Most cybercrime gangs are not interested in just making a quick profit or in retiring early. They treat cybercrime as a serious and lucrative business venture and are happy to patiently expand their criminal networks while trying to hide their malicious activities from the rest of the world. In this blog post, we discuss how a criminal network may earn just a couple of dollars from each victim. However, by victimizing many users, it can earn millions of dollars in profit annually. These activities are based on a business model that involves rogue traffic brokers and defrauding reputable brand names.
The networks these cybercriminals use can consist of more than 100 servers that are hosted in various data centers around the world. Some Internet gangs have millions of dollars in liquid assets, which enables them to make substantial investments in new criminal activities that promise huge returns. The collateral damage their activities cause is thus huge.
Figure 1 shows the size of a particular botnet between March 2010 and the end of July 2010. As shown, the botnet’s size has fluctuated over time; it currently comprises around 150,000 bots. This is not a huge botnet, but it still generates several million dollars in revenue per year.
Browser hijacker Trojans refer to a family of malware that redirects their victims away from the sites they want to visit. In particular, search engine results are often hijacked by this type of malware. A search on popular search engines like Google, Yahoo!, or Bing still works as usual. However, once victims click a search result or a sponsored link, they are instead directed to a foreign site so the hijacker can monetize their clicks.
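The redirect pattern described above (search works normally, the click on a result is routed through a foreign host) is visible from the defender's side in web proxy logs. The following is an added example, not code from the original post: it parses a constructed tab-separated proxy log and flags hosts that answer search-engine-referred requests with an HTTP redirect for several clients across several search engines. The log format, the field order and every hostname other than the search engines are constructed placeholders.

```python
"""Flag search-result clicks that hop through an unexpected redirector.

Added example, not part of the original post. It assumes a proxy log in a
constructed tab-separated format: timestamp, client IP, HTTP status,
requested URL, Referer ("-" when absent). Non-search hostnames are
constructed placeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Search engine result pages whose clicks a hijacker typically intercepts.
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# Constructed sample log: one normal click (10.0.0.9) and two hijacked clicks
# (10.0.0.5 and 10.0.0.7) that pass through a 302 redirector before landing
# on the advertiser's site.
SAMPLE_LOG = """\
2010-07-20T10:00:01\t10.0.0.5\t200\thttp://www.google.com/search?q=loans\t-
2010-07-20T10:00:04\t10.0.0.5\t302\thttp://redirector.example/go?q=loans\thttp://www.google.com/search?q=loans
2010-07-20T10:00:05\t10.0.0.5\t200\thttp://lender.example/apply\thttp://redirector.example/go?q=loans
2010-07-20T10:01:10\t10.0.0.9\t200\thttp://search.yahoo.com/search?p=shoes\t-
2010-07-20T10:01:12\t10.0.0.9\t200\thttp://shoes.example/\thttp://search.yahoo.com/search?p=shoes
2010-07-20T10:02:30\t10.0.0.7\t200\thttp://www.bing.com/search?q=loans\t-
2010-07-20T10:02:33\t10.0.0.7\t302\thttp://redirector.example/go?q=loans\thttp://www.bing.com/search?q=loans
2010-07-20T10:02:34\t10.0.0.7\t200\thttp://lender.example/apply\thttp://redirector.example/go?q=loans
"""


def parse_log(text):
    """Yield (timestamp, client, status, host, referer_host) for each log line."""
    for line in text.splitlines():
        ts, client, status, url, referer = line.split("\t")
        host = urlparse(url).hostname
        ref_host = urlparse(referer).hostname if referer != "-" else None
        yield ts, client, int(status), host, ref_host


def find_redirectors(text):
    """Return {host: {"clients": set, "engines": set}} for every non-search host
    that answered a request referred by a search result page with a 3xx."""
    seen = defaultdict(lambda: {"clients": set(), "engines": set()})
    for _ts, client, status, host, ref_host in parse_log(text):
        if ref_host in SEARCH_HOSTS and host not in SEARCH_HOSTS and 300 <= status < 400:
            seen[host]["clients"].add(client)
            seen[host]["engines"].add(ref_host)
    return dict(seen)


def suspicious_redirectors(text, min_clients=2, min_engines=2):
    """Hosts that redirect search clicks for several clients and several
    engines: a single user's odd click is noise, the same hop appearing across
    Google, Yahoo! and Bing for many clients is the hijacker's monetization path."""
    return sorted(
        host
        for host, d in find_redirectors(text).items()
        if len(d["clients"]) >= min_clients and len(d["engines"]) >= min_engines
    )


if __name__ == "__main__":
    for host in suspicious_redirectors(SAMPLE_LOG):
        print("possible click hijack redirector:", host)
```

Legitimate sponsored links also pass through the search engine's own click-tracking hosts, so in practice those known ad redirectors should be allow-listed alongside `SEARCH_HOSTS` before the remaining hits are treated as hijack candidates; the clients behind a flagged host are the machines to inspect for the Trojan.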
Browser hijackers are popular because search result clicks convert well. It is a lucrative and easy way to capitalize on the success of legitimate search engines. With a network of 150,000 bots, gangs can make several million U.S. dollars every year from hijacking search results alone. The price per stolen click strongly depends on the keywords used. We have seen an average of US$0.01–0.02 per click, although this rises to more than US$2 for words or phrases like “home-based business opportunities” or “loans.” For the earnings of a hijacking botnet that hijacked more than 1 million clicks in one day—July 20, 2010—see the chart below.
To monetize the stolen clicks, the hijacker usually sells the fraudulent clicks collected to a traffic broker. This broker resells the traffic again to legitimate parties like Yahoo!, Google, or Ask.com. For example, we have seen that Yahoo! search result clicks were resold back to Yahoo! via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart.
Selling stolen traffic to legitimate parties like Google, Overture (Yahoo!), or LookSmart is not trivial, however, as these companies have advanced tools to detect fraud. Therefore, most traffic hijackers make use of a broker, which collaborates with them to optimize their traffic feeds and to find the best buyers. Some traffic brokers can’t be trusted and are part of fraudulent schemes themselves. For example, a traffic broker called “Onwa Ltd.” based out of St. Petersburg in Russia must have full knowledge of the fraudulent nature of the traffic it resells, because the broker writes and sells back-end software for obscure, fake search engines that form a facade for click fraud. (Onwa Ltd. also has shell companies in the United Kingdom and Seychelles.) See Figure 2 for an example.
In addition, Onwa Ltd. has set up its own infrastructure for spoofed Google websites. This particular broker has been around since at least 2005 and possibly as early as 2003. Other company names this group uses include “Uttersearch,” “RBTechgroup,” and “Crossnets.” One of their corporate pages is shown in Figure 3.
This is the first part of a two-part series on browser hijacking. Part Two, entitled “The Scale of the Threat,” may be found here.