Microsoft and Symantec bust US$1bn a year click fraud ring

7 Feb 2013

Microsoft and Symantec have taken down the command and control servers used by a cyber fraud ring that netted criminals stg£700,000 (US$1bn) a year via a threat called Trojan.Bamital.

Click fraud – a major component of the online criminal world – works by redirecting end users to ads on other sites they didn’t intend to visit.

The automated attack – which uses computers without their owners’ knowledge – generates traffic on ads and websites with the intention of getting paid by the ad networks.

Bamital was also responsible for redirecting infected computers to websites peddling malware under the guise of legitimate software.

“Once installed on your computer Bamital prevents web traffic from operating normally,” explained Norton internet safety adviser Marian Merritt.

“Instead, if you conduct a web search and try to click on the resulting links you are taken to fake websites set up by the crooks.”

How Symantec and Microsoft took down Bamital

Merritt explained how takedowns of click fraud rings by security software players work. She said: “First, security companies like Symantec notice a particular form of malicious software in circulation. They create protection files, called definitions, to prevent their customers from getting infected.

“Then, they share that information with the rest of the security industry. In special circumstances, the malware operates at a significant level, infecting thousands, possibly millions of computers anywhere in the world. Money is lost or computer performance is impacted. People begin to notice their computer isn’t working properly or they are blocked from visiting intended websites. Law enforcement may get involved at any stage in this process.

“We’ve previously seen collaboration between security companies and law enforcement to stop cyber-criminals in their tracks. Often, the easiest approach is to determine the location of servers that are communicating with the malware and break the connection by redirecting that web traffic to law enforcement secured servers.”

In the case of Microsoft and Symantec, technicians working for both companies raided data centres in Virginia and New Jersey yesterday, accompanied by US federal marshals.

They seized control of one server in New Jersey and persuaded the operators of the Virginia data centre to take down a server at their parent company in the Netherlands.

The servers had been used to communicate with between 300,000 and 1m PCs infected with malware.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years