FFSearcher: A Stealthy Evolution in Click Fraud

Every so often, a new piece of malicious software comes along that introduces a subtle yet evolutionary technological leap, a quickly-mimicked shift that allows cyber crooks to be far more stealthy in plying their trade. According to research released last week, this happened most recently in the realm of click fraud, a rapidly growing problem that inflates online advertising costs for legitimate companies and ad networks.

For years, hackers have used malicious software to perpetrate click fraud by hijacking the results displayed when users search for something online. The trouble is, these scams can be rather clumsy: Victims often figure out pretty quickly that something is wrong, usually because their searches are redirected to an unfamiliar search portal, as opposed to their regular default search provider.

But a new Trojan horse program being distributed by tens of thousands of recently hacked Web sites hijacks search results so that Google.com users can scarcely tell that their Web searches are being funneled through third-party sites.

Earlier this month, security experts at Websense warned that some 40,000 Web sites were hacked and seeded with code that bombards a visitor's PC with a virtual kitchen sink's worth of browser exploits, all in an effort to install a Trojan horse program. Websense named this mass compromise "Nine-Ball," and the Trojan dropped on victimized PCs was thought to install a range of malicious software.

Joe Stewart, director of malware research at SecureWorks, an Atlanta-based computer security firm, found that among the malware installed by the Nine-Ball Trojan was a click fraud Trojan that SecureWorks has nicknamed "FFSearcher," after one of the Web sites used in the scam (ffsearcher.com).

According to Stewart, FFSearcher is capable of hijacking Google search engine results in both Internet Explorer and Firefox. It takes advantage of Google's "AdSense for Search" application programming interface (API), which allows Web sites to embed Google search results alongside the usual Google AdSense ads. This Google Custom Search widget is used by tens of thousands of legitimate sites to generate ad revenue. For instance, say example.com uses this widget on its site, and someone browsing that site uses the built-in widget to search for some content. If that visitor then clicks one of the ads displayed in the embedded search results, example.com earns a small sum of money for that referral.

Stewart said the authors of FFSearcher realized they could use a Trojan to convert every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the browser's address bar, not the address of the attacker-controlled site).

The beauty of this form of click fraud is that it is largely invisible to the victim: The search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay.

"The attackers have worked out this clever scheme where they can force Google to shell out commissions they shouldn't have to," Stewart said. "They're giving the user exactly what Google would have given him, but the attackers are also able to skim a little off of Google's Adsense program in the process."

Stewart said one of the few giveaways for the victim is that the hijacked results page does not display the total number of pages that contain the word or phrase for which the victim is searching. Yet, while victims may never get wise to the fact that their search results are being intercepted, other infections may alert the victim that something isn't right: FFSearcher appears to be only one of many pieces of malware installed by the Nine-Ball Trojan.

SecureWorks identified several Web sites the attackers are using to funnel the hijacked searches, including i-web-search.com, ffsearcher.com, and my-web-way.com. Stewart said he also found at least two separate Adsense account numbers tied to those sites, accounts that would be credited with tiny commissions anytime someone with this Trojan on their PC clicked an ad displayed in the hijacked search results.
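The technique described above leaves one artifact a network defender can look for: the same search terms a user just submitted to google.com reappear moments later in a request to a third-party host. The following is an added example, not code from the article or from SecureWorks, that runs that check over a few constructed proxy log lines. The log format (timestamp, client address, URL) and the five-second window are assumptions made for the example; the three funnel domains on the watchlist are the ones SecureWorks identified above. The heuristic generalizes past those domains: a query echoed to any unlisted host is also flagged, since the article notes the attackers can swap funnel sites on the fly.

```python
"""Flag google.com search queries that are echoed to third-party hosts in a proxy log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Funnel domains named in the SecureWorks findings quoted in the article.
KNOWN_FUNNEL_DOMAINS = {"i-web-search.com", "ffsearcher.com", "my-web-way.com"}

# Constructed sample log (not real traffic). Assumed format: "<iso-timestamp> <client-ip> <url>"
SAMPLE_LOG = """\
2009-06-30T09:00:01 10.0.0.5 http://www.google.com/search?q=cheap+flights
2009-06-30T09:00:02 10.0.0.5 http://www.i-web-search.com/results.php?q=cheap+flights
2009-06-30T09:00:09 10.0.0.5 http://www.google.com/search?q=weather+atlanta
2009-06-30T09:00:10 10.0.0.5 http://unknown-host.example/cse?q=weather+atlanta
2009-06-30T09:05:00 10.0.0.7 http://www.google.com/search?q=python+tutorial
2009-06-30T09:05:30 10.0.0.7 http://docs.python.org/tutorial/
2009-06-30T09:06:00 10.0.0.9 http://www.bing.com/search?q=cheap+flights
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
WINDOW = timedelta(seconds=5)  # assumed: how soon after the Google search the echo must occur


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, url = m.groups()
    parts = urlsplit(url)
    # parse_qs decodes '+' and percent-escapes, so both sides of the comparison are normalized.
    query = parse_qs(parts.query).get("q", [None])[0]
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": parts.hostname or "", "q": query}


def is_google_search(rec):
    return rec["host"].endswith("google.com") and rec["q"] is not None


def registrable_name(host):
    """Strip a leading 'www.' so the watchlist matches both bare and www hosts."""
    return host[4:] if host.startswith("www.") else host


def find_echoed_searches(log_text, window=WINDOW):
    """Return (client, query, third-party host, reason) tuples for echoed searches."""
    alerts = []
    recent = defaultdict(list)  # client -> google searches seen so far
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["q"] is None:
            continue  # malformed line or request with no q= parameter
        if is_google_search(rec):
            recent[rec["client"]].append(rec)
            continue
        # A non-Google request carrying q=: does it repeat a recent Google search by the same client?
        for g in recent[rec["client"]]:
            if g["q"] == rec["q"] and timedelta(0) <= rec["ts"] - g["ts"] <= window:
                if registrable_name(rec["host"]) in KNOWN_FUNNEL_DOMAINS:
                    reason = "known funnel domain"
                else:
                    reason = "query echoed to unlisted host"
                alerts.append((rec["client"], rec["q"], rec["host"], reason))
                break
    return alerts


if __name__ == "__main__":
    for client, query, host, reason in find_echoed_searches(SAMPLE_LOG):
        print(f"{client}: '{query}' forwarded to {host} ({reason})")
```

On the sample log this flags the two requests from 10.0.0.5 and nothing else: the docs.python.org request carries no query, and the Bing search from 10.0.0.9 has no preceding Google search to echo. In practice the watchlist needs to be refreshed from current threat intelligence, and the unlisted-host rule will need an allowlist for legitimate sites that pass search terms in a `q=` parameter.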

A Google spokesperson confirmed that the company had deactivated the rogue AdSense accounts identified by SecureWorks. But Stewart said the FFSearcher Trojan allows the attackers to change both the sites that return the invisible Custom Search results and the AdSense accounts on the fly.

"FFSearcher undoubtedly raises the bar for the fraud detection teams working at the major search engines, and it will be interesting to see how they combat it and other trojans using the same technique in the future," Stewart wrote, in the white paper on the Trojan, which is available at this link here.

By Brian Krebs  |  June 30, 2009; 7:20 AM ET
Categories:  Fraud , Web Fraud 2.0  | Tags: click fraud, ffsearcher  

Comments

Brian, wouldn't an add-on like Giorgio Maone's NoScript stop the processes necessary for this kind of fraud to succeed on Firefox? Or have I misunderstood the means by which the fraud is carried out?...

Henri

Posted by: mhenriday | June 30, 2009 9:28 AM | Report abuse

@mhenriday - I suppose it's possible, but I doubt it. Check out the SecureWorks writeup: it goes into a bit more detail about how this works. Basically, the malware injects a rootkit onto the host system, and it appears this malware also modifies Windows .dll files and processes. It even rewrites autocomplete results on both browsers.

Posted by: BTKrebs | June 30, 2009 9:37 AM | Report abuse

I wouldn't call this "click fraud", since the clicks themselves aren't fraudulent. Instead, I'd call it "affiliate fraud", just like I would if a rogue Firefox extension modified all links to amazon.com to include their affiliate id.

Posted by: jesseruderman | June 30, 2009 1:23 PM | Report abuse

I have often been accused of being a cynic or a skeptic, but I feel that I must ask - Who is the prime beneficiary of identifying these various scams? If I was running a computer security company and business was a bit slow, I think that I might write some software that would panic people. I am absolutely certain that SecureWorks would not be involved in such a scam, but other companies might.

Posted by: con_byrne | June 30, 2009 2:27 PM | Report abuse

Google doesn't help things in that they recently began inserting a Google redirect into the chain of actions for some search results when clicked. I'm quite certain that I'm not infected: I have none of the symptoms of FFSearcher, and the same results happen on a virgin VM that has never seen anything but Windows Update.

http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fwww.aoa.org%2Fx8469.xml&ei=RFtKSvTrAt6vtwfms4i7Ag&rct=j&q=aoa+optical&usg=AFQjCNF-H1Lggf3ldU3vZkMHLOxITP7CDg

But ... has my area Akamai Google box been hacked and the bad guys inserted their own Javascript? Has my ISP gone rogue and inserted their equivalent Javascript in search results?

Posted by: moike | June 30, 2009 2:45 PM | Report abuse

So am I correct that those surfing on a limited windows account or using Firefox under drop-my-rights would not be affected by this problem?

Posted by: Eremita1 | June 30, 2009 4:25 PM | Report abuse

Is there some reason that you do not identify this as a Windows-only Trojan horse? The reluctance of "journalists" to name Windows malware as Windows malware sure makes it look like you either don't know squat about tech, or Microsoft owns you.

Just in case you honestly believe that Windows is computing, which is inexcusable but possible, here is some information for you:

1. There are several major operating systems other than Windows: Linux, Unix, Mac, and the free BSDs. All but Mac have several variations. There are many less-popular ones such as Amiga and FreeDOS that are still in use, plus hosts of specialized embedded OSes.

2. People really do use these other operating systems

3. You are doing a disservice to your readers by not giving complete information. It's no different than identifying E. coli contaminated foods by brand name and lot number, or defective vehicles by brand, model, and year, or dangerous children's toys by name. And so on.

4. Some exploits are cross-platform, but not many. Windows is the #1 target because its core architecture renders it unfixably vulnerable, unlike Unix-type operating systems.

Thank you, and I look forward to more accurate reporting in the future.

Posted by: member5 | July 1, 2009 1:43 AM | Report abuse

@member5: "Windows is the #1 target because its core architecture renders it unfixably vulnerable, unlike Unix-type operating systems."

Yeah, like the Mac didn't just have a release this month for 24 Java security flaws (2 years late), and 50 security fixes in OSX in February to patch security holes in its invulnerable Unix-type operating system.

Posted by: moike | July 1, 2009 10:15 AM | Report abuse

Thanks for the tip, Brian! After reading the article, which can be accessed via this link - http://tinyurl.com/ldbk3a - I have to agree that it's unlikely that NoScript would be of help here. Anti-virus services are going to have to find a way to block this Windows trojan; for my part I'm glad I surf the web from Ubuntu Jaunty!...

Henri

Posted by: mhenriday | July 2, 2009 8:50 AM | Report abuse


© 2010 The Washington Post Company