
Web Fraud 2.0: Franchising Cyber Crime

For the most part, cyber gangs that create malicious software and spread spam operate as shadowy, exclusive organizations that toil in secrecy, usually in Eastern Europe. But with just a few clicks, anyone can jump into business with even the most notorious of these organizations by opening up the equivalent of a franchise operation.

Some of the most active of these franchises help distribute malicious software through so-called pay-per-install programs, which pay tiny commissions to the franchise operators, or so-called affiliates, each time a supplied program is installed on an unsuspecting victim's PC.


These installer programs will often hijack the victim's search results, or steal data from the infected computer. Typically, affiliates will secretly bundle the installers with popular pirated software titles that are made available for download on peer-to-peer file-trading sites. In other cases, the installers are stitched into legitimate, hacked Web sites and quietly foisted upon PCs when people visit the sites with outdated, insecure Web browsers.

Experts say one of the longest-running and most successful of these pay-per-install operations is an organization called "InstallsCash," which pays distributors to spread a variety of invasive programs. After you've signed up for a free account, InstallsCash will provide you with an installer file (.exe). They will then pay you between $5 and $140 per 1,000 installs (with higher rates for installations in countries like the United States, United Kingdom and Italy).

InstallsCash tells affiliates that the program they're distributing merely changes the victim's homepage, adds a browser toolbar, and installs a porn dialer, which hijacks the victim's dial-up modem to make expensive 1-900 phone calls. Working with security researchers, Security Fix signed up for an account at InstallsCash to learn what their affiliates were really installing.

What we found was that the installation program given by InstallsCash to distributors installs some of the most sophisticated and aggressive malicious software in circulation today.

According to one analysis by researchers at Atlanta-based managed security services firm SecureWorks, an InstallsCash installer delivered to affiliates in mid-May dropped no fewer than 15 pieces of malware on victim systems, including Cutwail, one of the most sophisticated and prolific spam bots on the planet. Also included were variants of the Koobface worm, which spreads via social networking sites like Facebook (hence the anagram of Facebook), as well as the Zeus or PRG Trojan, a sophisticated password-stealing program.

Separately, experts with security research firm Team Cymru looked at a different installer offered by InstallsCash. Team Cymru found that the installer seeded PCs with quite a different crop of malware, including several Trojan horse programs, a rootkit, a virus and backdoor called Virut, and a generic spam Trojan that turns the victim PC into a spam relay.

No offices or phone numbers are listed on the group's Web site. On its "About Us" page, InstallsCash lists six different instant message accounts that can be used to contact them. Security Fix left messages at all six. One who did answer, named "Install_Support," said "Ask me your questions, maybe I will answer," but then declined to answer any of them, except to say that he or she was located in Ukraine.


A publicly accessible test page on the group's Web site indicates that the last person to administer the site did so via an encrypted connection from a DSL account in Kiev, Ukraine.

It is illegal in most countries to distribute malicious software, such as computer worms, with the intention of infecting computers without the owner's permission.

Michael LaPilla, director of malicious code operations for iDefense, a Sterling, Va.-based security intelligence group owned by Verisign, said InstallsCash has a long and storied history, albeit under different names: The affiliate program previously went by the names Iframedollars and Iframecash, and for a long time was among the most visible arms of the infamous Russian Business Network.

"They've been active for so long," LaPilla said. "They just took new names after too much public attention got their old domains shut down."


LaPilla said that exactly what the installer program will plant on infected machines varies from day to day, based on two factors: where the victim lives, and which cyber criminal gangs are paying InstallsCash to distribute malware that week.

In 2007, iDefense analysts launched an investigation to see whether the malware being downloaded by the InstallsCash installer changed depending on the geographical location of the victim PC. Sure enough, iDefense found that most of the PCs receiving password-stealing Trojans sought credentials for financial institutions specific to the victim's region.

By Brian Krebs  |  June 19, 2009; 3:35 PM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  | Tags: crime franchise, iframecash, iframedollars, installscash  



Here's to hoping the FBI also reads your blog.

Of course they do!!!

Posted by: | June 20, 2009 2:45 AM

One would also hope that Malwarebytes Antimalware detects this stuff.

Note that Malwarebytes BOT appears to be a Rogue operation, that fortunately the real Malwarebytes removes. LOL

Posted by: | June 20, 2009 2:48 AM

Hi Brian:

This exploit has been "in the wild" since the 1996-1997 timeframe. When I ran the computer crimes division at NASA we arrested suspects for engaging in this type of scam incidental to their network intrusion activities.

What's changed? We have a larger universe of potential victims (consumers) and the delivery platforms have been commercialized for any criminal to use.

Good report for the update.

Tom Talleur

Posted by: W9TZ | June 22, 2009 10:40 AM

I'll make sure NSA knows, since I'm certain they monitor my emails - have for years.
Let's hear it for Harvard, they really taught the Russians how capitalism works. How about the phone companies who allow such abuse of 900 numbers? And a cheer for the operators and suppliers to the Internet backbone for avoiding all efforts to stop malicious activities, since it would free up more than half of all the available bandwidth but reduce their revenue selling hardware and services to expand the Internet capacity.
As long as profits are involved, we will have no solution to this problem - just like healthcare in America!

Posted by: jeh1 | June 22, 2009 1:22 PM

@ brucerealtor: Maybe the FBI reads these blogs, maybe not. It doesn't seem to make much difference, does it? Remember a year or so ago when Brian reported on an interview with a high ranking Fibbie who had major cyber-crime responsibilities? He had little or nothing to contribute to the conversation that meant anything. At the most, maybe just good intentions. Those and a dime don't get you much these days.

Posted by: peterpallesen | June 23, 2009 2:10 PM


© 2010 The Washington Post Company