An instant messaging botnet attack that plagued users of Yahoo’s Messenger client has been revamped into a more sophisticated approach that could lure people into clicking lucrative ads for the attacker’s benefit.
Botnet Tactics Enable Click Fraud
FaceTime researcher Chris Boyd, who also writes under the pen name Paperghost at VitalSecurity.org, has found a variant of malicious code previously seen traveling over IM. In the earlier version, infected machines had a bot installed on them, and that bot performed automated clicks on the attacker's ad-stuffed page.
The new version removes the bot from the equation. Instead, a person who clicks on a link in the message lands on a page that causes their IM client to send messages to everyone on their buddy list, each message carrying a link to the same malicious page. The victims do the spreading, and, as described below, the clicking.
Then the real aim of the crime appears, according to Boyd:
Not just any old adverts, though – these guys have done their homework. Unlike the previous ads that I’ve seen served up by Botnets, these ones are targeted towards a specific kind of cancer. Namely, Mesothelioma.
Mesothelioma is among the better-paying keywords in online advertising. Overture's bid tool listed a top bid of $13.02 for "mesothelioma help." Where an automated bot would normally begin clicking away, it is now left to the human visitor to click, or not click, on the ads.
A click or two apiece from many different people, spread across a wide range of IP addresses, probably would not prompt the same level of scrutiny that a flood of clicks from a single bot-infected host should generate inside the black-box fraud filters of contextual advertising engines at places like Google or Yahoo.
If that happens, the advertiser pays for worthless clicks, the advertising network keeps its share, and the people who spread the infection collect the publisher's cut for the ad-stuffed page they control.
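The paragraph above contrasts two click patterns: a single host hammering an ad page (the old bot) versus many distinct hosts each clicking once or twice (the new scheme). The following is an added example, not code from the article or from FaceTime or Chris Boyd, showing both heuristics run over a constructed click log. The log format, thresholds and the "convergence on one publisher page" rule are assumptions made for illustration; real ad engines use many more signals.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample click log (not real data): time, client IP, publisher page, keyword.
# pub-a: one IP clicking six times in 30 seconds (classic bot).
# pub-b: eight different IPs, one click each, within three minutes (humans doing the bot's work).
# pub-c: two clicks hours apart (ordinary traffic).
SAMPLE_LOG = """\
2006-03-01T10:00:01 192.0.2.10 pub-a.example mesothelioma help
2006-03-01T10:00:04 192.0.2.10 pub-a.example mesothelioma help
2006-03-01T10:00:09 192.0.2.10 pub-a.example mesothelioma help
2006-03-01T10:00:15 192.0.2.10 pub-a.example mesothelioma help
2006-03-01T10:00:22 192.0.2.10 pub-a.example mesothelioma help
2006-03-01T10:00:30 192.0.2.10 pub-a.example mesothelioma help
2006-03-01T11:15:00 198.51.100.1 pub-b.example mesothelioma help
2006-03-01T11:15:20 198.51.100.2 pub-b.example mesothelioma help
2006-03-01T11:15:41 198.51.100.3 pub-b.example mesothelioma help
2006-03-01T11:16:05 198.51.100.4 pub-b.example mesothelioma help
2006-03-01T11:16:30 198.51.100.5 pub-b.example mesothelioma help
2006-03-01T11:16:58 198.51.100.6 pub-b.example mesothelioma help
2006-03-01T11:17:20 198.51.100.7 pub-b.example mesothelioma help
2006-03-01T11:17:44 198.51.100.8 pub-b.example mesothelioma help
2006-03-01T09:00:00 203.0.113.5 pub-c.example mesothelioma help
2006-03-01T14:30:00 203.0.113.9 pub-c.example mesothelioma help
"""


def parse_log(text):
    """Parse the assumed log format into (time, ip, publisher, keyword), sorted by time."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, publisher, keyword = line.split(maxsplit=3)
        clicks.append((datetime.fromisoformat(ts), ip, publisher, keyword))
    return sorted(clicks)


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any interval of length `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_ip_bursts(clicks, window=timedelta(minutes=1), threshold=5):
    """Bot signature: one IP producing `threshold` or more clicks on one publisher within `window`."""
    by_ip = defaultdict(list)
    for t, ip, pub, _ in clicks:
        by_ip[(ip, pub)].append(t)
    return sorted(key for key, times in by_ip.items() if _max_in_window(times, window) >= threshold)


def flag_publisher_convergence(clicks, window=timedelta(minutes=5), min_ips=6):
    """Distributed signature: `min_ips` or more distinct IPs clicking on the same
    publisher page within `window`, regardless of how few clicks each IP makes."""
    by_pub = defaultdict(list)
    for t, ip, pub, _ in clicks:
        by_pub[pub].append((t, ip))
    flagged = []
    for pub, events in by_pub.items():
        events.sort()
        start, seen = 0, Counter()   # sliding window of distinct IPs
        for t, ip in events:
            seen[ip] += 1
            while t - events[start][0] > window:
                old_ip = events[start][1]
                seen[old_ip] -= 1
                if seen[old_ip] == 0:
                    del seen[old_ip]
                start += 1
            if len(seen) >= min_ips:
                flagged.append(pub)
                break
    return sorted(flagged)


if __name__ == "__main__":
    clicks = parse_log(SAMPLE_LOG)
    print("per-IP bursts:", flag_ip_bursts(clicks))
    print("publisher convergence:", flag_publisher_convergence(clicks))
```

On this log the per-IP rule catches only pub-a, the old bot pattern; pub-b, where every IP clicks once, slips past it and is caught only because eight unrelated addresses converge on one publisher page in a three-minute window. The caveat is that convergence also fires on genuinely viral traffic, so it is a trigger for review of the publisher, not proof of fraud on its own.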
Boyd discussed the ploy in a more formal fashion at FaceTime. He noted it only works when someone uses Internet Explorer to visit the malicious webpage. “Remember – in this attack, you simply need to visit the offending webpage to become infected. There is NO need to physically allow a download or run a file,” he wrote.
Other tactics in use, such as filtering who sees the ad page by IP address, make it less likely the scheme would be caught by detection filters at Google. If the visitor's IP address belongs to a country that would not normally be shown such ads, the malicious page simply does not display them, so anyone reviewing the page from outside the targeted region sees nothing suspicious.
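To make the IP-based filtering concrete, here is an added example (not code from the article, from FaceTime or from the attackers) of a page that emits its ad block only for visitors geolocated to a target country, together with the reviewer-side check that defeats it: fetch the same page from several vantage points and compare. The CIDR-to-country table, the target country and the ad marker are constructed assumptions standing in for a real GeoIP database and real ad markup.

```python
import ipaddress

# Constructed, hypothetical geo table standing in for a real GeoIP lookup.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR"),
]
# Assumed: the cloaked page only shows ads to visitors from these countries.
TARGET_COUNTRIES = {"US"}
AD_MARKER = '<div class="ads">'   # assumed marker for the ad block


def country_of(ip_str):
    """Map an IP address to a country code via the constructed table (None if unknown)."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return None


def render_page(client_ip):
    """Cloaked page: the ad block is emitted only when the visitor's country is targeted."""
    body = "<html><body><h1>Mesothelioma help</h1>"
    if country_of(client_ip) in TARGET_COUNTRIES:
        body += AD_MARKER + "...contextual ads would render here...</div>"
    return body + "</body></html>"


def cloaking_check(fetch, vantage_ips):
    """Reviewer-side check: fetch the page as seen from each vantage IP and report
    whether the ad block appears from some vantage points but not others."""
    per_vantage = {ip: AD_MARKER in fetch(ip) for ip in vantage_ips}
    serving_to = sorted({country_of(ip) for ip, has_ads in per_vantage.items() if has_ads})
    return {
        "per_vantage": per_vantage,
        "cloaked": len(set(per_vantage.values())) > 1,
        "serving_to": serving_to,
    }


if __name__ == "__main__":
    print(cloaking_check(render_page, ["198.51.100.7", "203.0.113.4", "192.0.2.9"]))
```

The point of the check is that a single review from outside the targeted country returns a clean page and proves nothing; only when the same URL is fetched from inside and outside the region does the difference show up. In practice `fetch` would be an HTTP client routed through exit points in the countries of interest rather than the simulated renderer used here.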
Since one person or group has now made this attempt at using people to do the work of bots, we won’t be surprised to see this scheme appear in copycat ploys in the future.