Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Zero-Day Alerts

  • Hacking Team Leak

  • Recent Posts

  • Calendar

    July 2015
    S M T W T F S
    « Jun    
  • Email Subscription

  • About Us

    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    In this blog post, we present concrete evidence that the recent compromise of Dutch certification authority DigiNotar was used to spy on Iranian Internet users on a large scale.

    We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack.

    Rogue SSL Certificates for Man-in-the-Middle Attacks

    SSL certificates are used for secure Web sessions like Internet banking and Google’s Gmail. Certification authorities issue and check the authenticity of SSL certificates. In July 2011, hackers managed to create rogue SSL certificates for hundreds of domain names, including and even the entire .com top-level domain by breaking into the systems of certification authority DigiNotar in the Netherlands. This is very dangerous, as these rogue SSL certificates can be used in man-in-the-middle attacks wherein encrypted secure Web traffic can be read by a third party.

    On August 29, 2011, the rogue SSL certificate issued by DigiNotar was discovered. This rogue certificate makes snooping on Gmail traffic possible in man-in-the-middle attacks. Trend Micro has concrete evidence that these man-in-the-middle attacks indeed happened in Iran on a large scale.

    Our evidence is based on data that the Trend Micro Smart Protection Network has collected over time. The Trend Micro Smart Protection Network constantly analyzes data from the feedback of millions of customers around the world, including what domain names are accessed from which parts at a particular time. This feedback data makes it possible to protect against newly seen attack vectors in the blink of an eye.

    Read the rest of this entry »


    The WikiLeaks main domain,, currently redirects to The latter site is hosted on IP address registered to Heihachi Ltd. Heihachi Ltd. is known as a bulletproof, blackhat-hosting provider in Russia that is a safe haven for criminals and fraudsters. It hosts a long list of criminally related domains. Among these domains are banking fraud domains, carders’ (criminals who trade stolen credit card information) websites, malware sites, and phishing sites. No matter what your political view is, this is rather disturbing.

    We at Trend Micro are committed to protecting our customers against threats on the Internet. The Trend Micro™ Smart Protection Network™ automatically assigns a very low reputation score to domain name not because of political controversy but because of actual facts about the bad neighborhood where this domain name is hosted. To give you an idea, here are some illustrious neighbors:,, (phishing), and

    We don’t know whether has perhaps been compromised or whether WikiLeaks is knowingly getting services from a blackhat provider. Either way, we assess the domain as highly risky and we do not recommend visiting this site as long as it is hosted by Heihachi Ltd.


    A group of hackers recently published detailed information from an underground credit card company. On July 23, an anonymous group claimed to have compromised a server of an online credit card processor company. At that time, however, the extent of the compromise was unclear. Looking at the data that was published leads us to believe that the compromise is very plausible.

    Click for larger view

    The leaked data includes employee emails as well as recorded phone calls. A particular recorded conversation discussed the various ways of defrauding major credit card companies. Another conversation discussed Fethard, a payment service that allows anonymous payments to be made and that is often associated with money laundering and other cybercriminal activities.

    Furthermore, there are assumptions that one of the people behind the credit card processor company also serves as one of the Fethard’s owners. He has likewise been associated with a spam forum called In 2007, a large sum of money disappeared from Fethard’s funds. This has undoubtedly created problems for Fethard and has possibly pulled the mother company deeper into the cybercrime business.

    The compromised credit card company that functions as Fethard’s mother company is infamous for processing payments for FAKEAV, pharmaceuticals on spam sites, extreme pornography, and cheap MP3s. Its official headquarters is in Amsterdam in the Netherlands. However, it only has a handful of Dutch employees and the actual work is done in Russia and Latvia. The company has legitimate customers in Russia as well.

    This hacking incident would probably make a lot of cybercriminals nervous. Unfortunately, the incident also puts the personal data of legitimate customers and of many ordinary Russians at risk.

    Special thanks to all threat researchers for additional information in this post.


    This is the second part of a two-part series on browser hijacking. The first part may be found here.

    Not all traffic brokers are as unscrupulous as Onwa Ltd. Legitimate traffic brokers, however, have to be fooled into thinking that they are dealing with a legitimate party. To do this, rogue traffic brokers like Onwa Ltd. often set up a website that suggests that the broker has been running a legitimate business for a long period of time. Fake search websites are set up. These fake search websites are supposed to drive real user traffic whereas, in reality, these only form intermediary steps for click-fraud from botnets.

    As these fake search engines do not get normal visitors and as advertisers may notice this, their Alexa rankings are sometimes artificially increased. This is done by bots that automatically access Alexa URLs that determine the number of visits to a site. In addition, rogue traffic brokers often split up fraudulent traffic into smaller parts so that it looks like the traffic is coming from many different sources whereas, in reality, the vast majority of the clicks come from only a handful of botnets. If an upstream traffic buyer detects fraud, the rogue traffic broker can put the blame on a rogue affiliate and can filter one of the feeds. The cybercriminal group will thus lose only a small part of its revenue instead of losing everything.

