Criminal networks are making gangs millions of pounds a year through browser hijacker Trojans which redirect users to sponsored advertising, according to research from security vendor Trend Micro.
In a blog post, the vendor explained that a criminal gang could generate several million pounds a year in profits with a network of around 150,000 bots just by hijacking search results.
These botnets need constant feeding, as computers may get removed from it. In order to make up for these losses, Trend said that herders are "constantly infecting" new systems - tens of thousands of machines every day, in fact.
In the case of one botnet, more than two million computers have been infected this year, and this is likely to double by the winter.
The botnet criminal is a patient one, according to Trend, which said that, rather than make a quick buck, they prefer to wait until the botnet is fully formed and is able to harvest the most cash from victims.
"Most cyber crime gangs are not interested in just making a quick profit or in retiring early," advanced threats researcher Feike Hacquebord wrote in the blog post.
"They treat cyber crime as a serious and lucrative business venture, and are happy to patiently expand their criminal networks while trying to hide their malicious activities from the rest of the world. By victimising many users, it can earn millions of dollars in profit annually."
Typically, bot networks are made up of more than 100 servers spread across the world. Their bosses are cash rich and able to quickly scale up and take advantage of any criminal activities that come their way. Because of this, Trend said, the "collateral damage that their activities cause is huge".
Browser hijacker Trojans redirect victims away from the sites they want to visit. By doing this they are encouraged to visit sponsored links, for which the gangs get cash.
"Browser hijackers are popular because search result clicks convert well. It is a lucrative and easy way to capitalise on the success of legitimate search engines," the firm said.
"With a network of 150,000 bots, gangs can make several millions of US dollars every year from hijacking search results alone."
Typically, targeted attacks relate to words or phrases relating to the finance industry, such as 'loans', and in one case a botnet was hijacking over one million clicks a day.
These clicks have to be monetised, though, and Trend said that they would be sold via a broker to legitimate firms, such as Yahoo, Google or Ask, which can cause some confusion.
"For example, we have seen that Yahoo search result clicks were resold back to Yahoo via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart," the company said.
This brokering is a sophisticated business in itself, and Trend singled out one in Russia, called Onwa Ltd, that "must have full knowledge of the fraudulent nature of the traffic it resells".
Onwa allegedly has its own infrastructure of spoofed Google sites which are used in hijacking schemes.
Other more scrupulous brokers may be fooled into accepting clicks from botnets, as the criminals build up a network of fake accounts, businesses and web sites that purport to prove their authenticity.
Trend warned that botnet herders will only get more sophisticated and add more tools to their trade in the future.
Return to security news headlines
View Security News Archive