
October 8th, 2009

Click fraud facilitating Bahama botnet steals ad revenue from Google

Posted by Dancho Danchev @ 9:56 am

Categories: Anti Virus, Botnets, Browsers, Complex Attacks, Google, Hackers, Malware, Research, Web 2.0

Tags: Google Inc., Advertisement, Click Fraud, Domain, Computer, Security, Cybercrime, Dancho Danchev

The Bahama botnet was originally exposed as a botnet redirecting and monetizing hijacked traffic to over 200,000 parked domains primarily located in the Bahamas. Researchers from ClickForensics have recently found evidence of active DNS hijacking of Google properties, which allows cybercriminals to steal revenue from Google by pulling search results and displaying them on a bogus homepage (Cybercriminals promoting malware-friendly search engines) that serves ads from pay-per-click ad networks (Microsoft’s Bing invaded by pharmaceutical scammers) maintained by similar cybercrime enterprises.

Here’s how Bahama’s click fraud scheme steals ad revenue from Google and its advertisers according to ClickForensics:

However, in the case of the Bahama Botnet, this DNS translation method gets corrupted. The Bahama botnet malware causes the infected computer to mistranslate a domain name. Instead of translating “Google.com” as 74.125.155.99, an infected computer will translate it as 64.86.17.56. That number doesn’t represent any computer owned by Google. Instead, it represents a computer located in Canada.

When a user with an infected machine performs a search on what they think is google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher. Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not. A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains — some complicit, some not. Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred.

The click-fraud scheme (Botnets committing click fraud observed) affects all of Google’s international domains. The DNS record hijacking itself takes place upon infection with scareware (The ultimate guide to scareware protection) pushed by the gang’s portfolio of compromised domains, which serve bogus content syndicated from Google Trends in real time.
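A defender can check an endpoint for the kind of mistranslation described above. The following is an added example, not code from ClickForensics or the original post: it assumes the override shows up as static entries in a hosts file (the article does not say which mechanism the malware uses), and the trusted network baseline and the sample file are constructed for illustration.

```python
import ipaddress
import re

# Assumption: baseline of networks where the watched names legitimately resolve,
# built here from the one genuine address quoted in the article. In practice,
# take the baseline from a resolver you trust.
TRUSTED_NETS = [ipaddress.ip_network("74.125.0.0/16")]

# google.com plus country domains such as google.de, google.co.uk, google.com.au
WATCHED = re.compile(r"^(?:[a-z0-9-]+\.)*google\.[a-z]{2,3}(?:\.[a-z]{2})?$")

def parse_hosts(text):
    """Return [(hostname, ip)] from hosts-file text, skipping comments and junk."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address column
        entries.extend((name.lower().rstrip("."), ip) for name in fields[1:])
    return entries

def find_hijacks(text, trusted=TRUSTED_NETS):
    """Flag watched names pinned to an address outside the trusted baseline."""
    return [(name, str(ip)) for name, ip in parse_hosts(text)
            if WATCHED.match(name) and not any(ip in net for net in trusted)]

# Constructed sample: two clean lines, one line with two overrides using the
# rogue address from the article, and a commented-out line that is ignored.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
74.125.155.99  google.com            # genuine address quoted in the article
64.86.17.56    www.google.com Google.co.uk
# 64.86.17.56  google.de
10.0.0.5       intranet.example
"""

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious override: {name} -> {ip}")
```

The same comparison applies to answers returned by the machine's configured resolver: feed the observed name-to-address pairs through the baseline check instead of the hosts-file entries.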

The cybercrime enterprise behind the Bahama botnet is also linked to the recent malvertising (malicious ads) incident that affected the web site of the New York Times, the Koobface botnet, as well as to a huge percentage of the blackhat search engine optimization campaigns serving scareware analyzed throughout the past couple of months.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 7 Talkback(s)
Nobody bothers because...
...it is more profitable to let it run.

Why do you think the credit card companies don't shut down merchant accounts of known spammers and those dealing illegal products?

Why would they? They earn MILLIONS in commissions and transaction fees.... (Read the rest)
Posted by: Marty R. Milette Posted on: 10/15/09