    TrendLabs Security Intelligence Blog

    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    The WikiLeaks main domain,, currently redirects to The latter site is hosted on IP address registered to Heihachi Ltd. Heihachi Ltd. is known as a bulletproof, blackhat-hosting provider in Russia that is a safe haven for criminals and fraudsters. It hosts a long list of criminally related domains. Among these domains are banking fraud domains, carders’ (criminals who trade stolen credit card information) websites, malware sites, and phishing sites. No matter what your political view is, this is rather disturbing.

    We at Trend Micro are committed to protecting our customers against threats on the Internet. The Trend Micro™ Smart Protection Network™ automatically assigns a very low reputation score to domain name not because of political controversy but because of actual facts about the bad neighborhood where this domain name is hosted. To give you an idea, here are some illustrious neighbors:,, (phishing), and

    We don’t know whether has perhaps been compromised or whether WikiLeaks is knowingly getting services from a blackhat provider. Either way, we assess the domain as highly risky and we do not recommend visiting this site as long as it is hosted by Heihachi Ltd.


    A group of hackers recently published detailed information from an underground credit card company. On July 23, an anonymous group claimed to have compromised a server of an online credit card processor company. At that time, however, the extent of the compromise was unclear. Looking at the data that was published leads us to believe that the compromise is very plausible.


    The leaked data includes employee emails as well as recorded phone calls. A particular recorded conversation discussed the various ways of defrauding major credit card companies. Another conversation discussed Fethard, a payment service that allows anonymous payments to be made and that is often associated with money laundering and other cybercriminal activities.

    Furthermore, there are assumptions that one of the people behind the credit card processor company also serves as one of Fethard’s owners. He has likewise been associated with a spam forum called In 2007, a large sum of money disappeared from Fethard’s funds. This has undoubtedly created problems for Fethard and has possibly pulled the mother company deeper into the cybercrime business.

    The compromised credit card company that functions as Fethard’s mother company is infamous for processing payments for FAKEAV, pharmaceuticals on spam sites, extreme pornography, and cheap MP3s. Its official headquarters is in Amsterdam in the Netherlands. However, it only has a handful of Dutch employees and the actual work is done in Russia and Latvia. The company has legitimate customers in Russia as well.

    This hacking incident would probably make a lot of cybercriminals nervous. Unfortunately, the incident also puts the personal data of legitimate customers and of many ordinary Russians at risk.

    Special thanks to all threat researchers for additional information in this post.


    This is the second part of a two-part series on browser hijacking. The first part may be found here.

    Not all traffic brokers are as unscrupulous as Onwa Ltd. Legitimate traffic brokers, however, have to be fooled into thinking that they are dealing with a legitimate party. To do this, rogue traffic brokers like Onwa Ltd. often set up a website that suggests that the broker has been running a legitimate business for a long period of time. Fake search websites are set up. These fake search websites are supposed to drive real user traffic whereas, in reality, these only form intermediary steps for click-fraud from botnets.

    As these fake search engines do not get normal visitors and as advertisers may notice this, their Alexa rankings are sometimes artificially increased. This is done by bots that automatically access Alexa URLs that determine the number of visits to a site. In addition, rogue traffic brokers often split up fraudulent traffic into smaller parts so that it looks like the traffic is coming from many different sources whereas, in reality, the vast majority of the clicks come from only a handful of botnets. If an upstream traffic buyer detects fraud, the rogue traffic broker can put the blame on a rogue affiliate and can filter one of the feeds. The cybercriminal group will thus lose only a small part of its revenue instead of losing everything.

    Browser hijackers are a noisy type of malware. Victims will soon notice that something is wrong once they see unexpected redirections. Therefore, the average life expectancy of the bots is relatively low. Figure 1 shows the life expectancy of a single bot based on historical data we were able to collect. In this case, the life expectancy of any single bot typically fluctuates between 6 and 12 days.

    To keep the size of the botnet intact, the bot herders need to constantly infect new systems. Figure 2 shows the number of new systems added to the botnet discussed here every day. Tens of thousands of new systems are infected daily. More than 2 million computers have been infected with the browser hijacker so far this year and we expect this number to reach 4 million by the end of this year.

    The browser hijackers we have been looking at come with an additional DNS changer component that changes a system’s DNS settings to point to foreign servers. The DNS servers used are hard-coded into the malware. We found that every day, the gang spreads a new malware sample that changes systems’ DNS settings to a unique pair of foreign servers.

    These servers start to resolve domain names to malicious IP addresses only after a machine has been infected for about a week. We believe that this is an attempt to extend the life span of the bots. When the browser hijacker component is removed from an infected computer, the DNS changer may still be present so the bot can still be used to hijack traffic with DNS tricks. The life span of the bots thus gets significantly enhanced.
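An added example (not from the original post or from Trend Micro tooling): because the rogue servers answer honestly for about a week, comparing DNS answers misses dormant infections, so this check audits the configured resolvers instead and groups hosts by the unapproved pair they share, which clusters them by daily sample. The inventory format, host names and approved ranges are assumptions, and all addresses are constructed documentation values.

```python
import ipaddress
from collections import defaultdict

# Assumption: the resolvers this organisation actually operates.
APPROVED = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]

# Constructed inventory, one record per host: "host<TAB>dns1,dns2".
INVENTORY = (
    "ws-001\t10.0.0.10,10.0.0.11\n"
    "ws-002\t198.51.100.7,198.51.100.8\n"
    "ws-003\t10.0.0.10,192.0.2.53\n"
    "ws-004\t198.51.100.7,198.51.100.8\n"
    "ws-005\t203.0.113.21,203.0.113.22\n"
    "ws-006\t10.0.0.10,not-an-ip\n"
)


def is_approved(addr):
    """True if the address falls inside any approved resolver range."""
    return any(addr in net for net in APPROVED)


def audit(inventory_text):
    """Return (clusters, malformed).

    clusters maps a sorted tuple of unapproved resolvers to the hosts
    configured with them; malformed lists hosts whose record did not parse.
    """
    clusters = defaultdict(list)
    malformed = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, servers = line.partition("\t")
        try:
            addrs = [ipaddress.ip_address(s.strip()) for s in servers.split(",")]
        except ValueError:
            malformed.append(host)  # unparseable data is reported, not ignored
            continue
        rogue = tuple(sorted(str(a) for a in addrs if not is_approved(a)))
        if rogue:
            clusters[rogue].append(host)
    return {pair: sorted(hosts) for pair, hosts in clusters.items()}, malformed


if __name__ == "__main__":
    found, bad = audit(INVENTORY)
    for pair, hosts in found.items():
        print(f"unapproved resolvers {pair}: {', '.join(hosts)}")
    print("unparsed records:", bad)
```

Hosts that share an unapproved pair most likely received the same daily sample, which helps scope cleanup; the resolver settings need resetting even where the hijacker component has already been removed.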

    We expect browser hijackers to become more advanced and resilient in the future. Advanced tricks like replacing legitimate ads with foreign ones already exist today. The botnet discussed in this blog replaces DoubleClick ads with Clicksor ads once the rogue DNS component is activated. This is a form of stealth click-fraud that is difficult to detect on DoubleClick’s part. However, in this case, we believe there is no intermediate party between Clicksor and the cybercrime gang. We believe Clicksor should be able to detect this fraud. However, if rogue middlemen are used, detecting this becomes much more difficult.

    For users concerned about browser attacks, our free tool—Trend Micro Browser Guard—can be downloaded from


    Most cybercrime gangs are not interested in just making a quick profit or in retiring early. They treat cybercrime as a serious and lucrative business venture and are happy to patiently expand their criminal networks while trying to hide their malicious activities from the rest of the world. In this blog post, we discuss how a criminal network may earn just a couple of dollars from each victim. However, by victimizing many users, it can earn millions of dollars in profit annually. These activities are based on a business model that involves rogue traffic brokers and defrauding reputable brand names.

    The networks these cybercriminals use can consist of more than 100 servers that are hosted in various data centers around the world. Some Internet gangs have millions of dollars in liquid assets, which enables them to make substantial investments in new criminal activities that promise huge returns. The collateral damage their activities cause is thus huge.

    Figure 1 shows the size of a particular botnet between March 2010 and the end of July 2010. As shown, the botnet’s size has fluctuated over time; it currently comprises around 150,000 bots. This is not a huge botnet but it still generates multimillion-dollar revenue per year.

    Browser hijacker Trojans refer to a family of malware that redirects their victims away from the sites they want to visit. In particular, search engine results are often hijacked by this type of malware. A search on popular search engines like Google, Yahoo!, or Bing still works as usual. However, once victims click a search result or a sponsored link, they are instead directed to a foreign site so the hijacker can monetize their clicks.

    Browser hijackers are popular because search result clicks convert well. It is a lucrative and easy way to capitalize on the success of legitimate search engines. With a network of 150,000 bots, gangs can make several millions of U.S. dollars every year from hijacking search results alone. The price per stolen click strongly depends on the keywords used. We have seen an average of US$0.01–0.02 per click although this rises to more than US$2 for words or phrases like “home-based business opportunities” or “loans.” For the earnings of a hijacking botnet that has hijacked more than 1 million clicks in one day—July 20, 2010—see the chart below.

    To monetize the stolen clicks, the hijacker usually sells the fraudulent clicks collected to a traffic broker. This broker resells the traffic again to legitimate parties like Yahoo!, Google, or For example, we have seen that Yahoo! search result clicks were resold back to Yahoo! via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart.

    Selling stolen traffic to legitimate parties like Google, Overture (Yahoo!), or LookSmart is not trivial, however, as these companies have advanced tools to detect fraud. Therefore, most traffic hijackers make use of a broker, which collaborates with them to optimize their traffic feeds and to find the best buyers. Some traffic brokers can’t be trusted and are part of fraudulent schemes themselves. For example, a traffic broker called “Onwa Ltd.” based out of St. Petersburg in Russia must have full knowledge of the fraudulent nature of the traffic it resells. This is because the broker writes and sells back-end software for obscure, fake search engines that form a facade for click-fraud. (Onwa Ltd. also has shell companies in the United Kingdom and Seychelles.) See figure 2 for an example.


    In addition, Onwa Ltd. has also set up its own infrastructure for spoofed Google websites. This particular broker has been around since at least 2005 and, possibly, even as early as 2003. The other company names this group uses include “Uttersearch,” “RBTechgroup,” and “Crossnets.” One of their corporate pages is shown in Figure 3.


    This is the first part of a two-part series on browser hijacking. Part Two, entitled “The Scale of the Threat,” may be found here.


    Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.

    In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses many daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly draw heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts.

    Some of the larger daughter companies survived up to 5 years, but were dismantled after they lost Internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation.

    This dealt a major blow to the criminal operation. However, it quickly recovered and immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has a presence. Besides this, the company owns two networks in the United States.

    We gathered detailed data on the cybercrime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing 1,800,000 Internet users were exposed to bogus “you are infected” messages in July 2009 when they tried to access high-traffic pornography sites.


    For a detailed analysis, please read our whitepaper: A Cybercrime Hub available at TrendWatch.


