Botnet hijacks search results to siphon Google AdSense for Search revenue
The click-fraud botnet Redirector.Paco has infected nearly 1 million computers worldwide since 2014, according to researchers.
A click-fraud bot dubbed Redirector.Paco attacks when users perform searches from Google, Bing and Yahoo. The malware replaces the legitimate results with those from a Google custom search that includes AdSense for Search ads.
Bitdefender, a security firm based in Romania, released a blog post about the botnet on Monday stating Paco has been active since mid-September 2014 and has infected more than 900,000 IPs globally, with infection rates heaviest in India. However, the malware has hit the US, Brazil, Italy, Pakistan, Algeria and Malaysia hard as well.
The post’s authors, Bitdefender antimalware researchers Cristina Vatamanu, Răzvan Benchea and Alexandru Maximciuc, explain, “The malware’s objective is to redirect all traffic performed when using a popular search engine (such as Google, Yahoo or Bing) and replace the results with others obtained from a Google custom search. The goal is to help cyber-criminals earn money from the AdSense program.”
When the Redirector.Paco malware infects a computer — typically after a user downloads and installs a trojanized version of a software program such as Connectify, KMSPico, Stardock Start8 or YouTube Downloader — it adds two files innocuously named “Adobe Flash Scheduler” and “Adobe Flash Update,” which relaunch the malware each time the PC restarts. It then re-routes web traffic through a local proxy server, generating its own root certificates for the search engines’ domains and installing them so that the user’s browser accepts the proxy’s certificates without warning. When the user queries a search engine, the malware serves up custom search pages with AdSense for Search ads. The perpetrators earn a portion of the cost-per-click from the AdSense affiliate program each time a user clicks on one of the ads.
There are some indicators that the search results are not authentic, say the researchers. For example, messages like “Waiting for proxy tunnel” or “Downloading proxy script” might display in the browser’s status. The page also takes abnormally long to load and the Google logo with yellow “o” characters above the page numbers at the bottom of the page does not show.
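The local-proxy mechanism described above, together with the “Downloading proxy script” status message, suggests the redirection is configured through a proxy auto-config (PAC) script that sends search-engine hosts to a proxy on the infected machine. The following is an added triage example, not code from the article or from Bitdefender: it takes the text of a PAC script (the sample scripts here are constructed for illustration and are not Redirector.Paco’s actual script), extracts the proxy endpoints and the host patterns the script matches, and flags the combination of a loopback proxy with search-engine host patterns as suspicious. The regexes assume the common `shExpMatch`/`dnsDomainIs` PAC idioms; other host-matching functions would need to be added.

```python
import re

# Search engines named in the article; a host pattern containing one of these
# substrings is treated as targeting a search engine.
SEARCH_ENGINE_KEYWORDS = ("google", "bing", "yahoo")

# Proxy host values that mean "a proxy on this machine".
LOOPBACK_HOSTS = ("127.", "localhost", "[::1]", "::1")

# Constructed sample PAC script (illustrative only, not the real malware's script).
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.google.*") ||
        shExpMatch(host, "*.bing.com") ||
        dnsDomainIs(host, "search.yahoo.com")) {
        return "PROXY 127.0.0.1:8080";
    }
    return "DIRECT";
}
"""

# Constructed benign PAC script: sends only an internal domain through a corporate proxy.
BENIGN_PAC = """
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, ".intranet.example")) {
        return "PROXY proxy.corp.example:3128";
    }
    return "DIRECT";
}
"""

_PROXY_RE = re.compile(r'\bPROXY\s+([A-Za-z0-9.\-\[\]:]+)')
_HOST_MATCH_RE = re.compile(
    r'\b(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')


def extract_proxies(pac_text):
    """Return every host:port named in a PROXY directive, in order of appearance."""
    return _PROXY_RE.findall(pac_text)


def extract_host_patterns(pac_text):
    """Return the host patterns passed to shExpMatch()/dnsDomainIs() on `host`."""
    return _HOST_MATCH_RE.findall(pac_text)


def is_loopback_proxy(proxy):
    """True if the proxy endpoint points back at the local machine."""
    return proxy.lower().startswith(LOOPBACK_HOSTS)


def targets_search_engine(pattern):
    """True if a host pattern names one of the search engines from the article."""
    lowered = pattern.lower()
    return any(keyword in lowered for keyword in SEARCH_ENGINE_KEYWORDS)


def assess_pac(pac_text):
    """Summarise a PAC script and flag loopback proxying of search-engine hosts."""
    proxies = extract_proxies(pac_text)
    patterns = extract_host_patterns(pac_text)
    local_proxies = [p for p in proxies if is_loopback_proxy(p)]
    search_patterns = [p for p in patterns if targets_search_engine(p)]
    return {
        "proxies": proxies,
        "host_patterns": patterns,
        "local_proxies": local_proxies,
        "search_engine_patterns": search_patterns,
        # Suspicious only when both signals are present: a proxy on this machine
        # and rules that single out search-engine traffic.
        "suspicious": bool(local_proxies) and bool(search_patterns),
    }


if __name__ == "__main__":
    for name, pac in (("sample", SAMPLE_PAC), ("benign", BENIGN_PAC)):
        verdict = assess_pac(pac)
        print(f"{name}: suspicious={verdict['suspicious']} "
              f"local_proxies={verdict['local_proxies']} "
              f"search_engine_patterns={verdict['search_engine_patterns']}")
```

On a suspected machine the PAC text would come from the browser or system proxy settings (for example, the auto-config URL the browser is configured with); the assessment itself is deliberately independent of how the script was obtained, so it can also be run over scripts collected centrally.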
In February, Google announced it had taken action to filter traffic from three ad fraud botnets — Bedep, Beetal and Changthangi — that have infected more than 500,000 machines.