Kmeth Worm Goes After High CPC: Mesothelioma

Another day, another worm- this one we dubbed w32.Kmeth Worm.

People talk about invalid clicks versus click fraud- in this case it is a little unclear- you be the judge.
As an advertiser what would you call this? No forced click, but the traffic source- not what I call qualified.

One aspect I noted: the author(s) of this scheme were using a "traffic cleaner service", I presume to filter out visitors from known high-fraud regions and keep the footprint low. Pretty sneaky.

The author goes a step further and shows some sophistication by realizing that a fast-propagating worm is not country-sensitive: it brings traffic from everywhere, and that traffic will likely trigger an ad network's fraud filters. This is worked around with the TrafficCleaner service, a simple IP-filtering service called through an iframe.

When a visitor enters the website, the iframe is loaded along with the page. The visitor's IP address is checked against the site operator's "Filter settings". If the visitor is "allowed", nothing happens and the visitor browses the intended site as normal; in this case that is a page with just enough content to trigger the high-paying keywords, plus advertisements and search boxes all designed to get the user to click through.

If, instead, the visitor is from a "Banned" country, he or she is "filtered out" of the page and forwarded to the alternative URL the operator has set in the "Filter settings". In either case a cookie is placed on the visitor's computer, so no further checking is needed when that visitor returns or visits other pages where the operator also pasted the code, until the cookie is deleted or expires.

While this service has legitimate uses, for example a company that can only ship to the United States or does not wish to ship to certain countries, in this case the code is used to block certain visitors. More than likely it is filtering out traffic from known high-fraud regions so that the Kmeth worm's delivery mechanism does not raise suspicion: by looking at a visitor's IP address it is possible to determine the country of origin and keep the "footprint" low.

The target word of the plan: Mesothelioma, a rare form of cancer commonly caused by prolonged exposure to asbestos, and the subject of a great deal of litigation. Advertiser spend on these keywords is high, making this an "elephant word", a word with a high payout and a prime target for malware writers to exploit. Bids can range from $4.00 to $13.00 per click.

Ouch. No wonder lawyers charge so much. Full Entry at Greynets Blog.

ADDENDUM: More at Slashdot, but most commenters don't totally get it. The best way to classify this is "syndication fraud", as I noted in the blog summary at SPG: the delivery mechanism, not forced clicks, is the core of the issue.