The Bahama botnet, a network of thousands of compromised computers, is using Google and other search engines, including Yahoo and Bing, to serve counterfeit web pages for advertising purposes.
The botnet spreads through malware distributed by fake antivirus scams. Compromised PCs receive forged DNS replies for google.com and other search engine domains, an attack known as "DNS poisoning". As a result, affected users are sent to a fake page, hosted in Canada, that looks exactly like Google.com. The results are probably gathered from the real google.com search engine, but they are modified before being displayed to the user. Evidence shows that the returned URLs are masked CPC (cost-per-click) addresses, redirecting the user through a series of ad networks before the original page is shown.
“The idea is to make money through click fraud,” said Matt Graham, a risk analyst at Click Forensics.
“When those people actually do searches, that’s when these guys can display these ads hidden in the organic search results.”
As a side effect of the DNS poisoning, Google’s sponsored links are not changed or redirected to smaller ad networks, yet clicks on those sponsored links never go through Google, causing Google to lose revenue. A Google spokeswoman stated: “We are investigating and monitoring this issue just as we investigate and monitor many other botnets and schemes every day”.
An example of the procedure is shown in this video, using Firefox with an extension that tracks outgoing connections. As demonstrated, the scam website looks similar to the real Google; however, the IP address the browser connects to is not part of google.com’s legitimate IP pool.
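The check the video performs by hand, comparing the address a machine actually connects to against the address ranges the domain owner legitimately uses, can be automated as a small detection script. The following Python is an added example written for this page, not code from the article or from Click Forensics. It assumes an operator-maintained table of expected address ranges per hostname (the prefixes used here are constructed RFC 5737 documentation ranges, not Google's real addresses) and, optionally, answers from a trusted reference resolver to compare against the local stub resolver's answers.

```python
import ipaddress
import socket

# Constructed placeholder table: the address ranges an operator expects a given
# hostname to resolve into. Real entries would come from the domain owner's
# published ranges; these RFC 5737 documentation prefixes are sample data only.
EXPECTED_RANGES = {
    "google.com": ["192.0.2.0/24", "198.51.100.0/24"],
}


def unexpected_answers(hostname, answers, expected=EXPECTED_RANGES):
    """Return the resolved addresses that fall outside the expected ranges.

    A poisoned resolver hands back an address the domain owner does not
    control, so any answer outside the known ranges is worth flagging.
    """
    nets = [ipaddress.ip_network(n) for n in expected.get(hostname, [])]
    flagged = []
    for answer in answers:
        addr = ipaddress.ip_address(answer)
        if not any(addr in net for net in nets):
            flagged.append(answer)
    return flagged


def resolver_disagreement(local_answers, reference_answers):
    """Addresses the local resolver returned that a trusted reference resolver did not.

    Comparing two independent resolvers catches poisoning even when the
    expected-range table is incomplete or out of date.
    """
    return sorted(set(local_answers) - set(reference_answers))


def check_host(hostname, local_answers, reference_answers=None, expected=EXPECTED_RANGES):
    """Combine both checks into one verdict for a hostname.

    Returns a dict describing what was flagged; 'suspicious' is True when
    either check found something.
    """
    outside = unexpected_answers(hostname, local_answers, expected)
    disagreement = []
    if reference_answers is not None:
        disagreement = resolver_disagreement(local_answers, reference_answers)
    return {
        "hostname": hostname,
        "outside_expected": outside,
        "not_in_reference": disagreement,
        "suspicious": bool(outside or disagreement),
    }


def resolve_local(hostname):
    """Live lookup through the system (stub) resolver. Not used by the offline demo."""
    _, _, addresses = socket.gethostbyname_ex(hostname)
    return addresses


if __name__ == "__main__":
    # Constructed sample: the local resolver returns an address outside the
    # expected ranges, while the reference resolver returns a legitimate one.
    poisoned = ["203.0.113.7"]
    reference = ["192.0.2.10"]
    print(check_host("google.com", poisoned, reference))
    # A clean machine: both resolvers agree on an in-range address.
    print(check_host("google.com", ["192.0.2.10"], ["192.0.2.10"]))
```

In a real deployment the `resolve_local` helper would feed `check_host`, and the reference answers would come from a resolver the machine does not share a cache with (for example, one reached over an authenticated channel), since a poisoned local cache cannot be trusted to validate itself.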
