Security Response

Sgt. Scammer’s Lonely Hearts Club

Created: 06 Apr 2011 11:44:21 GMT • Updated: 23 Jan 2014 18:21:46 GMT • Translations available: 日本語
Poul Jensen

Internet advertising has the potential to be a very worthwhile method for generating income. However, advertising on the Internet typically produces a higher return if the ads themselves are clicked. Therefore, there is a high incentive for scammers to devise ways to ensure that the ads hosted on sites under their control are clicked – be it through malware, automated scripts, email spam links, or any other method. After all, potential profit drives innovation – for legitimate and illegitimate business alike.

However, advertisement networks are capable of identifying illegitimate activity on their networks, which increases the need for scammers to hide that activity for as long as possible, thereby allowing them to reap the largest possible profit. In the past, we have observed various Trojans that connect to websites and click on the ads. Recently, however, we have discovered a more elaborate scam that establishes a network of fake dating/social network/blog websites and then uses a number of Trojans to connect to these websites and click on the advertisements hosted there. This entire process is presumably controlled by the very same people who initially developed the fake dating/social network/blog websites.

This is how the scam is executed:

The scammers construct a set of legitimate looking dating/social network/blog websites. In the case of the dating and social network sites, they are developed with real pictures and some rudimentary profile information. The sites themselves look professional and genuine.

Next, the scammers create a Trojan that connects to the website and clicks on the advertisements that are found on the site. In fact, the Trojan clicks on anything that constitutes a link on the page. It then delays its execution and only resumes after a random period of time has elapsed (to avoid any obvious timing patterns from being identified).

To give an idea of how profitable such a Trojan can be, we have calculated a few scenarios based on the pay-per-click rates on the targeted sites, using public information available for the advertisement networks that are being used.

  • Heyos.com – between €0.10 and €0.11 per click.
  • Simply.com – a minimum of €0.20 per click.
  • Google AdSense – between €0.35 and €3, depending on the cost of the AdWord at the time.
  • Arubamediamarketing.it – this site functions similarly to Google in that words are valued depending upon demand. It can be estimated at an average of €0.15 per click.

Note: Simply.com would, however, like to point out that its network of publishers is carefully managed on a daily basis and abides by strict quality control measures (Simply's Brand Protection Policy) to reduce the possibility of this type of fraudulent activity happening.

By using the above estimations, this amounts to a potential profit of €0.80 for every page that has been reloaded where all of the advertisements have been clicked.

Furthermore, as has been alluded to earlier, it is worth noting that the Trojan clicks every link on the page, including an embedded link within the profile image of each member of the group of friends on the current profile. The number of friends varies, but is typically between three and five, thus maximizing the odds of cycling through further advertisement campaigns on the profile pages of the fake friends. These "friends" are generally other profiles that have been created by the scammers – an efficient way to ensure subsequent clicking activity for the Trojan.

The Trojan resumes this process using a variable time interval, for example, repeating approximately every 15 minutes. This would give a high-end estimated return of:

5 profile loads (number of fake friends on the page) × €0.80 (average return per page reload) × 96 reloads/day (one reload every 15 minutes) = €384 per day

This figure appears very high – and it is. It is probably the maximum amount a scammer could hope to receive from a Trojan residing on one compromised computer.

Moreover, most advertisement networks have limitations on how many times a single IP can click through to individual advertisement campaigns during a 24-hour period, which makes an accurate estimate difficult. But even if the 24-hour limit for a unique IP address to click on a particular advertisement is set to one (i.e., the low-end estimate), the entire process still proves quite profitable. Thus far, we have observed four advertisers on each page. Let us assume that, at a minimum, each of these advertisers has one active campaign per day – that's approximately €3 for every computer that has been compromised by this threat. Through further testing, we have also observed that each advertiser has two or three active campaigns. Adjusting for this, it can be estimated that the advertisers are generating approximately €10 profit for every compromised computer each day. If the threat existed on only 100 computers, the author could potentially make between €300 and €1,000 per day. Such figures certainly go a long way to explain why click fraud is such big business.
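As an added example (not code from the original article or from Symantec), the following Python script turns the two points above into checks an ad network or publisher could run over its own click logs: it applies a per-IP, per-campaign 24-hour billing cap, and it flags IPs whose clicks cover every ad on a page and recur on a near-regular schedule, the behaviour described for the Trojan. The log format, the IP addresses (documentation ranges), the campaign names and the per-click costs are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev

# Constructed sample ad-click log (one click per line). 203.0.113.7 mimics the
# behaviour described above: every ad on the page is clicked within seconds,
# and the page is reloaded roughly every 15 minutes. 198.51.100.9 is an
# ordinary visitor who clicks a single ad. Costs per click are illustrative.
SAMPLE_LOG = """\
2011-04-05T10:00:03Z 203.0.113.7 campaign=A cost=0.10
2011-04-05T10:00:04Z 203.0.113.7 campaign=B cost=0.20
2011-04-05T10:00:04Z 203.0.113.7 campaign=C cost=0.35
2011-04-05T10:00:05Z 203.0.113.7 campaign=D cost=0.15
2011-04-05T10:15:11Z 203.0.113.7 campaign=A cost=0.10
2011-04-05T10:15:12Z 203.0.113.7 campaign=B cost=0.20
2011-04-05T10:15:12Z 203.0.113.7 campaign=C cost=0.35
2011-04-05T10:15:13Z 203.0.113.7 campaign=D cost=0.15
2011-04-05T10:30:07Z 203.0.113.7 campaign=A cost=0.10
2011-04-05T10:30:08Z 203.0.113.7 campaign=B cost=0.20
2011-04-05T10:30:08Z 203.0.113.7 campaign=C cost=0.35
2011-04-05T10:30:09Z 203.0.113.7 campaign=D cost=0.15
2011-04-05T10:45:15Z 203.0.113.7 campaign=A cost=0.10
2011-04-05T10:45:16Z 203.0.113.7 campaign=B cost=0.20
2011-04-05T10:45:16Z 203.0.113.7 campaign=C cost=0.35
2011-04-05T10:45:17Z 203.0.113.7 campaign=D cost=0.15
2011-04-05T11:20:41Z 198.51.100.9 campaign=B cost=0.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) campaign=(\S+) cost=([0-9.]+)$")


def parse_log(text):
    """Parse the constructed log format into click records; malformed lines are skipped."""
    clicks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        clicks.append({"ts": ts, "ip": m.group(2),
                       "campaign": m.group(3), "cost": float(m.group(4))})
    return clicks


def billable_total(clicks, daily_cap=1):
    """Revenue after the per-IP, per-campaign cap mentioned above: only the first
    `daily_cap` clicks from one IP on one campaign per calendar day are billable."""
    seen = defaultdict(int)
    total = 0.0
    for c in sorted(clicks, key=lambda c: c["ts"]):
        key = (c["ip"], c["campaign"], c["ts"].date())
        seen[key] += 1
        if seen[key] <= daily_cap:
            total += c["cost"]
    return round(total, 2)


def page_visits(clicks, burst_s=10):
    """Group each IP's clicks into page visits: clicks within burst_s seconds of a
    visit's first click are treated as belonging to the same page load."""
    by_ip = defaultdict(list)
    for c in sorted(clicks, key=lambda c: c["ts"]):
        visits = by_ip[c["ip"]]
        if visits and (c["ts"] - visits[-1][0]).total_seconds() <= burst_s:
            visits[-1][1].add(c["campaign"])
        else:
            visits.append((c["ts"], {c["campaign"]}))
    return by_ip


def suspicious_ips(clicks, min_visits=3, min_ads_per_visit=3, max_jitter_s=60):
    """Flag IPs that click (almost) every ad on each visit and return on a
    near-regular schedule, i.e. the spread of the gaps between visits is small.
    A random delay widens the spread, so max_jitter_s is the tunable trade-off."""
    flagged = {}
    for ip, visits in page_visits(clicks).items():
        if len(visits) < min_visits:
            continue
        full_page = all(len(ads) >= min_ads_per_visit for _, ads in visits)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(visits, visits[1:])]
        if full_page and pstdev(gaps) <= max_jitter_s:
            flagged[ip] = {"visits": len(visits),
                           "mean_gap_s": round(sum(gaps) / len(gaps)),
                           "jitter_s": round(pstdev(gaps), 1)}
    return flagged


if __name__ == "__main__":
    clicks = parse_log(SAMPLE_LOG)
    print("billable with cap=1:", billable_total(clicks))
    print("billable uncapped:  ", billable_total(clicks, daily_cap=10**6))
    for ip, info in suspicious_ips(clicks).items():
        print("suspicious:", ip, info)
```

On the constructed log the cap cuts the automated IP's billable value from €3.20 to €0.80 (the per-page figure derived above), while the ordinary visitor is unaffected; the cadence check flags only the automated IP, and relaxing `max_jitter_s` shows how much randomised delay the scheme would need before a stddev-of-gaps test stops catching it.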

Below, we take a closer look at some of the sites we have discovered embedded in the actual code of Trojan.Clickalone.

The above image is a standard search on the bogus Quickfriendfinder.com site. It looks like a normal dating profile search, doesn’t it? Well, it would if it wasn’t for the fact that most of these profiles are found hard-coded inside the Trojan itself. Also, there are only a handful of male and female profiles and the majority of those are also included directly in the Trojan source code. But it is worth mentioning that the appearance of the website is excellent and professionally designed.

The main reason for the professional appearance of the site would probably be to avoid detection by advertisement networks. If someone were to investigate this website for potential fraud, they would see what appears to be a genuinely legitimate website. They may then, perhaps, be fooled into allowing this actual malpractice to continue a little bit longer. Hopefully (from the perspective of the scammers) long enough to generate a sizeable profit.

The genuine appearance of the site may even attract "real" people to register, providing the authors with an even larger IP target audience for the advertisement networks and the site itself, further muddying the waters for anyone trying to investigate it.

Luckily, the Trojan code provides an insight into how this process works, including references to other similar sites and thus giving a clearer overall picture of the goals of the creators of the threat. Without this insight, it might have been possible for these "professional" scam sites to exist unnoticed for an extended period of time. The following sites are directly connected and comprise a group of fake dating/social network/blog websites:

  • Gaydate4u.com (inaccessible at the time of writing)
  • Hotguysandgirls.co.za
  • Hotlove.bg
  • Michona.com
  • Randevu.us

A quick look at Michona.com reveals that the top profiles are either identical twins with a hive mind or else they are just artificially created:

Note that the users all created their profile at the same time, as well as having the same height, same activity date, and same basic profile setup. The pictures, however, are also found on Randevu.us – another Trojan fake dating website – and presumably more sites too. It all points to quite an elaborate, ongoing, and lucrative click fraud scam.
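The indicators in the last two paragraphs (profiles created at the same moment with the same height and activity date, and photos reused across sites) can be turned into a cross-site consistency check. The following Python is an added example, not Symantec's tooling or anything from the sites named above; the profile records, site names and photo bytes are constructed, and a real investigation would feed it scraped profiles instead.

```python
import hashlib
from collections import defaultdict

# Constructed profile records, as an investigator might collect them from
# several of the sites. "photo" stands in for the downloaded image bytes.
# Three site-a profiles share a creation time, height and activity date and
# two of their photos reappear on site-b under different names.
PROFILES = [
    {"site": "site-a.example", "user": "anna1", "created": "2010-11-02T09:14",
     "height_cm": 170, "last_active": "2011-03-30", "photo": b"jpeg-bytes-1"},
    {"site": "site-a.example", "user": "maria7", "created": "2010-11-02T09:14",
     "height_cm": 170, "last_active": "2011-03-30", "photo": b"jpeg-bytes-2"},
    {"site": "site-a.example", "user": "lena22", "created": "2010-11-02T09:14",
     "height_cm": 170, "last_active": "2011-03-30", "photo": b"jpeg-bytes-3"},
    {"site": "site-a.example", "user": "realjoe", "created": "2011-01-17T20:41",
     "height_cm": 182, "last_active": "2011-04-01", "photo": b"jpeg-bytes-9"},
    {"site": "site-b.example", "user": "anja", "created": "2010-12-05T11:00",
     "height_cm": 170, "last_active": "2011-03-29", "photo": b"jpeg-bytes-1"},
    {"site": "site-b.example", "user": "mia", "created": "2010-12-05T11:00",
     "height_cm": 170, "last_active": "2011-03-29", "photo": b"jpeg-bytes-2"},
]


def photo_fingerprint(data):
    """Exact-match fingerprint of an image. A perceptual hash would also catch
    resized or re-encoded copies; exact reuse is what the article observed."""
    return hashlib.sha256(data).hexdigest()


def batch_created_profiles(profiles, min_size=3):
    """Profiles on one site that share creation time, height and last-activity
    date: the 'hive mind' signature of profiles generated in a single batch."""
    groups = defaultdict(list)
    for p in profiles:
        key = (p["site"], p["created"], p["height_cm"], p["last_active"])
        groups[key].append(p["user"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def photos_reused_across_sites(profiles):
    """Photo fingerprints that appear on more than one site, with the
    (site, user) pairs that use each one."""
    where = defaultdict(set)
    for p in profiles:
        where[photo_fingerprint(p["photo"])].add((p["site"], p["user"]))
    return {h: sorted(v) for h, v in where.items()
            if len({site for site, _ in v}) >= 2}


if __name__ == "__main__":
    for key, users in batch_created_profiles(PROFILES).items():
        print("batch-created on", key[0], "at", key[1], ":", users)
    for fp, uses in photos_reused_across_sites(PROFILES).items():
        print("photo", fp[:12], "reused by", uses)
```

Run against the constructed records it reports one batch of three site-a profiles and two photos shared between site-a and site-b; neither check on its own is proof, but a site where most profiles fall into such batches and share photos with another domain is the pattern described in this post.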