Traffbiz: A new malicious twist on affiliate partnerka schemes?

Filed Under: Malware, SophosLabs

Website owners have to pay for their websites to be hosted and can easily be tempted to monetize their sites by joining affiliate schemes that pay per click (PPC) or pay per view (PPV). Typically, these schemes promise some dollar amount per thousand clicks or views.

Some of these affiliate schemes are legitimate, but others are not.

Affiliate web-based malware represents the darker side of these affiliate schemes and is not a new thing - indeed we have been investigating it for at least four years.

The security industry, search engines and independent researchers - such as Stop Malvertising - have been working hard to combat the problem.

Last week, however, we were contacted by the popular Russian search engine Yandex, a technology partner of ours, to help them combat Traffbiz.

Traffbiz is what you might call a bad actor. Not in the Keanu Reeves sense, but in the economics sense. Information about Traffbiz is a little hard to find if you are not comfortable reading Russian. (See these two Russian-language articles about Traffbiz; fortunately, the web has online translation services.)


What is happening?
Traffbiz are promising webmasters approximately $1 for every 1000 page views (ppv) they generate, and so webmasters are adding code like this to their webpages:

Counter code

The five digit code in the middle of the URL is a unique tracker id, specific to each affiliate.

The code appears to load a script called counter[0-9]?.jpg. If you manually download the file you may see an image (it was a PNG image file last time I checked).

If you visit the site while monitoring traffic with a tool like Fiddler, you will see another script being loaded.

Then a further script is loaded. Outside of Russia you will just get a clean file, but if you happen to be within Russia, you could find your computer loading a different, malicious script like this:

This script would then load a Blackhole exploit kit (detected by Sophos as Troj/ExpJS-N).

This version of Troj/ExpJS-N targets Russian users by hitting them with banking trojans.
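As an added triage example (not code from the original post and not SophosLabs or Yandex tooling), the Python below works over constructed proxy captures of the kind you would export from Fiddler. It flags `<script src>` values that end in an image extension, sniffs whether a response named like an image actually carries JavaScript, pulls out the five-digit path segment described above, and reports URLs whose body differs between two vantage points, which is the "clean file outside Russia, different script inside Russia" behaviour described in the post. The domain `counter.example.invalid`, the `Capture` record, the `vantage` field and the sample bodies are all assumptions made for the example.

```python
"""Triage helpers: image-named resources that behave like scripts, and cloaked URLs."""
import hashlib
import re
from dataclasses import dataclass

# Real file signatures for common image formats.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif)(?:\?.*)?$", re.IGNORECASE)
# Crude heuristic for a JavaScript body: fine for triage, not for proof.
JS_HINT = re.compile(rb"^\s*(?:var\s|function\b|document\.|window\.|\(function|eval\()")
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# The post notes a five-digit affiliate id in the middle of the URL path.
TRACKER_ID = re.compile(r"/(\d{5})/")
SCRIPT_TYPES = ("text/javascript", "application/javascript", "application/x-javascript")


@dataclass
class Capture:
    """One proxied response. The field layout is an assumption, not a Fiddler format."""
    url: str
    content_type: str
    body: bytes
    vantage: str = "default"  # label for where the request was made from


def sniff(body: bytes) -> str:
    """Classify a body by its leading bytes rather than by URL or header."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    if JS_HINT.search(body):
        return "javascript"
    return "unknown"


def script_srcs_with_image_extension(html: str) -> list[str]:
    """Return <script src> values that end in an image extension."""
    return [src for src in SCRIPT_SRC.findall(html) if IMAGE_EXT.search(src)]


def classify(cap: Capture) -> list[str]:
    """Flag one response for image/script mismatches and extract the tracker id."""
    findings = []
    named_as_image = bool(IMAGE_EXT.search(cap.url))
    if named_as_image and sniff(cap.body) == "javascript":
        findings.append("image-url-serves-script")
    if named_as_image and cap.content_type.split(";")[0].strip() in SCRIPT_TYPES:
        findings.append("image-url-declares-script-type")
    m = TRACKER_ID.search(cap.url)
    if m:
        findings.append("tracker-id:" + m.group(1))
    return findings


def cloaked_urls(captures: list[Capture]) -> dict[str, dict[str, str]]:
    """Return URLs whose body hash differs between vantages (server-side cloaking)."""
    by_url: dict[str, dict[str, str]] = {}
    for cap in captures:
        digest = hashlib.sha256(cap.body).hexdigest()[:12]
        by_url.setdefault(cap.url, {})[cap.vantage] = digest
    return {url: h for url, h in by_url.items() if len(set(h.values())) > 1}


# --- constructed samples; none of this is real Traffbiz traffic ---
COUNTER_URL = "http://counter.example.invalid/12345/counter3.jpg"
PAGE_HTML = '<html><body><script src="' + COUNTER_URL + '"></script></body></html>'
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JS_STUB = b"var s=document.createElement('script');document.body.appendChild(s);"

SAMPLES = [
    Capture(COUNTER_URL, "image/png", PNG_STUB, vantage="outside"),
    Capture(COUNTER_URL, "application/javascript", JS_STUB, vantage="inside"),
]

if __name__ == "__main__":
    print("script tags pointing at images:", script_srcs_with_image_extension(PAGE_HTML))
    for cap in SAMPLES:
        print(cap.vantage, classify(cap))
    print("cloaked:", cloaked_urls(SAMPLES))
```

The magic-byte check is deliberately placed before the JavaScript heuristic so that a genuine PNG served under the same URL is never mis-flagged; the two captures of the same URL only become interesting when their hashes disagree across vantages.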

It should be noted that the present attack is one of the first we have seen that seemingly deliberately targets Russian citizens.

If you would like to know more about Web-based affiliate malware then read my paper and slides, courtesy of Virus Bulletin.

To find out more about Russian affiliate (also known as Partnerka) schemes, a must read is Dmitry Samosseiko's paper "The Partnerka -- what is it, and why should you care?".

2 Responses to Traffbiz: A new malicious twist on affiliate partnerka schemes?

  1. lewis Paul · 1321 days ago

    Interesting read. I keep hearing more and more about this Blackhole exploit pack, and strangely enough I can find several public sites using Google where sellers are renting on a per-month basis. These are the people that need catching.

  2. kelvin · 1321 days ago

    I'd like to ask: are there any of these offers - i.e. get money for people viewing you - which ARE genuine and trustable? Are there advertising firms which pay when you get clicked? Does anyone know any real ones (names, links, etc.) which could be recommended for adequate security?

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos for pastures new and will be writing as an independent malware researcher. Paul has published several papers, presented at several Virus Bulletin conferences and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.