All articles licensed under a Creative Commons License.
 









Tuesday, October 03, 2006

Instant Messaging Clickfraud? Hackers use Botnet Tactics in IM Land...

For quite some time, I've seen certain Botnets perform the following trick: install some garbage, and hijack the end user's homepage. The hijacked page usually contains nothing more than a bunch of adverts - and, should the curious end-user click them (which they inevitably will) the bad guys rake in the dough from whoever runs the Ad Network and the advertisers or whoever.

Now, automated drones are great, but eventually you will be caught out. Even the best auto-clickers aren't particularly brilliant. But what if you could organise a network of drones that weren't machines but actual people? What if you could do away with all that awful technical IRC jibber-jabber and run what is effectively a Bot-less Botnet? What if...you could take some code from last month, rejiggify it a little and launch IM infections from simply visiting a webpage in IE, as opposed to all the HEY LOL CLICK THIS nonsense you usually have to do?

Well, today's your lucky day, kids!

We've uncovered what looks to be a case of someone mangling a piece of fairly recent infection code to perform what is basically Botnet-style clickfraud, without the Botnet (or the automated clicks). Simply visit the bad guy website in IE, and whammo....you're spewing out IM infection links within minutes. Meanwhile, you'll find your homepage has been jacked, Botnet style, to a site stuffed with adverts.

Not just any old adverts, though - these guys have done their homework. Unlike the previous ads that I've seen served up by Botnets, these ones are targeted towards a specific kind of cancer. Namely, Mesothelioma.

Why? Because that particular word will have a much higher payout if clicked than, say, roflcopter or boobfest. And because the act of clicking is left in the hands of an actual human (as opposed to a drone), there is no guarantee anything will actually get clicked in the first place. In theory, this may resemble "normal" clickthrough traffic and not raise any suspicion. So not only is this guy getting rich quick, he's also kicked the Botnet clickfraud model into touch because:

1) It's way, way harder to trace some random boob who has a ton of (partially) unconnected people shunting IM links all over the place. Try staying anonymous as a Botnet owner who just had the entire details of his server splattered across the net by Shadowserver.

2) No crappy drones that are liable to break down and / or super-insane CLICK IT ALL mania, which seems to happen a lot. Bad coding ftw! Also, there's no "traditional" forced, automated clicking - there's an element of random, human-touch chance involved instead which is kind of nifty.

3) Stealing a technique previously rooted in Botnets, blagging someone's IM code, combining the two together and launching IM infections from IE-webpage browsing (with no initial IM involvement needed to get the ball rolling) is just awesome. Awesomely bad, but awesome all the same. Top it off with cherries, ice cream and LOTS OF MONEY STEALING ACTION and you probably have the plot for Ocean's Eleven. Er, Twelve. I mean, Thirteen.

Um...yeah. I also particularly like the strangeness of starting an IM infection chain through something other than IM (like, a web-browser). I dunno, it just seems odd and makes strange buzzing sounds happen in my brain. What will be interesting to see is if some of the smaller Botnet guys ditch their technical woes and jump on the much-easier-to-maintain Instant Messaging Bandwagon to get their clickfraud kicks...

More Coverage: SecurityProNews Slashdot RealTechNews CVBT


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.