Thanks to the free, commercial availability of mass Web site hacking tools, in combination with hundreds of thousands of misconfigured and unpatched Web sites, blogs and forums currently susceptible to exploitation, cybercriminals are successfully monetizing the compromise process. They are setting up iFrame based traffic E-shops and offering access to hijacked legitimate traffic to be later on converted to malware-infected hosts.
Despite the fact that the iFrame traffic E-shop that I’ll discuss in this post is pitching itself as a “legitimate traffic service”, it’s also explicitly emphasizing on the fact that iFrame based traffic is perfectly suitable to be used for Web malware exploitation kits. Let’s take a closer look at the actual (international) underground market ad, and discuss the relevance of these E-shops in today’s modern cybercrime ecosystem.
Sample screenshot of the (international) undeground market ad:
The PayPal and Bitcoin accepting service offers 5,000 visits for $15, 50,000 visits for $100 and 100,000 visits for $175, as well as geolocated traffic consisting of American, French, British and Canadian visitors.
The E-shop opens up two possibilities for abuse:
- directly embedding exploits and malware serving iFrame URLs – client-side exploit serving URLs can be directly embedded in the form of iFrames on the hacked Web sites that the cybercriminal behind the service has access to, potentially exposing its visitors to the malicious payload served by the service’s customers
- ‘visual social engineering’ campaigns displayed at Adult Web sites – a typical campaign could take advantage of the same ‘instant action provoking’ visual social engineering campaigns that are typical for PUA (Potentially Unwanted Application) campaigns, in the context of featuring appealing ads mimicking popular products, demanding urgent reaction, or promising a reward for clicking on them
We’re actively monitoring this underground market segment, and will continue profiling cybercrime-friendly traffic E-shops, raising more awareness on a highly popular traffic acquisition tactic within the cybercrime ecosystem.