Internet scammers have stepped up their game by moving into less obvious hunting grounds and getting closer to users' comfort zone: prominent websites that they blindly trust. Forget bundling trojans with fake Flash players or masquerading as a legitimate website; Internet scammers are using high-profile websites to display malicious advertising as a way to spread sophisticated botnets and perform click fraud.
Click Forensics, a click fraud research firm, found that the NYTimes.com website, a prominent online news source that many of us trust for daily news updates, had an advertisement that led computer users to a malicious site that spreads botnet software.
After further research and examination of the fraudulent advertisements found on NYTimes.com, it was determined that a new botnet was the culprit behind the advertisement click fraud. In other words, the Bahama Botnet, a group of hijacked PCs running hidden software that redirects users to domains registered in the Bahamas, infected many computers to commit click fraud through popular websites.
What Does the Bahama Botnet Do?
The Bahama Botnet is able to redirect unsuspecting computer users to a trusted website only to convince them to click on advertisements. The click fraud committed by systems compromised by the Bahama Botnet usually generates money for the scammers through their own pay-per-click ads.
The Bahama Botnet is composed of thousands of compromised PCs, according to Click Forensics' estimates. The Bahama Botnet infects computers by redirecting the user to a website that displays an alert warning them of a virus on their machine, with an offer to download a program to eliminate the threat. Once the message is clicked, it downloads a file that installs a Trojan, which allows the cybercriminals to take control of the infected system and use it to commit click fraud. When a user of a compromised computer clicks on adverts on Yahoo or Google, they are redirected, without noticing, through sites created by the hackers. The fake sites include pay-per-click advertisements, which are displayed before the user is returned to the website of the link originally clicked on. Click Forensics was able to identify the crime ring through a pattern of automatically generated clicks on the target sites, which occurred about every 70 minutes.
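The roughly 70-minute click pattern described above is the kind of regularity that a check over click logs can surface. The following is an added example, not Click Forensics' method and not part of the original article; the log format, host names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample click log: timestamp, source id, ad id (not real data).
SAMPLE_LOG = """\
2009-09-20T00:05:00 host-a ad-17
2009-09-20T01:15:10 host-a ad-17
2009-09-20T02:24:55 host-a ad-17
2009-09-20T03:35:05 host-a ad-17
2009-09-20T04:45:00 host-a ad-17
2009-09-20T00:12:00 host-b ad-17
2009-09-20T00:14:30 host-b ad-03
2009-09-20T05:40:00 host-b ad-17
2009-09-20T09:02:00 host-b ad-22
2009-09-20T09:03:10 host-b ad-17
2009-09-20T08:00:00 host-c ad-17
2009-09-20T09:10:00 host-c ad-17
"""

def parse(log):
    """Group click timestamps by source."""
    clicks = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, source, _ad = line.split()
        clicks[source].append(datetime.fromisoformat(ts))
    return clicks

def periodic_sources(log, min_clicks=4, max_cv=0.05):
    """Return {source: mean gap in minutes} for sources whose inter-click
    gaps are nearly constant (coefficient of variation <= max_cv)."""
    flagged = {}
    for source, stamps in parse(log).items():
        if len(stamps) < min_clicks:
            continue  # too few clicks to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Human clicking is bursty; machine-timed clicks have a tiny spread.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[source] = round(avg / 60, 1)
    return flagged

if __name__ == "__main__":
    print(periodic_sources(SAMPLE_LOG))
```

A source with only two clicks 70 minutes apart (host-c here) is deliberately not flagged, since a single gap says nothing about regularity.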
This is not the first time that a similar scareware tactic has been used to spread malicious software or generate ad clicks. Newsweek, another well-known and reliable online news site, was hit with a scam that displayed a fabricated advertisement on the website, which redirected users to a website that pushes and sells rogue security programs. One of the websites was identified as advancedpcscanner6.com, which is known to display a fake system scan that returns falsified results and offers the Personal Antivirus rogue anti-spyware program as a solution. The Newsweek website advert scam comes in the form of a warning pop-up message and does not give users a choice of clicking on the ad or not. Simply put, the advertisement, shown in Figure 1 below, will redirect the user to a malicious site whether they click the "OK" or "Cancel" button. A popup message may also appear, as shown in Figure 2.
Figure 1. - Personal Antivirus interface.
Figure 2. - Fake popup message – “Warning!!! Your system requires immediate anti-viruses scan! Personal Antivirus can perform fast and free virus and malicious software scan of your computer.”
Similar fake advertisements have been pushed through popular websites in the past. Once the Bahama Botnet software has compromised a user's system, clicks made on sites such as Yahoo, Google and other popular sources can redirect the user through sites populated with pay-per-click adverts created by cybercriminals. This is a relatively easy way for such criminals to get a quick payday.
Now that you know about the Bahama Botnet, will you think twice about clicking on an ad the next time that you see one on a popular website?