Report outlines massive affiliate campaigns pushing pharmaceuticals, including counterfeit Tamiflu, making Russian hackers millions.
Researchers at security vendor Sophos’ Canadian research labs have released a report outlining how some Russian cybercriminals are making millions off the H1N1 flu scare by pushing counterfeit Tamiflu through well-organized affiliate programs.
The cybercriminals have built affiliate networks that make them harder to track down: responsibility for the different spam tasks is spread across many affiliates, while the added advertising reach brings visibility and more potential victims. The model has evolved over time, and today there are literally hundreds of malicious affiliate networks touting everything from phony dating websites and porn to pharmaceuticals such as Tamiflu.
Rather than relying only on direct spam campaigns that flood inboxes, the cybercriminals run Web marketing campaigns that drive potential victims to partner affiliate websites using a mixture of spam, manipulated search engine results (search engine optimization), blogs and forum posts, the report finds. Each affiliate gets a small cut, but most of the profits go to cybercriminal gangs in Russia.
Many of these networks, known as partnerkas, organize expensive parties for their members, send generous holiday gifts, run lotteries in which a top producer wins a luxury car, and so on. In some cases the rivalry between partnerkas turns ugly, and one portal may get DDoS’ed by a competing gang.
Members of the affiliate network learn to mine Google Trends data for popular search terms, generate content around those terms and build link structures that trick search engines into ranking the malicious sites higher in results. The result is affiliate websites that can attract more than 10,000 page views a day and generate hundreds of thousands of dollars a year.
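As an added illustration of the defender's side of this trick (this is example code, not from the Sophos report or the article), the Python script below scores a handful of constructed sample pages for the two traits just described: text stuffed with currently trending search terms and dense cross-linking within a small cluster of affiliate sites. The trending-term list (standing in for Google Trends data), the sample HTML, the `.example` hostnames and the thresholds are all assumptions made for the demonstration.

```python
"""Heuristic scorer for SEO-poisoned affiliate pages (added example).

Two traits from the article are checked: text stuffed with trending
search terms (a constructed list stands in for Google Trends data) and
outbound links that point into a small cluster of affiliate sites.
Sample pages, hostnames and thresholds are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for terms mined from Google Trends.
TRENDING_TERMS = ["tamiflu", "h1n1", "swine flu"]


class _PageParser(HTMLParser):
    """Collects visible text and the hosts of absolute outbound links."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.link_hosts = []
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            host = urlparse(dict(attrs).get("href", "")).hostname
            if host:  # relative links have no host and are ignored
                self.link_hosts.append(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)


def analyze_page(html, trending_terms=TRENDING_TERMS):
    """Return word count, trending-term density and outbound link hosts."""
    parser = _PageParser()
    parser.feed(html)
    words = re.findall(r"[a-z0-9]+", " ".join(parser.text_parts).lower())
    text = " ".join(words)
    hits = sum(text.count(term) for term in trending_terms)
    return {
        "words": len(words),
        "trend_density": hits / max(len(words), 1),
        "link_hosts": parser.link_hosts,
    }


def score_pages(pages, trending_terms=TRENDING_TERMS, density_threshold=0.15):
    """Score a set of pages (host -> HTML). A page is flagged for term
    stuffing above the threshold and for linking to two or more other
    hosts in the same set, the cross-linking an affiliate cluster shows."""
    results = {}
    for host, html in pages.items():
        info = analyze_page(html, trending_terms)
        reasons = []
        if info["trend_density"] >= density_threshold:
            reasons.append("trending-term stuffing")
        peers = {h for h in info["link_hosts"] if h in pages and h != host}
        if len(peers) >= 2:
            reasons.append("cross-links into affiliate cluster")
        results[host] = reasons
    return results


# Constructed sample pages: three cross-linked affiliate sites, one clinic page.
def _affiliate_page(peer1, peer2):
    return f"""<html><head><title>Buy Tamiflu online</title>
<script>var track = 1;</script></head><body>
<h1>Tamiflu H1N1 Tamiflu swine flu</h1>
<p>Cheap Tamiflu for H1N1 swine flu. Order Tamiflu now. H1N1 Tamiflu.</p>
<a href="http://{peer1}/">flu pills</a> <a href="http://{peer2}/">h1n1 meds</a>
</body></html>"""


SAMPLE_PAGES = {
    "cheap-tamiflu.example": _affiliate_page("flu-pills.example", "h1n1-meds.example"),
    "flu-pills.example": _affiliate_page("cheap-tamiflu.example", "h1n1-meds.example"),
    "h1n1-meds.example": _affiliate_page("cheap-tamiflu.example", "flu-pills.example"),
    "clinic.example": """<html><head><title>Seasonal flu guidance</title></head><body>
<p>Wash your hands, stay home when sick and ask a doctor before taking
any antiviral medication. Vaccination remains the best protection.</p>
<a href="http://example.org/">More information</a></body></html>""",
}

if __name__ == "__main__":
    for host, reasons in score_pages(SAMPLE_PAGES).items():
        print(f"{host}: {'flagged: ' + ', '.join(reasons) if reasons else 'clean'}")
```

Running the script flags the three `.example` affiliate pages on both counts and leaves the clinic page clean. The density threshold is deliberately crude; what makes the check useful in practice is combining the term-stuffing signal with the link graph, since a single keyword-heavy page is unremarkable while a tight ring of pages all linking to each other and all built around the same trending terms is the footprint of the linking scheme the report describes.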
The good news, says Sophos’ Dmitry Samosseiko, is that security researchers are gaining a better understanding of the affiliate networks and are working closely with law enforcement to get rogue networks shut down.
Billing and hosting companies are becoming more responsive to abuse reports and do cut off rogue businesses. The most dangerous sides of the affiliate business, such as scareware, are being forced to close or go underground, which affects their operational costs.
Let’s hope this is true. Unfortunately the cat-and-mouse game continues. I’m sure many cybercriminals out there are working on the next trick to gain visibility and slurp up more cash from the victim pool. As Sophos security evangelist Graham Cluley puts it, the affiliate sites have the potential to snowball into other illegal activities, including selling victim data to other hackers, spreading malware and rogue antivirus, basically spinning a web of cybercriminal activity around the victims who buy into the phony pharmaceutical websites and other rogue Web pages.