Slashdot Mirror


New Click-Fraud Attack Is Stealthiest Yet

An anonymous reader sends news from The Washington Post's Security Fix blog of a new Trojan horse program that takes click fraud to the next level. The Trojan, dubbed FFsearcher by SecureWorks, was among the pieces of malware installed by sites hacked with the Nine-Ball mass compromise, which attacked some 40,000 Web sites this month. The Trojan takes advantage of Google's "AdSense for Search" API, which allows Web sites to embed Google search results alongside the usual Google AdSense ads. (SecureWorks' writeup indicates that Yahoo search is targeted too, but the researchers saw no evidence of the malware redirecting Yahoo searches.) While most search hijackers give themselves away on the victim's machine by redirecting the browser through some no-name search engine, FFsearcher "...converts every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site). Adding to the stealth is the fact that search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay." If FFsearcher were the only piece of malware on the machine, it would have a better chance of staying under the radar.

5 of 99 comments

  1. Re:How the server gets infected? by stephanruby · · Score: 3, Funny
    Interesting is: this piece of malware does not directly (perceivably) damage the user of the infected machine, but it generates revenue through (semi fake) Google ad clicks. I wonder how they (Google) will react.. would guess that big corporations get quite pissed by this kind of stuff. Let's wait and see..

    Finally, a piece of malware I'm not super-annoyed by.

  2. Re:How the server gets infected? by rattaroaz · · Score: 2, Funny

    Reading the article helps - there is only one server: my-web-way.com, which is supposedly controlled by the attackers. The whois entry reveals that it is registered in Moscow, Russia...

    In America, server gets infected, but in Soviet Russia, infections get served!

  3. Re:Does this affect all browsers? by Zerth · · Score: 1, Funny

    Lynx is presumably immune...

  4. If it's evil, it can't be Google..... by Bob_Who · · Score: 2, Funny

    ....the impersonators prefer "Don't Be Elvis"

  5. Re:How the server gets infected? by emlyncorrin · · Score: 2, Funny

    What has Attention Deficit Disorder got to do with this?