Threat Research & Response Blog
It is clear that breaking search engine rules and exploiting functionality to drive traffic and monetize content is a lucrative and extremely viable business for unethical or so-called "blackhat" search engine optimization (SEO). We have recently seen another method of driving traffic and monetizing content that doesn't involve directly serving malicious content via search engine results, but rather uses a modified version of an Internet advertising technique known as content locking.
According to information released in May by the Interactive Advertising Bureau (IAB), "Internet advertising revenues in the U.S. hit $7.3 billion for the first quarter of 2011, representing a 23 percent increase over the same period in 2010". The full IAB 2010 report contains more detailed information, suggesting that search was the most popular ad format for 2010, representing 46% of $26 billion in revenue.
Content locking is an ad content delivery model that forces visitors to complete an action before they can access desired content. This model can be monetized with cost-per-action (CPA) offers that provide visitors with some form of incentive, such as a service or free content, for performing the required action. Most affiliate websites enable this feature by using content locking software or tools, which basically lock the content, and then communicate with an ad-content gateway in order to capture CPA offers.
Trojan:Win32/AdsLock.A is a newly discovered threat that was found exploiting this model, but instead of locking web content, it is designed to lock the affected user's computer screen. It communicates with a malicious content gateway, which serves unwanted and controversial or illegal images to the affected user. It then displays the following threatening message, implying that the user has been engaged in an illegal activity:
Constructor:Win32/AdsLock.A is a detection for a malicious tool that generates Trojan:Win32/AdsLock.A, which we have observed being distributed and promoted as an SEO tool. The constructor includes limited features, and seems to be in the early stages of development. However, it's worth noting that the idea presents an opportunity to maximize monetization from infections.
- Methusela Cebrian Ferrer