Channel: Security Boulevard

For Fraudsters by Fraudsters: iFrame Traffic Shop Opens for Business


Cybercrime does not rest; hackers and malware authors are always looking for new ways to make money using what they know best: programming and the Internet. One of the most recent innovations to come through was a new iFrame Shop made for fraudsters by fraudsters.

Services that sell web traffic (and iFrame traffic) already exist on the web and are somewhat of a gray area when it comes to increasing the flow of web traffic to specific URLs. The use of iFrames and hidden iFrames is also part of how these types of services operate, including the fact that they track and collect visitor IP addresses, OS type, screen resolution, and ISP names without the user’s knowledge or permission.

One of the popular offerings from web traffic services is the ability to target specific countries, moving visitors from a specific location to the traffic buyer’s URL. Beginning to sound better and better by the moment, isn’t it? Fraudsters are big on targeting specific countries, whether it be for different fraud schemes or for malware infections and financial fraud.

What are iFrames?

iFrames are HTML elements that can contain content, be it HTML or JavaScript, from another web page. When used legally, iFrames are used to highlight important pages on a website or can be sold as advertising space. They can be seen on almost every web page you visit. For example, the RSA website uses iFrames linking to other RSA web pages as seen below:

 

However, the fact that iFrames can be hidden and can run malicious code makes them quite popular in fraudster circles for infecting victims’ machines with Trojans and other forms of malware.

How can cybercriminals leverage iFrames to spread malicious content? They do it in three ways:

  • They create websites and direct their botnets to the site’s URL, thus creating fake and illegal traffic on that site, making it appear considerable. They then attempt to monetize it with click-fraud.
  • They compromise pages in existing websites, inject iFrame content into them, and send web visitors to that location, on top of preying on the unwitting visitors of that website.
  • They hijack an entire website and use its pages to host their own content, then send users to that seemingly legitimate website. 

By being able to control the iFrames and their content, cybercriminals direct the flow of traffic sent to them from botnets or optimize search engine results in an illegal way to have web users’ search queries bring up poisoned results (SEO poisoning).

Placing unauthorized iFrames on high-traffic legitimate websites creates “junk traffic” and click fraud; both are illegal. iFrames can be made invisible by setting their height and width to 0, so that they are not visually displayed on the website. Because an iFrame can contain a drive-by download leading to a Trojan infection, the visitor will not even know it has occurred.
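For site owners who want to check their own pages for the hidden iFrames described above, the following added example (not part of the original article) parses a page and reports every iFrame that a visitor could not see, and whether it loads from another host. It goes beyond the 0 height and width case in the text by also flagging 1-pixel frames and CSS hiding; the function names, the sample markup and the example hosts are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that hide a frame; max-width etc. are excluded.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

# Constructed sample page for www.example.com (not taken from the article).
SAMPLE = """<html><body>
<iframe src="https://www.example.com/promo.html" width="300" height="250"></iframe>
<iframe src="http://traffic.example.net/in.php?id=1" width="0" height="0"></iframe>
<iframe src="/analytics/frame.html" style="display:none"></iframe>
<iframe src="//cdn.example.org/x" style="position:absolute; width:1px; height:1px;"></iframe>
</body></html>"""

class IframeAuditor(HTMLParser):
    """Records iframes a visitor cannot see and whether they load off-site."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = [f"{d}={a[d]}" for d in ("width", "height")
                   if a.get(d) in ("0", "1", "0px", "1px")]
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if "hidden" in a:
            reasons.append("hidden-attr")
        if not reasons:
            return  # visible frame: nothing to report
        src = a.get("src", "")
        host = (urlparse(src).hostname or self.page_host).lower()
        off_site = host != self.page_host and not host.endswith("." + self.page_host)
        self.findings.append({"src": src, "reasons": reasons, "third_party": off_site})

def audit(html, page_host):
    """Return one finding per hidden iframe in html served from page_host."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "www.example.com"):
        print(finding)
```

A hidden frame that is also third-party is the combination worth reviewing first; hidden same-site frames are common in legitimate analytics and authentication flows.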

New Underground Online iFrame Shop

A new store opened to service cybercriminals came from an underground operator who apparently wished to provide his fraudster-buyers with an easy online platform through which they could trade (buy or sell) web traffic. Evidently, when used in the context of fraud, one can expect to see junk traffic leading to exploit kit infections, Trojan drive-by download sites, and live phishing pages, to name a few.

This is one of the only instances of such a shop being offered to members of the underground, although it cannot be considered surprising. It is evident fraudsters have been using these types of junk traffic services already, although the purportedly ‘legal’ services offered online declare they only work with ‘clean’ traffic, allegedly ensuring no malware, pop-ups and malicious content is related to their services.

This service, in a similar way to bulletproof hosting services, eliminates the need for fraudsters to hide their true intentions. It is clear up front that the purpose is going to be illegal and, sure enough, the service operator will not ask too many questions about the malicious URLs and will even actively partake in the operation.

The new shop’s main purchase panel allows one to view the types of options offered by the store: buying, selling, statistics and the average price for 1,000 visitors sent to the buyer’s page. The more targeted choices available to the buyer are to pick out a country from the drop-down menu or to purchase a “Countries pack,” selecting a few countries into a bundle deal. Depending on the country, the price for each 1,000 visitors changes and can range from $8.00 USD to $18.00 USD.

Underground iFrame Shop – Main Traffic Purchase Page 

 

 If one chooses to sell iFrame traffic (or direct traffic to a specified URL), a “Sell Traffic” screen provides the interface for communicating the details to the service’s operator.

Underground iFrame Shop – Sell Traffic Page

 

On yet another page, traffic sellers are invited to sell direct traffic through the websites they control by using the service’s own domain for redirections. What they would need to do is send users from their own websites to that domain (thus creating more traffic for the operators’ URL and getting paid per 1K visitor batches).

A member wishing to sell iFrame traffic can access the dedicated page set up and read instructions on the required process. Essentially, the traffic seller will be injecting the service operator’s URL into iFrames he already controls. That way, traffic will be sent to the service’s operator’s URL and the seller will receive payment.

Underground iFrame Shop – Sell Direct Traffic Set-Up


