Wednesday, April 21, 2010

Scam Constellations and Spam Link Architectures

Scams come in all shapes and sizes, even on the Internet. One thing that I've noticed while doing research for RescueTheWeb is that the scammers are persistent in inventing new architectures that meet their needs. This article is a brief survey of the scamming link architectures I've found.

When I talk about scamming architecture I'm referring to the link structure that scammers use to 1.) raise their Google Page Rank and 2.) draw you to their scam websites.

1. The Point Source Scam Site:In this architecture there is a single scam site that doesn't necessarily use hacking of other websites to create links to their scam site. The site is all alone and probably has low Google Page Ranking and doesn't show up too high is search results. There are probably not many of these types of scam sites since they would be hard to find and would have a low number of visitors.

2. The 2-tier Scam Architecture:
In this architecture there is a single scam site that uses hacking to disperse links around the Internet to point to their single scam site. This technique raises their Google Page Rank. Many times the website breaches are specially crafted to only be visible to Google/Yahoo!/Bing so that their page rank is raised without raising suspicion from the rightful website owner.

3. The 3-tier Scam Architecture:
In this architecture there a single scam site that uses two layers of hacked websites to cleverly raise the page rank and ensure they throw a large net to catch possible victims. This architecture is unique in that it uses a combination of redirects and links to bring the user to the goal scam site.

4. Another 3-tier Scam Architecture:
The problem with the previous architecture, from the scammers perspective, is that it requires the user to click on that first link. Typically, the link-based infections (that actually show links to the visitors) are a little sloppy and probably don't have a high click-through rate. To increase their click-through rate (which they appear to be watching based on how their URL's contain tracking parameters), the scammers have come up with scam search engines too. Typically they create faux-Google search engines where the scammer owns all the search results. This is very convenient for the scammer since they can direct the visitor anywhere they want.

To trick the visitors they use convenient keywords (bait) on the breached sites to pull in a high Google Page Rank, then when the visitor clicks on the Google link they are taken to the faux-Google (switch) which contains only links to scam businesses.

The transition from the real Google to the fake Google is nearly instant and probably not obvious to most users who will simply think it's a glitch and continue browsing.

To hide these fake Google's from direct access by search engine crawlers, and curious people, you can only view the fake Google results if you come at them from a link embedded in an infected website.

5. Scam Constellations:
As if this prior architecture wasn't good enough, the scammers wanted to make it robust to detection and shutdowns. Now scammers are creating constellations of scam sites that work together to direct visitors to their scam businesses. In the examples I've seen the names of the constellation scam sites are nearly identical with only one character changing between domain names. For example:,,, etc... One constellation had 24 nearly identical domain names within it.

These are the scam link architectures that I've recently seen on the Internet. There are probably many more. Please send me your observations, so we can add it to the RescueTheWeb analysis engine.

Friday, April 16, 2010

When Google isn't helping, just make your own...

Google vs. Googpillc
During our research of infected websites we ran into this interesting find. We found a website that looks nearly identical to Google, but it isn't Google.

This is an interesting twist to the typical approach of simply redirecting the user directly to questionable pharmacies. With the faux-Google approach the attackers are trying to regain the victim's trust by presenting them with a Google-like appearance and even offering them a list of (fraudulent) pharmacies to visit.

The faux-Google is complete with advertisements on the right side of the screen. Just think, the miscreants might be selling advertising positions to their cohorts. Underground-AdWords.

Website Access
If you simply go to the website you will only see an 'under construction' warning and nothing will appear abnormal.

However, if you are brought to the website from another infected website then the faux-Google facade will appear.

Outbound Links
The number of websites that are presented to the visitor appear to be limited, they are reused in several times in the search results. The search results vary but the outbound links are limited.

Browsing Caution
As if there isn't enough reason for caution while browsing the Internet, this is just one more reason. Always be sure to keep an eye on the URL you are currently visiting, it might have jumped to another website without you knowing it.