How a click-jacking virus pays off for ad scammers

A stealthy virus used by an advertising click-fraud network generated more than $40,000 over a nine-month period, a return that researchers at Symantec Security Response called “a decent earning from what amounts to basic programming skills.”

The W32.Xpaj.B virus kept a low profile, avoiding high-risk neighborhoods such as the .gov, .mil and .int domains, but it caught the attention of researchers because it apparently was designed to value security over functionality.

“Whoever wrote it made sacrifices in the design,” said Kevin Haley, a Symantec Security Response director. The virus evolved over time so that it became much more difficult for a virus scanner to determine if a file is infected. But this extra care also meant that the malicious code is not always executed. “They decided it was more important to be secure” than to have the widest possible distribution.


The researchers did a detailed analysis of the virus to see just what it was up to, in the process uncovering command and control servers with files and applications that detailed a common online advertising fraud scheme. The results were published in a white paper.

W32.Xpaj.B was discovered in October 2009 and its activities peaked early this year, fading sharply since March. “They’re done at this point,” Haley said. But the operators managed to pull in a tidy sum, and Haley said he would not be surprised to see the virus turn up elsewhere.

The virus that infected end-user computers was the only sophisticated piece of the fraud operation, Haley said. The rest of the operation was a complex but common scheme to hijack search queries from the victim computer, redirecting them to a fake search engine and delivering ads to the victim for which the scammer is paid.

The complexity of online advertising lends itself to fraud, the report says. An advertiser who places a seller’s ads gets paid for the number of times a banner is displayed, and more if the user clicks on it. For advertising on search engines, sellers “bid” on chances to advertise on a particular search term. In this case, the advertisers and the ads were genuine; they were being scammed when the end user was inappropriately directed to the sites.

The back-end click-jacking operation was not that sophisticated, Haley said, but it was well protected by the stealthy virus that delivered the malicious code. “We don’t think whoever wrote the file infector were the people who ran the back end,” he said. “Most likely they hired somebody to write it for them.”

Files in the command and control servers showed that from Sept. 27, 2010, to June 27, 2011, the operation averaged 241,717 searches a day, peaking at about 430,000 in January. The average number of clicks generated per day was 31,177, but it decreased over that period. Earnings on the hijacked searches ranged from a high of about $450 a day to a low of $43, averaging $169 a day for the nine months.

Over those nine months, the scammers made $46,404, which works out to about $62,000 a year. Not a take that would make you rich quick, but it is tax free and required little effort.

Servers were located in several countries, but the location of the criminals behind it could not be determined directly, Haley said. There was a clue, however, in the fact that the virus did not infect computers in Uzbekistan, Belarus, Kazakhstan, Kyrgyzstan, Russia, Ukraine or Tatar areas. Researchers speculate that the bad guys might have wanted to avoid scrutiny in their own backyard.


About the Author

William Jackson is a Maryland-based freelance writer.
