Malicious Proxy Redirects SSL Google Traffic for 1 Million IPs

Online advertising is a multi-billion dollar business mostly run by Google, Yahoo or Bing via AdSense-like programs. The current generation of clickbots, such as the Redirector.Paco Trojan, has taken abuse to a whole new level, burning through companies’ advertising budgets at an unprecedented pace.

Bitdefender analyzed a clickfraud bot that currently operates on nearly one million computers worldwide. The bot tampers with the internet configuration settings in order to forward searches on popular search engines (Bing, Google, Yahoo) to a third-party malicious server controlled by cyber-criminals. This server fetches the search engine results and injects adverts configured to bring money to the botnet operators. By manipulating the ads, the hackers collect their publisher fee.
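The redirection described above only works if the victim's proxy configuration has been changed to send traffic through the operators' server. The following audit script is an added example written for this page, not Bitdefender's tooling and not taken from the malware analysis: it reads the per-user WinINET proxy values on Windows (the `Internet Settings` registry key and the `ProxyEnable`, `ProxyServer` and `AutoConfigURL` value names are real; which of these Paco modifies is not stated on this page) and flags any proxy or PAC script host that is not on an allowlist. Off Windows it runs against a constructed settings dictionary; the allowlist host and the sample PAC URL are placeholders.

```python
"""Audit proxy settings for signs of search-redirecting proxy tampering.

Added example (not the page's or Bitdefender's code). On Windows it reads
the live WinINET values; elsewhere it evaluates a constructed dictionary.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# Real registry location of the per-user WinINET proxy configuration.
INTERNET_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUE_NAMES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")


@dataclass
class ProxyAudit:
    proxy_enabled: bool
    proxy_server: Optional[str]
    pac_url: Optional[str]
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def load_windows_proxy_settings() -> dict:
    """Read the live proxy values on Windows; return an empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS_KEY) as key:
        for name in PROXY_VALUE_NAMES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set on this machine
    return values


def _host_of(value: str) -> str:
    """Extract the bare host from 'scheme://host:port/path' or 'host:port'."""
    value = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.I)
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def audit_proxy_settings(settings: dict, allowed_proxy_hosts=()) -> ProxyAudit:
    """Flag an enabled proxy or PAC script whose host is not allowlisted."""
    enabled = bool(settings.get("ProxyEnable", 0))
    server = settings.get("ProxyServer") or None
    pac = settings.get("AutoConfigURL") or None
    audit = ProxyAudit(enabled, server, pac)

    if pac:
        # A PAC script lets its author decide per URL where traffic goes,
        # which is what selective redirection of search-engine traffic needs.
        if _host_of(pac) not in allowed_proxy_hosts:
            audit.findings.append(f"AutoConfigURL points to unapproved host: {pac}")

    if enabled and server:
        # ProxyServer entries look like "host:port" or "https=host:port;..."
        for entry in server.split(";"):
            target = entry.split("=", 1)[-1]
            if target and _host_of(target) not in allowed_proxy_hosts:
                audit.findings.append(f"ProxyServer routes traffic via unapproved host: {entry}")
    return audit


# Constructed samples (placeholder addresses, not indicators from the report).
SAMPLE_TAMPERED = {"ProxyEnable": 1, "ProxyServer": "",
                   "AutoConfigURL": "http://192.0.2.10/proxy.pac"}
SAMPLE_CLEAN = {"ProxyEnable": 0}
ALLOWED = ("proxy.corp.example",)  # hypothetical corporate proxy


if __name__ == "__main__":
    live = load_windows_proxy_settings() or SAMPLE_TAMPERED
    result = audit_proxy_settings(live, ALLOWED)
    for finding in result.findings:
        print("[!]", finding)
    if not result.suspicious:
        print("proxy configuration matches the allowlist")
```

Run it periodically on endpoints and compare against a baseline: a newly appearing PAC URL or proxy host is a cheap, high-signal indicator that something has rewritten the machine's proxy configuration.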

This particular campaign is mostly detrimental for private companies that pay for ad impression and clicks. Google’s AdSense for Search program places contextually relevant ads on custom search results pages and shares a portion of its advertising revenue with AdSense partners. In this particular case, the bot operator is using multiple publisher identities to operate as a Google AdSense partner and collect the money from clicks on poisoned search links.

While the infected user will not directly lose money, their search results may be poisoned as per the proxy server’s instructions. Because the behavior of the searches is mostly decided server-side, the cyber-criminals could at any point manipulate results to include links to phishing pages, exploit kits or ransomware. Basically, the cyber-criminals own the search results for the victim’s computer.

Redirector.Paco has been active in the wild since mid-September 2014. During this period it has managed to infect more than 900000 IPs worldwide, mainly in India, Malaysia, Greece, the USA, Italy, Pakistan, Brazil and Algeria.

Find out how Redirector.Paco works HERE
