New Click-Fraud Attack Is Stealthiest Yet

An anonymous reader sends news from The Washington Post's Security Fix blog of a new Trojan horse program that takes click fraud to the next level. The Trojan, dubbed FFsearcher by SecureWorks, was among the pieces of malware installed by sites hacked with the Nine-Ball mass compromise, which attacked some 40,000 Web sites this month. The Trojan takes advantage of Google's "AdSense for Search" API, which allows Web sites to embed Google search results alongside the usual Google AdSense ads. (SecureWorks' writeup indicates that Yahoo search is targeted too, but the researchers saw no evidence if the malware redirecting Yahoo searches.) While most search hijackers give themselves away on the victim's machine by redirecting the browser through some no-name search engine, FFsearcher "...converts every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site). Adding to the stealth is the fact that search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay." If FFSearcher were the only piece of malware on the machine, it would have a better chance of staying under the radar.

Does this affect all browsers?

[BitterOak]

The article mentions that both IE and Firefox are vulnerable, but doesn't talk about other browsers. It also doesn't say if it affects current versions, or unpatched browsers only. Will security patches for IE and Firefox be coming soon?

How the server gets infected?

[Krneki]

I can't find how the server gets infected. Is it Windows, Linux, Apache, IIS, ... ?

What part is to blame?

Interesting Point

[Demonantis]

Who would be liable for the bug? Since its dlls that are affected Microsoft would have to fix it. The thing is why should they? Their customers are not affected terribly. It is not technically fraud because it is not really misrepresenting what it presents. Google still benefits because of the adsense charges. It would be interesting to see who wants to fix this.

Detection Should be Trivial

[phantomcircuit]

Alright and then google almost immediately bans that person for adsense.

Wow brilliant plan guys.