Ten thousand eight hundred dollars per day for cybercrime jockeys? That's what security vendor Finjan says it witnessed during its 16-day infiltration of a cybercrime operation, based in the Ukraine, that involved selling bogus anti-virus software.
"If someone gets over $10,000 per day in cybercrime, it explains why they want to do a lot of it," says Yuval Ben-Itzak, Finjan's CTO.
The crime operation broke into Web sites and exploited Internet search engines to redirect 1.8 million Web users to a fake antivirus software site during a 16-day period just a few weeks ago, Ben-Itzak says. The group's server was cut off from the Internet after Finjan reported it to ISPs, he says.
In a report released Monday, Finjan describes how it all worked.
"The goal of the criminals was to sell rogue antispyware, antivirus products," Ben-Itzak says. Exploitation of search-engine optimization helped the operation drive traffic to the bogus antivirus site, he says.
The cybercrime group started by compromising hundreds of pages on legitimate Web sites by injecting a text page with keywords. Ben-Itzak declined to name the affected Web sites, but they were mainly news and shopping sites.
"The cybercriminals add a custom page -- an HTML page -- including a lot of keywords with typos, like 'Obbama,'" Ben-Itzak says. Other keywords include "gogle," "mobile fone" and "liscense" as well as trendy keywords taken from the Google Trends system, the Finjan report states.
"Obbama" is a common misspelling of President Obama's name used in Web searches, and once the manipulated Web pages were picked up and indexed in search engines such as Google, people searching for the word "Obbama" would end up on the compromised Web sites.
The compromised Web pages also contained a script that redirected the Web site's visitors through a number of hops to the page where the fake antivirus software was hawked, the report notes.
Obfuscated code hid the redirect to the group's traffic-management server, which then directed the user's browser to the rogue software site. Visitors were told that if they saw a flashing message on their computer, it was infected and they needed antivirus software to eliminate it.
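A site owner can check their own web root for the combination described above: a page stuffed with misspelled bait keywords that also carries a redirect-style script. The following is an added example, not code from Finjan's report; the redirect markers, the two-term threshold and the sample pages are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Misspelled bait terms quoted in the article; a real list would be longer.
BAIT_TERMS = ["obbama", "gogle", "mobile fone", "liscense"]
# Assumption: common markers of script-driven redirects and simple obfuscation.
# These heuristics are illustrative and are not taken from the Finjan report.
REDIRECT_MARKERS = re.compile(
    r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\(|location(?:\.href)?\s*=",
    re.IGNORECASE,
)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
TAG = re.compile(r"<[^>]+>")


def score_page(html):
    """Score one HTML document for bait keywords plus a redirect-style script."""
    scripts = " ".join(SCRIPT_BLOCK.findall(html))
    visible = TAG.sub(" ", SCRIPT_BLOCK.sub(" ", html)).lower()
    text = " ".join(re.findall(r"[a-z0-9]+", visible))
    counts = {t: len(re.findall(r"\b" + re.escape(t) + r"\b", text)) for t in BAIT_TERMS}
    hits = {t: n for t, n in counts.items() if n}
    redirect = bool(REDIRECT_MARKERS.search(scripts))
    # Flag only the combination: several distinct bait terms AND a redirect script.
    return {"bait_terms": hits, "redirect_script": redirect,
            "suspicious": len(hits) >= 2 and redirect}


def scan_webroot(root):
    """Return {path: result} for every suspicious .htm/.html file under root."""
    findings = {}
    for path in Path(root).rglob("*.htm*"):
        if path.is_file():
            result = score_page(path.read_text(errors="replace"))
            if result["suspicious"]:
                findings[str(path)] = result
    return findings


# Constructed samples (not from the report): an injected bait page and a normal page.
INJECTED = ("<html><body><p>obbama news gogle search mobile fone deals liscense key "
            "obbama speech gogle maps</p><script>eval(unescape('%2F%2F'));</script>"
            "</body></html>")
LEGIT = ("<html><body><h1>Obama speech</h1><p>Renew your license online.</p>"
         "<script>window.location.href = '/home';</script></body></html>")

if __name__ == "__main__":
    for name, page in (("injected", INJECTED), ("legit", LEGIT)):
        print(name, score_page(page))
```

Requiring both signals keeps an ordinary page with a script redirect, or a page with a single typo, from being flagged; files that do match are candidates for comparison against the site's known-good content.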
Some people did purchase $20 rogue antivirus software from the site with credit cards, and the cybercrime group that successfully directed traffic to it collected $172,000 over the 16-day period, or $10,800 per day.
"Based on a normal work week, this would put our criminals in the $2 million-plus annual income bracket," Finjan states in its report.
Ben-Itzak says about 70% of the traffic appears to have originated in the United States.