Koobface Gang Redirects Web Traffic To Fuel Pay-per-Click Profits

The group behind the Koobface is back, and they are reinventing themselves to take advantage of pay-per-click advertising, according to Trend Micro.

The Koobface developers updated their botnet framework with a “sophisticated” traffic-direction system (TDS) that handles traffic referenced to their affiliate sites, Trend Micro researchers reported. They have also added components to help increase the amount of Internet traffic, “which translates to even bigger profit”, wrote Jonell Baltazar, senior threat researcher at Trend Micro, on the company’s TrendLabs Malware Blog.

It appears that the TDS may also be offered as a service to others, according to Trend Micro.

Re-routing through ad sites

The TDS re-routes traffic to advertising sites from which they earn referral money or to several of their affiliate sites. Websites relying on referrals from advertising and affiliate sites earn more money when overall Internet traffic to their sites increases, according to Baltazar.

“TDS creation definitely provided the Koobface gang a means to more efficiently target celebrity fans, online daters, casual porn surfers and car enthusiasts,” said Baltazar.

The group created and registered email addresses using Yahoo’s free Webmail service, according to Trend Micro. With these email addresses, they could then generate new accounts on Google and various social-networking sites, such as Twitter, Tumblr and Blogger. The domains for the various blogs contained words such as “news” or “2011 news”, and contained blog posts with pictures of celebrities, weddings, tattoos and cars culled from Google’s image search, according to Trend Micro.

Links to these posts were shared on various social networks to encourage people to click and view the fake blog content. TDS tracks the number of visits coming from various links around the Web and redirects users to other affiliate sites. The botnet makes money from the clicks victims make while browsing, as well as from the total traffic generated, according to Baltazar.

The Koobface gang also actively spread related keywords on the Web to promote the blog posts. “The Koobface gang is clearly still up to no good and will most probably continue victimising users,” Baltazar said.

Profitable diversions

The group is thought to have made more than $2 million (£1.3m) between June 2009 and June 2010 through pay-per-click and pay-per-install affiliate programmes pushing fake antivirus software onto unsuspecting users, according to Information Warrior Monitor (IWM), a joint venture backed by researchers from the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University Toronto.

When unsuspecting users clicked on a Koobface link, they were redirected to one of the provided advertisement links instead of their intended destination, IWM researchers wrote in their whitepaper last fall.

Koobface was first spotted in December 2008, and has been making the rounds on Facebook, MySpace and Twitter. As the malware proliferated, the operators of the botnet kept building new countermeasures to stay a step ahead of security researchers; these measures included a “banlist” of IP addresses that are forbidden from accessing Koobface servers and a tool to ensure the most updated versions of the malware was running.

The operators also monitored their links with the Google Safe Browsing API to check whether the URLs have been flagged as being malicious, and collected statistics such as the number of malware installations and the speed and availability of the Web servers hosting their landing pages, IMW found.