Cybercriminals infect almost 1 million computers with malware that hijacks search results, even when they're served over encrypted HTTPS connections.
Over the past two years, a group of cybercriminals has infected almost 1 million computers with malware that hijacks search results, even when they're served over encrypted HTTPS connections.
The click-fraud botnet earns its creators money through Google's AdSense for Search program, according to researchers from security firm Bitdefender. The affiliate program, intended for website owners, allows them to place a Google-powered custom search engine on their websites to generate revenue when users click on ads displayed in the search results.
Instead of doing that, this botnet's operators intercept Google, Bing, and Yahoo searches performed by users on their own computers and replace the legitimate results with those generated by their custom search engine. They do this using a malware program that Bitdefender products detect as Redirector.Paco.
Since mid-September 2014, Redirector.Paco has infected more than 900,000 computers worldwide, mainly from India, Malaysia, Greece, the U.S., Italy, Pakistan, Brazil, and Algeria, the Bitdefender researchers said in a blog post Monday.
The malware is included in modified installers for well-known programs, such as WinRAR, Connectify, YouTube Downloader, Stardock Start8, and KMSPico, which are distributed on the Internet. Once installed on a computer, Redirector.Paco modifies its Internet Settings to use a Web proxy server specified by the attackers in a PAC (Proxy auto-config) file.
There are two variants of the malware: one where the PAC file and proxy are hosted on a remote server and one where they are hosted on the local computer. In both cases, the malware installs a self-generated root certificate in the computer's certificate store in order to generate rogue certificates for Google, Yahoo, and Bing that would be accepted by the victim's browser.
Read more here: www.computerworld.com/article/3071007/security/an-https-hijacking-click-fraud-botnet-now-infects-almost-1m-computers.html