click fraud"... by Technician · · Score: 1

    Let's say that party A puts some banners on party B's web page, with the agreement that A will pay B some money for users who click on the ad.


    If party B is the worm writer to get party C to click on the ad, then party C is not a real consumer interested in A's product at all. This fraud lines party B's pocket. A never intended to pay for clicks except by those who searched for the keyword because they were researching it for personal reasons.

    --
    The truth shall set you free!
  26. HaHa. by SeaFox · · Score: 1

    Yeah... Ha-Ha... fuuunny. I meant the webpage in IE was redundant, not my comment itself.

  27. Reference by Anne+Thwacks · · Score: 1
    I refer the honourable gentlemen to the satement i made some moments ago:

    If the US Government can prevent banks (credit cards) from handling the proceeds of internet gambing, how comes they can't do the same for handling the proceeds of goods advertised by Spam (etc)?

    Is there a US Government at all? Is the US Government controlled by a moral cesspit like Al Quaida say it is? Has Gw Bush sold his soul to the devil? Is the internet controlled by Aliens from the planet Zog? Stay tuned for more news - same channel same time next week!

    --
    Sent from my ASR33 using ASCII
  28. Funniest part of the article by MechCow · · Score: 1
    Mesothelioma is a rare form of cancer commonly caused by prolonged exposure to asbestos and litigation



    Exposure to litigation - it can get you more than loads of cash. It can kill.

    --

    --
    On Slashdot I'm a lawyer.
  29. Sorry. by d3m0nCr4t · · Score: 1

    I have to type this message from my laptop, because my hard disk needs chemo...

  30. You're probably right... by StressGuy · · Score: 1

    many, many grammer Nazi's lurking about these days...but it's worse than that. Over the years the right side of my brain has started to interact with my typing. For example, I'll sometimes think of one word, but type its synonym. Other time, I've been known to type a "q" when I was thinking "g".

    In this forum, I type it and fire it off. For business communications, I spend a lot of time reviewing before I let it go.

    --
    A goal is a dream with a deadline
    1. Re:You're probably right... by StressGuy · · Score: 1

      I would call you "pompous" but, since you're an AC, and it's easy to be an asshole when noone knows who you are...I'll just leave it at that.

      Now, respond to this post so you can say you had the last word and that will be the end of the time I waste on you.

      --
      A goal is a dream with a deadline
  31. Who's missing? by Silik · · Score: 2, Funny

    So Microsoft is being used to make use of Yahoo! in trying to throw click fraud at Google.

    Are we missing anyone?

  32. YIM uses IE functionality by Old.UNIX.Nut · · Score: 2, Interesting

    Several years ago I disabled cookies in IE and found it broke YIM. I decided this made YIM a security risk and quickly switched to Trillian for all my IM need. I have NEVER regretted making this change.

  33. Hey, are you the submitter? by Mr+44 · · Score: 1

    I think we (slashdot readers) have just 'found out' who the (anonymous) submitter (of TFA) 'really' is (or at least their 'slashdot userid') based on the (unique) writing 'style'.