Russian cybergangs make the Web a dangerous place

Affiliate networks use a bag of clever tricks to promote fake drugs, antivirus programs and other goods

Russian cybergangs have established a robust system for promoting Web sites that sell fake antivirus software, pharmaceuticals and counterfeit luxury products, according to a new report from security vendor Sophos.

To sell bogus goods, many of those sites rely on hundreds of "affiliate networks," which are essentially contractors that find ways to direct Web users to the bad sites, wrote Dmitry Samosseiko, a Sophos analyst.

He made a presentation this week at the Virus Bulletin security conference in Geneva.

Affiliate networks have been around for a long time and there are many legitimate ones. But "the majority of the most powerful and controversial affiliate networks are based in Russia," Samosseiko wrote.

In Russian, the networks are known as "partnerka" and focus exclusively on promoting the dark corners of the Web.

Essentially, someone who wants to become part of an affiliate signs up on a password-protected forum, most of which now are low profile and require an invitation. Once vetted, the new contractor is given a set of Web sites to promote.

One way to do so is to infect computers with malware either through spam or other means. The malware can tamper with a computer's DNS (Domain Name Server) settings in order to direct the user to a fake Google search engine site, which meshes real search results with ones that lead to, for example, a site selling fake antivirus software.

Another trick is called black hat SEO (search engine optimization). It involves creating a Web site, then using a variety of tricks mostly forbidden by search engines to get those Web sites high in search rankings.

Methods include incorporating the most recently used search terms, often listed by search engines such as Google's Trends, into a Web site.

These affiliated "doorway" Web sites will redirect users to a dodgy Web page. A referring site can earn a commission if, for example, a person buys something.

The trick for someone selling a product is to "choose a partnerka with a high conversion rate to ensure that the generated revenue will be greater than the cost of traffic itself," Samosseiko wrote.

It's an insidious, yet profitable, scheme. Sophos was able to get a peek at one of the more popular partnerka called RefreshStats.

That Web site enlists partners to create Web sites that implore people to download a codec, or a piece of software required to play video.

Inevitably, the codec is a fake, and the PC is usually infected with fake antivirus software.

Samosseiko wrote that Sophos was able to see an administrator interface for RefreshStats that showed how much different contractors were making from the scheme. One particular contractor earned US$6,456 in August 2008.

Another affiliate, called Topsale, offers up to a $25 commission for every sale of a fake antivirus product.

Samosseiko writes in his conclusion that there are hopeful signs that law enforcement and researchers can take down the rogue affiliates. But by all measures it doesn't seem that the industry is slowing down.

A recent report from security vendor Panda Security said that as many as 35 million computers worldwide may be infected with fake antivirus programs each month.

The company has collected an astounding 200,000 samples of different rogue antivirus products, about 80 percent of which are copies or are slight alterations of 10 basic families of fake products, said Luis Corrons, director of PandaLabs.

"We were seeing more and more users were being infected," Corrons said.

Join the CSO newsletter!

Error: Please check your email address.

Tags sophoscyber criminalsrussiamalwarecybercrime

More about GenevaGooglePandaPanda SecuritySophos

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place