Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two


By Dancho Danchev

The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem.

Through blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or direct impersonation of popular brands in spam/phishing campaigns, traffic is sold and resold on a daily basis to achieve a customer’s or a seller’s fraudulent/malicious objectives, and is then most commonly converted into malware-infected hosts.

In this post, I’ll profile two cybercrime-friendly iFrame traffic exchanges, with the second ‘vertically integrating’ by also offering spamming services, as well as services violating YouTube’s ToS (Terms of Service) such as likes, comments, views, favorites and subscribers on demand, with an emphasis on the most common ways through which a potential cybercriminal can abuse any such traffic exchange network.


Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity


By Dancho Danchev

Throughout the last couple of years, the persistent demand for geolocated traffic coming from both legitimate traffic exchanges or purely malicious ones — think traffic acquisition through illegally embedded iFrames — has been contributing to the growing market segment where traffic is bought, sold and re-sold, for the sole purpose of monetizing it through illegal means.

The ultimate objective? Expose users visiting compromised, or blackhat SEO-friendly automatically generated sites with bogus content, to fraudulent or malicious content in the form of impersonations of legitimate Web sites seeking account data, or client-side exploits silently served in an attempt to have an undetected piece of malware dropped on their hosts.

A recently spotted cybercrime-friendly underground traffic exchange service empowers cybercriminals with advanced targeting capabilities on a per-browser-version basis, applies QA (Quality Assurance) to check their fraudulent/malicious domains against the most popular community/commercial URL blacklists, and, ‘naturally’, we found evidence that it has already been used to serve client-side exploits to unsuspecting users.


117,000 unique U.S. visitors offered for malware conversion


By Dancho Danchev

In 2012 it’s becoming increasingly common for cybercriminals to apply basic quality assurance (QA) tactics to their campaigns. Next to QA, they also emphasize campaign optimization strategies allowing them to harness the full potential of the malicious campaign.

Recently, I came across an underground forum advertisement selling access to 117,000 unique U.S. visitors — stats gathered over a period of 8 hours — for the purpose of redirecting them to a Blackhole web malware exploitation kit landing URL. The traffic aggregation, taking place through black hat SEO (search engine optimization), is aiming to exploit a group of users known to have high purchasing power, namely, American citizens.

Are such underground market propositions offering traffic exchange deals gaining popularity, or are they just a fad? What’s the infection rate for 117,000 U.S.-based users redirected to a Blackhole exploit-serving landing URL? Let’s find out.
