How a click-fraud virus pays off for ad scammers

A stealthy virus used by an advertising click-fraud network generated more than $40,000 over a nine-month period, a return that researchers at Symantec Security Response called “a decent earning from what amounts to basic programming skills.”

The W32.Xpaj.B virus kept a low profile, avoiding high-risk neighborhoods such as the .gov, .mil and .int domains, but it caught the attention of researchers because it apparently was designed to value stealth over reach: evading detection mattered more to its authors than running on every machine it touched.

“Whoever wrote it made sacrifices in the design,” said Kevin Haley, a Symantec Security Response director. The virus evolved over time so that it became much more difficult for a virus scanner to determine if a file is infected. But this extra care also meant that the malicious code is not always executed. “They decided it was more important to be secure” than to have the widest possible distribution.


The researchers did a detailed analysis of the virus to see just what it was up to, in the process uncovering command and control servers with files and applications that detailed a common online advertising fraud scheme. The results were published in a white paper.

W32.Xpaj.B was discovered in October 2009 and its activities peaked early this year, fading sharply since March. “They’re done at this point,” Haley said. But the operators managed to pull in a tidy sum, and Haley said he would not be surprised to see the virus turn up elsewhere.

The virus that infected end-user computers was the only sophisticated piece of the fraud operation, Haley said. The rest of the operation was a complex but common scheme to hijack search queries from the victim computer, redirecting them to a fake search engine and delivering ads to the victim for which the scammer is paid.
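The redirection described above leaves a trace that a defender can look for: a request to a real search engine that is answered with a redirect to some other host. The following is an added example, not code from Symantec's paper or from the malware analysis; it assumes a constructed proxy log format of `client method url status location` per line, and the sample lines are made up for illustration.

```python
"""Flag search queries that were redirected away from the search engine.

Added example, not from the Symantec paper. It assumes an HTTP proxy log
with one request per line in the (constructed) format
    <client_ip> <method> <url> <status> <location_header_or_->
and that a legitimate search engine answers a query with 200, or with a
redirect that stays on its own domain.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts treated as legitimate search engines, with the query parameter each uses.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=cheap+flights 200 -
10.0.0.5 GET http://www.google.com/search?q=mortgage+rates 302 http://www.google.com/search?q=mortgage+rates&hl=en
10.0.0.7 GET http://www.bing.com/search?q=car+insurance 302 http://results.example-search.net/?kw=car+insurance
10.0.0.7 GET http://www.example.com/ 200 -
10.0.0.9 GET http://search.yahoo.com/search?p=laptop+deals 302 http://feed.example-ads.net/click?k=laptop+deals
"""


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for the engines listed above;
    a real deployment would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line):
    """Split one constructed log line into its five fields."""
    client, method, url, status, location = line.split(" ", 4)
    return {
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def extract_query(url):
    """Return the search term if the URL is a query to a known engine, else None."""
    parts = urlsplit(url)
    param = SEARCH_ENGINES.get(parts.hostname)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def find_hijacked_searches(log_text):
    """Return (client, query, redirect_host) for every search request whose
    response was a 3xx redirect to a host outside the engine's own domain."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        query = extract_query(rec["url"])
        if query is None or rec["location"] is None:
            continue
        if not 300 <= rec["status"] < 400:
            continue
        src_host = urlsplit(rec["url"]).hostname
        dst_host = urlsplit(rec["location"]).hostname or ""
        if registered_domain(src_host) != registered_domain(dst_host):
            hits.append((rec["client"], query, dst_host))
    return hits


if __name__ == "__main__":
    for client, query, host in find_hijacked_searches(SAMPLE_LOG):
        print(f"{client} searched {query!r}, redirected off-engine to {host}")
```

On the sample log, the two redirects that leave the search engine's domain are reported and the on-domain Google redirect is ignored. The same check catches only hijacks that show up as an HTTP redirect at the proxy; a hijack done inside the browser process or via DNS would need a different data source.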

The complexity of online advertising lends itself to fraud, the report says. A publisher that displays an advertiser's ads is paid for the number of times a banner is shown, and paid more if the user clicks on it. For advertising on search engines, advertisers "bid" on the chance to have their ad shown for a particular search term. In this case, the advertisers and the ads were genuine; it was the advertisers who were being scammed, paying for traffic from end users who had been improperly redirected to those sites.

The back-end click-fraud operation was not that sophisticated, Haley said, but it was well protected by the stealthy virus that delivered the malicious code. “We don’t think whoever wrote the file infector were the people who ran the back end,” he said. “Most likely they hired somebody to write it for them.”

Files in the command and control servers showed that from Sept. 27, 2010, to June 27, 2011, the operation averaged 241,717 searches a day, peaking at about 430,000 in January. The average number of clicks generated per day was 31,177, but it decreased over that period. Earnings on the hijacked searches ranged from a high of about $450 a day to a low of $43, averaging $169 a day for the nine months.

Over that nine months, the scammers made $46,404, which works out to about $62,000 a year. Not a take that would make you rich quick, but it is tax free and required little effort.

Servers were located in several countries, but the location of the criminals behind it could not be determined directly, Haley said. There was a clue, however, in the fact that the virus did not infect computers in Uzbekistan, Belarus, Kazakhstan, Kyrgyzstan, Russia, Ukraine or Tatar areas. Researchers speculate that the bad guys might have wanted to avoid scrutiny in their own backyard.


About the Author

William Jackson is a Maryland-based freelance writer.

