FFSearcher: A Stealthy Evolution in Click Fraud

Every so often, a new piece of malicious software comes along that introduces a subtle yet evolutionary technological leap, a quickly-mimicked shift that allows cyber crooks to be far more stealthy in plying their trade. According to research released last week, this happened most recently in the realm of click fraud, a rapidly growing problem that inflates online advertising costs for legitimate companies and ad networks. For years, hackers have used malicious software to perpetrate click fraud by hijacking the results displayed when users search for something online. The trouble is, these scams can be rather clumsy: Victims often figure out pretty quickly that something is wrong, usually because their searches are redirected to an unfamiliar search portal, as opposed to their regular default search provider. But a new Trojan horse program being distributed by tens of thousands of recently hacked Web sites hijacks search results so that Google.com users can scarcely tell that their Web searches are being funneled through third-party sites. Earlier this month, security experts at Websense warned that some 40,000 Web sites were hacked and seeded with code that bombards a visitor's PC with a virtual kitchen sink worth of browser exploits, all in an effort to install a Trojan horse program. Websense named this mass compromise "Nine-Ball," and the Trojan dropped on victimized PCs was thought to install a range of malicious software. Joe Stewart, director of malware research at SecureWorks, an Atlanta-based computer security firm, has found among the malware installed by the Nine-Ball Trojan was a click fraud Trojan that SecureWorks has nicknamed "FFsearcher," after one of the Web sites used in the scam (ffsearcher.com). According to Stewart, FFSearcher is capable of hijacking Google search engine results on both Internet Explorer and Firefox browsers. It takes advantage of Google's "Adsense for Search," application programming interface (API), which allows Web sites to embed Google search results alongside the usual Google AdSense ads. This Google Custom Search widget is used by tens of thousands of legitimate sites to generate ad revenue. For instance, let's say example.com uses this widget on its site, and someone browsing that site uses the built-in widget to search for some content. If that visitor then happens to click one of the ads displayed in the embedded search results, example.com will earn a small sum of money for that referral. Stewart said the authors of FFSearcher realized they could use a Trojan to convert every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site). The beauty of this form of click fraud is that it is largely invisible to the victim: The search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay. "The attackers have worked out this clever scheme where they can force Google to shell out commissions they shouldn't have to," Stewart said. "They're giving the user exactly what Google would have given him, but the attackers are also able to skim a little off of Google's Adsense program in the process." Stewart said one of the few giveaways for the victim is that the hijacked results page does not display the total number of pages that contain the word or phrase for which the victim is searching. Yet, while victims may never get wise to the fact that their search results are being intercepted, other infections may alert the victim that something isn't right: FFSearcher appears to be only one of many pieces of malware installed by the Nine-Ball Trojan. SecureWorks identified several Web sites the attackers are using to funnel the hijacked searches, including i-web-search.com, ffsearcher.com, and my-web-way.com. Stewart said he also found at least two separate Adsense account numbers tied to those sites, accounts that would be credited with tiny commissions anytime someone with this Trojan on their PC clicked an ad displayed in the hijacked search results. A Google spokesperson confirmed that the company had deactivated the rogue Adsense accounts identified by SecureWorks. But Stewart said the FFsearcher Trojan allows the attackers to change both the sites that return the invisible Custom Search results and the Adsense accounts on-the-fly. "FFSearcher undoubtedly raises the bar for the fraud detection teams working at the major search engines, and it will be interesting to see how they combat it and other trojans using the same technique in the future," Stewart wrote, in the white paper on the Trojan, which is available at this link here.