Scam with AdSense: a million PCs to steal clicks

A gigantic botnet has been discovered that redirects the web traffic of infected computers in order to collect advertising revenue. According to analysts, it has been active for at least two years.

Making money with advertising on the Internet is easy: just join AdSense, create your own blog, fill it with interesting content and attract millions of visitors.

Ok, maybe it is not so easy... but there is definitely a simpler method: build your own botnet and use the infected PCs to generate traffic on pages carrying advertisements.

This "shortcut" was chosen by a group of cyber-criminals who managed to infect nearly one million computers with the trojan Redirector.Paco.

The affected computers are located mainly in Italy, India, Malaysia, Greece, USA, Pakistan, Brazil and Algeria.

The operation was uncovered by BitDefender, which explains the details of the affair on its blog. The trojan, in circulation since September 2014, makes a few simple changes to the system registry, forcing the computer to use an alternative proxy configuration.

In this way, every time the victim tries to reach the Google search engine, the request is actually diverted to a server controlled by the attackers, which returns as search results links to sites under their control.

The scheme also relies on a fake digital certificate, which allows the hijacked connection to be made over the secure HTTPS protocol.

There is a way to tell whether you are affected: inspecting the certificate reveals that it was issued by DO_NOT_TRUST_FiddlerRoot, that is, by Fiddler, a debugging proxy (or sniffer) that can issue digital certificates so that developers can test functionality while writing code.

[Image: Google certificate] Nothing looks wrong during the connection itself, but checking the certificate makes it easy to see that something is off.

Otherwise, the only symptoms that may indicate an anomaly in the connection are longer loading times for the search results and, in some cases, status-bar messages such as "Waiting for proxy tunnel" or "Downloading proxy script".

Other versions of the trojan use a "Man in the Middle" attack to hijack the data when the victim tries to connect to Google, Bing or Yahoo. The technique in this case is different, but the result is the same.

It remains to be seen how much damage was done to Google: how much can be earned by diverting the searches of one million computers for almost two years?
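The two checks the article describes (an unexpected proxy configuration in the registry, and a Google/Bing/Yahoo certificate issued by DO_NOT_TRUST_FiddlerRoot) can be scripted. The following is an added example written for this page, not code from BitDefender or from the article. It assumes that the trojan's "alternative proxy configuration" lands in the standard WinINet values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer, AutoConfigURL; the article does not say which values are changed), and that ProxyServer holds a simple host:port. The sample certificate and registry dictionaries are constructed for illustration, not captured from an infected machine. One caveat for a practitioner: a DO_NOT_TRUST_FiddlerRoot issuer is legitimate on a developer machine where Fiddler is actually installed; the tell is finding it where nobody ever installed Fiddler.

```python
"""Checks for the Redirector.Paco symptoms described in the article (added example)."""
import socket
import ssl
import sys

BAD_ISSUER_CNS = {"DO_NOT_TRUST_FiddlerRoot"}          # issuer name from the article
SEARCH_HOSTS = ("www.google.com", "www.bing.com", "search.yahoo.com")
# Assumption: the trojan changes the usual WinINet proxy values (not stated by the article).
PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")

# Constructed samples in the shape ssl.getpeercert() / read_proxy_values() return.
SAMPLE_ROGUE_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("commonName", "DO_NOT_TRUST_FiddlerRoot"),), (("organizationName", "DO_NOT_TRUST"),)),
}
SAMPLE_CLEAN_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example CA 1"),)),
}
SAMPLE_ROGUE_PROXY = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8888", "AutoConfigURL": None}
SAMPLE_CLEAN_PROXY = {"ProxyEnable": 0, "ProxyServer": None, "AutoConfigURL": None}


def issuer_cn(cert):
    """Issuer commonName from an ssl.getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def check_certificate(cert):
    """Findings for one peer certificate; an empty list means nothing suspicious."""
    cn = issuer_cn(cert)
    return ["issuer is %s: an interception root, not a public CA" % cn] if cn in BAD_ISSUER_CNS else []


def check_proxy_values(values):
    """Findings for the WinINet proxy values; a clean machine normally has none set."""
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append("manual proxy enabled: %s" % values["ProxyServer"])
    if values.get("AutoConfigURL"):
        findings.append("proxy auto-config script set: %s" % values["AutoConfigURL"])
    return findings


def read_proxy_values():
    """Read the WinINet proxy values from the registry (Windows only)."""
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        for name in PROXY_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None
    return values


def proxy_accepted(reply):
    """True if the first line of an HTTP CONNECT reply carries status 200."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[1] == b"200"


def fetch_peer_cert(host, proxy=None, timeout=5):
    """Peer certificate seen when talking TLS to host:443, optionally via HTTP CONNECT.

    Python sockets ignore the WinINet proxy, so the configured proxy must be passed
    explicitly to reproduce the browser's path. Verification stays on: if the trojan
    installed its root as trusted the handshake succeeds and the issuer becomes visible;
    if the root is not trusted, the SSLCertVerificationError is itself a finding.
    """
    if proxy:
        phost, pport = proxy.rsplit(":", 1)
        sock = socket.create_connection((phost, int(pport)), timeout=timeout)
        sock.sendall(("CONNECT %s:443 HTTP/1.1\r\nHost: %s:443\r\n\r\n" % (host, host)).encode())
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                raise OSError("proxy closed the connection during CONNECT")
            reply += chunk
        if not proxy_accepted(reply):
            raise OSError("proxy refused CONNECT: %r" % reply.split(b"\r\n", 1)[0])
    else:
        sock = socket.create_connection((host, 443), timeout=timeout)
    with sock, ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert()


def main():
    findings, proxy = [], None
    if sys.platform == "win32":
        values = read_proxy_values()
        findings += check_proxy_values(values)
        proxy = values.get("ProxyServer") if values.get("ProxyEnable") == 1 else None
    for host in SEARCH_HOSTS:
        try:
            findings += ["%s: %s" % (host, f) for f in check_certificate(fetch_peer_cert(host, proxy))]
        except ssl.SSLCertVerificationError as exc:
            findings.append("%s: certificate did not verify (%s)" % (host, exc.reason))
        except OSError as exc:
            findings.append("%s: connection failed (%s)" % (host, exc))
    print("\n".join(findings) if findings else "no Redirector.Paco symptoms found")


if __name__ == "__main__":
    main()
```

Run it on the suspect machine as the affected user (the proxy values live under HKCU, so another account's settings will not show). An AutoConfigURL finding is reported but not followed, since evaluating a PAC script is out of scope here; in that case look at the script the URL serves.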
