By: Julien Sobrier

Elaborate Scam For Mother's Day

Phishing

Mother's Day is coming soon. As with any big event, attackers and spammers are using Blackhat Search Engine Optimization (SEO) to lure users to their sites.

I stumbled upon a rather elaborate scam involving tens of sites and multiple redirections. And this time, the ones being scammed out of their money are not the users but the websites paying for advertising. A US college website has been hacked, and a WordPress blog has been added in a separate folder (/gd).
[Screenshot] Blog post inserted on hacked website
This blog contains thousands of posts about Mother's Day. The hackers have used all the usual SEO techniques: keyword stuffing, pages focused on 2-3 keywords, multiple cross-links with keywords as the link text, and light pages (lots of text, no images, little JavaScript and CSS, etc.).
[Screenshot] Page with links to all posts
There is no link to this blog on the main website, but it shows up in searches for "Mother's Day 2010." If you visit the URL of a post directly, the page content is visible. But if you click on a search result from Google, you get redirected to a different site: trraf.com. This is the same behavior we saw for the fake antivirus pages. However, this one is much more complex: trraf.com is used to redirect the user to yet another website, rosecrane.com.

[Screenshot] rosecrane.com "search engine"
This is where the scam really occurs. The links do not point directly to the websites shown. Instead, each link redirects to a server on a different IP address. These servers then redirect the user to an advertising network, bidsystem.com, which finally redirects the user to the advertised site. According to its own website, "BidSystem is a Cost-Per-Click (CPC) ad network". For webmasters, this network is similar to Google AdWords: they get paid every time a user clicks on an ad on their website.

To hide from BidSystem the volume of traffic coming from the "search engine", several servers are used as intermediaries: the ad network thinks users have clicked on ads on multiple different sites. The spammers are tricking users into coming to their page and clicking on advertisements disguised as search results. This scams the advertisers by sending them unqualified traffic, that is, users who are not interested in their products but were tricked into clicking on fake links, while hiding the shady business from the ad network.

The advertisers are paying a premium for bad traffic, giving money away to the scammer through their ad network. Note that even if the ad network is unaware of the scam, it profits from it too, by taking a fee on each click.

This scam involves just 2 clicks from the user, but a lot of intermediaries. Here is the path the unwitting user goes through (showing the user clicks and the transparent browser redirections):
google.com click => .edu/gd/ transparent => trraf.com transparent => rosecrane.com click => /go.php transparent => kc.mv.bidsystem.com transparent => advertised site
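The two behaviours above, the referer-dependent redirect on the hacked blog and the chain of transparent hops behind each "search result", are both easiest to confirm without a browser, by following Location headers one hop at a time. The script below is an added example (not code from the original post or from Zscaler) that does exactly that: `trace` follows a chain hop by hop, `chain_hosts` lists the hosts a browser would silently pass through, and `is_cloaked` compares a direct visit with a visit that carries a Google Referer. The `fetch` callable is pluggable; `constructed_fetch` is an in-memory stand-in modelled on the behaviour described above so the script runs offline. The domain names trraf.com, rosecrane.com and kc.mv.bidsystem.com come from the post; the college host, the paths, the intermediary IP and the advertiser domain are constructed placeholders.

```python
"""Redirect-chain tracer and cloaking check (added example, not from the original post).

`fetch(url, referer)` is any callable returning (status, location, body);
`constructed_fetch` below is an offline stand-in modelled on the behaviour the
post describes. Hosts other than trraf.com, rosecrane.com and
kc.mv.bidsystem.com are constructed placeholders."""

from urllib.parse import urljoin, urlsplit

# A Google search-result page, as the Referer a victim arrives with (constructed).
GOOGLE_REFERER = "http://www.google.com/search?q=mother%27s+day+2010"

# Unconditional hops after the first one (target None = a page that is served).
_CONSTRUCTED_SITES = {
    ("trraf.com", "/in.php"): "http://rosecrane.com/",
    ("rosecrane.com", "/"): None,                          # the fake "search engine"
    ("rosecrane.com", "/go.php"): "http://203.0.113.5/r",  # one of the intermediary servers
    ("203.0.113.5", "/r"): "http://kc.mv.bidsystem.com/click",
    ("kc.mv.bidsystem.com", "/click"): "http://advertiser.example/",
    ("advertiser.example", "/"): None,
    ("loop.example", "/a"): "/b",                          # relative Location, forms a loop
    ("loop.example", "/b"): "/a",
}


def constructed_fetch(url, referer=None):
    """Stand-in HTTP client returning (status, Location header or None, body)."""
    parts = urlsplit(url)
    host, path = parts.netloc, parts.path or "/"
    # The hacked college blog: real content for direct visits, but a redirect
    # when the Referer shows the visitor came from a Google search.
    if host == "college.example.edu" and path.startswith("/gd/"):
        if referer and urlsplit(referer).netloc.endswith("google.com"):
            return 302, "http://trraf.com/in.php", ""
        return 200, None, "<html>Mother's Day 2010 gift ideas ...</html>"
    if (host, path) in _CONSTRUCTED_SITES:
        target = _CONSTRUCTED_SITES[(host, path)]
        if target is None:
            return 200, None, "<html>%s</html>" % host
        return 302, target, ""
    return 404, None, ""


def trace(fetch, url, referer=None, max_hops=10):
    """Follow 3xx Location headers one hop at a time.

    Returns (hops, final_status). The original Referer is re-sent on every hop,
    as browsers do across redirects. Raises on a loop or an over-long chain."""
    hops = [url]
    status, location, _ = fetch(url, referer)
    while 300 <= status < 400 and location:
        nxt = urljoin(url, location)          # Location may be relative
        if nxt in hops or len(hops) >= max_hops:
            raise RuntimeError("redirect loop or too many hops: %r" % (hops + [nxt]))
        hops.append(nxt)
        url = nxt
        status, location, _ = fetch(url, referer)
    return hops, status


def chain_hosts(fetch, url, referer=None):
    """Host names of every hop, in order: the view a browser never shows."""
    return [urlsplit(h).netloc for h in trace(fetch, url, referer)[0]]


def is_cloaked(fetch, url, search_referer=GOOGLE_REFERER):
    """True when a search-engine visitor lands somewhere a direct visitor does not."""
    direct_hops, direct_status = trace(fetch, url)
    referred_hops, referred_status = trace(fetch, url, referer=search_referer)
    return (direct_status != referred_status
            or urlsplit(direct_hops[-1]).netloc != urlsplit(referred_hops[-1]).netloc)


if __name__ == "__main__":
    blog = "http://college.example.edu/gd/mothers-day-2010/"
    print("cloaked:", is_cloaked(constructed_fetch, blog))
    print("click 1:", " => ".join(chain_hosts(constructed_fetch, blog, GOOGLE_REFERER)))
    print("click 2:", " => ".join(chain_hosts(constructed_fetch, "http://rosecrane.com/go.php?id=1")))
```

Against a live site, `fetch` would be a small wrapper around an HTTP client that disables automatic redirect following and sets the Referer header explicitly; the tracer deliberately never auto-follows, because the hidden intermediaries are exactly what a browser's automatic handling would hide. Relative Location values and redirect loops are handled, since both are common on throwaway redirector hosts.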

I have alerted the webmaster of the hacked college site. The fake blog has been brought down.

-- Julien