    Browser hijackers are a noisy type of malware. Victims will soon notice that something is wrong once they see unexpected redirections. Therefore, the average life expectancy of the bots is relatively low. Figure 1 shows the life expectancy of a single bot based on historical data we were able to collect. In this case, the life expectancy of any single bot typically fluctuates between 6 and 12 days.

    To keep the size of the botnet intact, the bot herders need to constantly infect new systems. Figure 2 shows the number of new systems added to the botnet discussed here every day. Tens of thousands of new systems are infected daily. More than 2 million computers have been infected with the browser hijacker so far this year and we expect this number to reach 4 million by the end of this year.

    The browser hijackers we have been looking at come with an additional DNS changer component that changes a system’s DNS settings to point to foreign servers. The DNS servers used are hard-coded into the malware. We found that every day, the gang spreads a new malware sample that changes systems’ DNS settings to a unique pair of foreign servers.

    These servers start to resolve domain names to malicious IP addresses only after a machine has been infected for about a week. We believe that this is an attempt to extend the life span of the bots. When the browser hijacker component is removed from an infected computer, the DNS changer may still be present so the bot can still be used to hijack traffic with DNS tricks. The life span of the bots thus gets significantly enhanced.

    We expect browser hijackers to become more advanced and resilient in the future. Advanced tricks like replacing legitimate ads with foreign ones already exist today. The botnet discussed in this blog replaces Double Click ads with Clicksor ads once the rogue DNS component is activated. This is a form of stealth click-fraud that is difficult to detect on Double Click’s part. However, in this case, we believe there is no intermediate party between Clicksor and the cybercrime gang. We believe Clicksor should be able to detect this fraud. However, if rogue middlemen are used, detecting this becomes much more difficult.

    For users concerned about browser attacks, our free tool—Trend Micro Browser Guard—can be downloaded from

    Posted in Botnets | Comments Off on Making a Million, Part Two—The Scale of the Threat

    Most cybercrime gangs are not interested in just making a quick profit or in retiring early. They treat cybercrime as a serious and lucrative business venture and are happy to patiently expand their criminal networks while trying to hide their malicious activities from the rest of the world. In this blog post, we discuss how a criminal network may earn just a couple of dollars from each victim. However, by victimizing many users, it can earn millions of dollars in profit annually. These activities are based on a business model that involves rogue traffic brokers and defrauding reputable brand names.

    The networks these cybercriminals use can consist of more than 100 servers that are hosted in various data centers around the world. Some Internet gangs have millions of dollars in liquid assets, which enables them to make substantial investments in new criminal activities that promise huge returns. The collateral damage their activities cause is thus huge.

    Figure 1 shows the size of a particular botnet between March 2010 and the end of July 2010. As shown, the botnet’s size has fluctuated over time; it currently comprises around 150,000 bots. This is not a huge botnet but it still generates multimillion dollars in revenue per year.

    Browser hijacker Trojans refer to a family of malware that redirects their victims away from the sites they want to visit. In particular, search engine results are often hijacked by this type of malware. A search on popular search engines like Google, Yahoo!, or Bing still works as usual. However, once victims click a search result or a sponsored link, they are instead directed to a foreign site so the hijacker can monetize their clicks.

    Browser hijackers are popular because search result clicks convert well. It is a lucrative and an easy way to capitalize on the success of legitimate search engines. With a network of 150,000 bots, gangs can make several millions of U.S. dollars every year from hijacking search results alone. The price per stolen click strongly depends on the keywords used. We have seen an average of US$0.01–0.02 per click although this rises to more than US$2 dollars for words or phrases like “home-based business opportunities” or “loans.” For the earnings of a hijacking botnet that has hijacked more than 1 million clicks in one day—July 20, 2010—see the chart below.

    To monetize the stolen clicks, the hijacker usually sells the fraudulent clicks collected to a traffic broker. This broker resells the traffic again to legitimate parties like Yahoo!, Google, or For example, we have seen that Yahoo! search result clicks were resold back to Yahoo! via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart.

    Selling stolen traffic to legitimate parties like Google, Overture (Yahoo!), or LookSmart is not trivial, however, as these companies have advanced tools to detect fraud. Therefore, most traffic hijackers make use of a broker, which collaborates with them to optimize their traffic feeds and to find the best buyers. Some traffic brokers can’t be trusted and are part of fraudulent schemes themselves. For example, a traffic broker called “Onwa Ltd.” based out of St. Petersburg in Russia must have full knowledge of the fraudulent nature of the traffic it resells. This is because the broker writes and sells back-end software for obscure, fake search engines that form a facade for click-fraud. (Onwa Ltd. also has shell companies in the United Kingdom and Seychelles.) See figure 2 for an example.

    Click for larger view

    In addition, Onwa Ltd. has also set up its own infrastructure for spoofed Google websites. This particular broker has been around since at least 2005 and, possibly, even as early as 2003. The other company names this group uses include “Uttersearch,” “RBTechgroup,” and “Crossnets.” One of their corporate pages is shown in Figure 3.

    Click for larger view

    This is the first part of a two-part series on browser hijacking. Part Two, entitled “The Scale of the Threat,” may be found here.

    Posted in Botnets | Comments Off on Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice