Robotraff: A Hacker's Go-To For Clicks

Anyone who doubts that Internet click fraud has become a big money maker should take a look at a Russian Web site called Robotraff.com, which bills itself as "the first stock exchange of Web traffic."

Set up a free account at Robotraff and you're ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer.

Or maybe you're just getting started and you can't be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

So let's have a look at the transactions Robotraff is handling today: User #704 is selling "search mix" traffic from Google.com for $13 per 1,000 hits. Not close to making your quarterly traffic stats or ad traffic quotas? No sweat: $130 buys you 10,000 hits that look like they came from Google searches.

The details page for each item on the exchange shows the traffic speed, total traffic available, price, and a breakdown by country and Web browser. Different sellers have specialties, such as non-IE traffic and traffic exclusively from specific countries.

The terms of service that all Robotraff users must agree to in order to use the site's services plainly state (well, in poorly translated English) that buying traffic to send people to malicious Web sites is not allowed, nor is redirecting people to porn sites ... or maybe not. I couldn't help but chuckle when I read the porno ban, because directly to the left of that notice, under a section labeled "Top 5 Wanted Traffic," is a buyer offering $5.20 per 1,000 visits destined for a mix of Russia-based adult Web sites.

Mike LaPilla, director of malicious code operations for iDefense, a unit of Verisign, said those disclaimers are common on all kinds of sites that facilitate cyber crime.

"It's to dart responsibility against breaking any laws," LaPilla said. "If someone ever reported [Robotraff to the authorities], they could simply say a user broke their terms of service, and then delete them to avoid any legal trouble."

LaPilla said the brains behind Robotraff is a guy who goes by the online nickname "Bryaks," and that this individual is thought to be one of the original founders of a similar distribution network called "IFramecash" (pronounced eye-frame). IFramecash pays "affiliates" to drive traffic to their network of sites, which launch a volley of Web browser exploits in an attempt to install malicious software on the visitor's machine. IFramecash's download sites were at one time hosted off of the same Web space as the infamous Russian Business Network, and the site's operators are thought to have close ties to RBN.

Lawrence Baldwin, founder of Atlanta-based security company myNetWatchman.com, said that in the process of monitoring hacker networks he has witnessed cyber crooks logging into their accounts at Robotraff to set up deals to distribute the "Zeus" Trojan, a nasty bugger most often used to download malware designed to swipe passwords and other data from infected PCs.

"They call it a traffic distribution system, but it's more like a 'pay-per-compromise' network," Baldwin said.

While many Robotraff customers may be using the exchange to help distribute their malicious software, the exchange also would be a great way to conduct click fraud, an expensive and confounding plague in the Internet advertising space. According to the most recent stats from Click Forensics, more than 16 percent of all online ad clicks in the fourth quarter of 2007 were fraudulent.

A request for comment has been sent to multiple addresses associated with Robotraff.com. This post will be updated if they respond.

Update, May 13, 3:16 p.m. ET: I heard back from an "Alex" at Robotraff, who took rather strong exception to my source's characterization of Robotraff as a pay-per-compromise network. Their initial response was written in broken English, so I asked them to respond in their native tongue and asked a local Russian expert to translate the messages for me (many thanks to Security Fix reader Gary Goldberg for the human translation).

I will try to summarize Robotraff's main points here and then include their entire response after the jump. Alex said Robotraff no longer allows customers to sell Web traffic that uses iFrames, which can be used to seamlessly (and invisibly) load content from another page within the context of the page the visitor is viewing (iframes have many legitimate uses, but they have been a favorite tool of malware writers, who use them to quietly load browser exploits when visitors browse to a malicious or hacked Web site).

Alex said Robotraff also checks all traffic orders for viruses. He added that the marketplace no longer allows traffic for adult Web sites, and that any orders for adult site traffic visible on Robotraff.com were created prior to the exchange's new rules outlawing such trades. As soon as those trades are fulfilled, Alex said, no more adult site traffic trades will be allowed.

More, verbatim responses from Robotraff, after the jump.

"1. We don't sell iFrame traffic. We have a special test to check for iFrame (I will also talk about iFrame and other topics when we discuss this article). We have official relations with one of the best producers of antivirus software, that is, we use its antivirus solution (http://info.drweb.com/)

2. We are the only ones who check and order for viruses (the resource is indicated in the order) automatically during the entire time it is filled. The RoboProof service is free http://www.robotraff.com/info.html?page=service_roboproof.

3. With the designated problem - viruses, we're not the only ones fighting them, but other monsters such as Google http://analitics.robotraff.com/blog_eng/?. See the article All your IFrames point to us. Compare, we - a small market and enormous Google, but we are doing what they don't!

4. Even in the article you talk about the "padding" which infected machines make. This is impossible with us since there is a quality check. It will immediately show a bad result and the traffic stream will be removed - automatically. In addition, there are photos of keywords ([in English]), this will be an infected machine.

5. In the operation of the market typical calculations are used taken from financial markets, for example IRS - [English], BIR - [English]. The main desire of the market is to create a more civilized economic market for Internet advertising. Right now in the best case such as Google an auction type of trading is offered, who gave more got [more] (the possibilities of offers were not considered). But in the case of the market the price itself will be raised or lowered depending on the demand. This provides an opportunity to gain an advantage not for the service itself but the industry as a whole: both the buyer of the advertisement and the seller. But what's more new players are coming into the market - investors who do not buy or sell traffic but invest in the most successful sellers or brokers. I do not even raise the serious issue of a/the guarantee between the seller and the buyer which is impossible without the Market.

Look now what it would be to use Google Adwords effectively (yes, and any other forms of advertising networks), one would need to be a specialist in it. And there are such specialists, but they do not have opportunity to offer their services via Google (similar services). What's more, if they find a customer, how is the customer to monitor their work? Will the seller really be able to provide access to the account? Here's the market and it is also an area in which the work of each seller, what was demanded, and what the market price of these services is visible.

Note that the Market does not promote the sex industry, moreover I personally consider it damaging since it is directed at fooling search systems and creating search garbage.

Generally speaking, look at what we have written in the article and what I have cited and given links for confirmation. What do you think, if our goals were swindling (and, moreover, criminal, like the distribution of malware), would we have STARTED to do all this? Would we have engaged in correspondence?

Of course, all our checks and services were not created in a day, this is a complex path of trial and error. And during our work we have processed more than 10,000 orders (100,000,000 traffics). Possibly some were bitten somewhere, something wasn't clean, but these are all trifles in comparison on the whole with what we are doing that is useful.

The article also talks about Adult - we have decided to reject this type of traffic because of the frequent problems the buyers have. Yes, in the lists of the goods for sale there are two Adult streams in the market only because these orders were created on them, were created before the new rules were adopted. But we will keep our word - as soon as the orders are filled these streams will be removed.

P. S. We have accumulated a great deal of experience in the area of fighting malicious resource and attempts to deceive systems. Our experience could have been useful to write your subsequent articles. I am personally ready to actually write a high-quality article about problem areas."

By Brian Krebs  |  May 7, 2008; 6:22 PM ET
Categories:  Fraud , Web Fraud 2.0  | Tags: zeus  

Comments

Shame someone doesn't launch a DOS attack on this site.

Posted by: Garak | May 8, 2008 8:28 AM

Click Fraud, eh? So this is a somewhat (no, downright) dismaying aspect of the internet advertising industry that Google is pre-eminent in? I say, big deal! Looks like a bunch of froth to me, sour froth, too.

Posted by: Pete from Arlington | May 8, 2008 2:44 PM

Brian--


Your posts are cited on the site stopbadware.org. Stopbadware's partnership with Google has resulted in the Google Desktop Engine linking to stopbadware when questionable sites are opened in a browser.

Today, I attempted to use Post's Arts & Living-> Crosswords -> Start the Daily Crossword link that takes me to the WashPost's Sunday Crossword Puzzle. When I tried to launch the Sunday puzzle, I was redirected to the following link:

http://127.0.0.1:4664/safeweb?url=http%3A%2F%2Fwww%2Esundaycrosswords%2Ecom%2Fccpuz%2FWPMRCC%2Ephp&type=malware&referral=http%3A%2F%2Fcrosswords%2Ewashingtonpost%2Ecom%2Fwp%2Dsrv%2Fstyle%2Fcrosswords%2Fdaily%2Ffront%2Ehtm&s=GFBO5nOf8mb4g_9ibUhO9VfpAtM


Summary: I know that the Post gets its Sunday puzzle from http://www.sundaycrosswords.com

but I thought that you might be interested in knowing that WashPost is linking to a site that a major desktop tool is reporting as mal/suspicious.


best--

steve gardner
sbgardne@verizon.net

Posted by: steve g | May 21, 2008 7:30 PM

I love their motto. 'Robotraff.com is a name to which trust.' You'd think they could hire somebody who actually spoke English. They never get it.

Posted by: Rick | May 26, 2008 7:47 PM
