Traffbiz: A new malicious twist on affiliate partnerka schemes?


Website owners have to pay for their websites to be hosted and can easily be tempted to monetize their sites by joining affiliate schemes that pay per click (PPC) or pay per view (PPV). Typically, these schemes promise some dollar amount for every thousand clicks or views.

Some of these affiliate schemes are legitimate, but others are not.

Affiliate web-based malware represents the darker side of these affiliate schemes and is not a new thing – indeed we have been investigating it for at least four years.

The security industry, search engines and independent researchers – such as Stop Malvertising – have been working hard to combat the problem.

Last week, however, we were contacted by the popular Russian search engine Yandex, a technology partner of ours, to help them combat Traffbiz.

Traffbiz is what you might call a bad actor. Not in the Keanu Reeves sense, but in the economics sense. Information about Traffbiz is a little hard to find if you are not comfortable reading Russian. (See these two Russian-language articles about Traffbiz. Fortunately, the web has online translation services.)


What is happening?
Traffbiz are promising webmasters approximately $1 for every 1000 page views (ppv) they generate, and so webmasters are adding code like this to their webpages:

Counter code

The five-digit code in the middle of the URL is a unique tracker id, specific to each affiliate.

The code appears to load a script called counter[0-9]?.jpg. If you manually download the file you may see an image (it was a PNG image file last time I checked).

If you visit the site, monitoring traffic with a tool like Fiddler, you will see another script being loaded.

Then a further script is loaded. Outside of Russia you will just get a clean file. But if you happen to be within Russia, you could find your computer loading a different malicious script like this:

This script would then load a Blackhole exploit kit (detected by Sophos as Troj/ExpJS-N).

This version of Troj/ExpJS-N targets Russian users by hitting them with banking trojans.

It should be noted that the present attack is one of the first we have seen that seemingly deliberately targets Russian citizens.
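The include pattern described above has a property that is useful to defenders: the page-side indicator (a `<script src>` pointing at a file named like an image, with a five-digit affiliate id in the URL path) is visible in the webmaster's HTML regardless of where the visitor is located, even though the malicious payload itself is only served inside Russia. The following is an added example, not code from the original post or from Sophos, showing how a site owner or scanner could flag that pattern in a page's HTML. The sample page, the `traffbiz-placeholder.example` domain and the `12345` tracker id are all constructed placeholders; the real Traffbiz domain is not given in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the article): an ordinary analytics
# script, a real image, and one affiliate "counter" include of the kind the
# post describes, where a <script src> points at an image-named file and the
# URL path carries a five-digit affiliate tracker id. Domain and id are
# placeholders.
SAMPLE_HTML = """
<html><body>
<p>Hello</p>
<script src="https://example.net/js/analytics.js"></script>
<img src="https://example.net/img/logo.png">
<script type="text/javascript" src="http://traffbiz-placeholder.example/12345/counter1.jpg"></script>
<script src="https://cdn.example.org/lib/jquery.min.js"></script>
</body></html>
"""

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")
# counter[0-9]?.jpg as described in the post, allowing other image extensions
COUNTER_RE = re.compile(r"^counter\d?\.(?:jpe?g|png|gif)$", re.IGNORECASE)
# a standalone run of exactly five digits somewhere in the URL path
TRACKER_RE = re.compile(r"(?<!\d)(\d{5})(?!\d)")


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def find_suspicious_script_includes(html):
    """Return one finding per <script src> that loads a file with an image
    extension. Each finding records whether the filename matches the
    counterN.jpg naming from the post and any five-digit id in the path."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        path = urlparse(src).path
        filename = path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(IMAGE_EXTENSIONS):
            continue  # a script served under a .js (or no) extension is not this pattern
        tracker = TRACKER_RE.search(path)
        findings.append({
            "src": src,
            "filename": filename,
            "counter_pattern": bool(COUNTER_RE.match(filename)),
            "tracker_id": tracker.group(1) if tracker else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_script_includes(SAMPLE_HTML):
        print(finding)
```

The check is deliberately static: it never fetches the counter URL, so it does not depend on the scanner's geographic location and is not fooled by the clean file that visitors outside Russia receive. A script loaded from an image-named URL is unusual enough on its own to be worth a review, which is why every such include is reported and the tracker id and counter-name matches are recorded as supporting evidence rather than used as the sole trigger.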

If you would like to know more about Web-based affiliate malware then read my paper and slides, courtesy of Virus Bulletin.

To find out more about Russian affiliate (also known as Partnerka) schemes, a must read is Dmitry Samosseiko’s paper “The Partnerka — what is it, and why should you care?”.