July 6, 2012 By Dancho Danchev

117,000 unique U.S visitors offered for malware conversion

In 2012 it’s becoming increasingly common for cybercriminals to apply basic quality assurance (QA) tactics to their campaigns. Next to QA, they also emphasize on campaign optimization strategies allowing them to harness the full potential of the malicious campaign.

Recently, I came across to an underground forum advertisement selling access to 117,000 unique U.S visitors — stats gathered over a period of 8 hours — for the purpose of redirecting them to a Black Hole web malware exploitation kit landing URL. The traffic aggregation taking place through black hat SEO (search engine optimization), is aiming to exploit a group of users known to have high purchasing power, namely, American citizens.

Are such underground market propositions offering traffic exchange deals gaining popularity, or are they just a fad? What’s the infection rate for 117,000 U.S based users redirected to a BlackHole exploits serving landing URL? Let’s find out.

More details:

Screenshot of a sample statistics from a Black Hole exploit kit during a period of 8 hours:

The seller of the traffic has included a screenshot showing a 14% exploitation rate based on the 404,183 hits and 117,583 unique U.S visits. That’s primarily users with outdated third-party applications and browser plugins who are getting exploited by visiting blackhat SEO friendly content farms operated by the cybercriminals behind this underground market proposition.

For years, cybercriminals have been abusing legitimate traffic exchange marketplaces, next to coming up with their own underground alternatives where aggregated traffic is systematically exposed to client-side exploits and Internet scams. By using spam campaigns, malvertising and black hat SEO (search engine optimization) they’re capable of building traffic inventories consisting of millions of unique visitors.

Over time, I’ve observed a trend where the traffic aggregators are applying basic market segmentation techniques in an attempt to better tailor their market propositions to prospective buyers. For instance, in the past a cybercriminal will basically emphasize on volume, he’d be interested in buying as much traffic as possible. That trend is long gone.

A shift in quantity to quality 

In 2012, cybercriminals are looking to purchase traffic exclusively coming from a particular developed country with the idea to abuse the Internet connectivity of an Internet user known to have a high purchasing power. The most expensive traffic for the time being is for US and UK Internet visitors, followed by Australia, Germany and France based on the market propositions of several traffic aggregators.

We predict that over time, thanks to public and commercially available geolocation services, cybercriminals will start pitching traffic for a particular city, and shift away from offering traffic for a particular country only. This QA (quality assurance) tactic will most likely be abused by cybercriminals looking to buy inventories of unique users in a particular city in an attempt to better organize and manage a money mule recruitment network in a particular region.

In order to prevent exploitation by the Black Hole exploit kit, we advise end and corporate users ensure that they’re not running outdated third-party software and browser plugins, as the Black Hole exploit kit is currently exploiting outdated and already patched client-side vulnerabilities only.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button
true