9/18/2008 6:35:00 PM

Less phish, more meat? Malweb proving to be more efficient than phishing scams.

by Iftach Ian Amit

In a somewhat below-the-radar publication, the Anti-Phishing Working Group (APWG) Q1 report shows, for the first time, a decrease in the number of phishing reports towards the end of the quarter.

In a startling (although expected) contrast, reports on crimeware, malware, Trojans and other malicious code (all delivered by Malweb!) are on the rise, as the attack vector that uses Malweb is proving to be the most efficient ROI-wise.

Our view on this: obvious! Phishing is a one-off that targets a single institution. It may be efficient for a short time, as these sites are detected and brought down rather quickly. Malweb, on the other hand, is a long-term investment. It brings the ability to install a more persistent rootkit/Trojan on the victim’s system, which provides a more configurable platform for financial fraud than a phishing scam would.

The report is available at http://apwg.org/reports/apwg_report_Q1_2008.pdf.


malweb | Web-based Trojans | Online Fraud

7/7/2008 10:10:00 AM

Hacked websites used to defraud Yahoo! Search Marketing

by Oren Medini

This campaign marks a new wave of web attacks carried out for click fraud purposes against Yahoo!’s advertising service.

CSRT researchers have exposed a Web attack in which hundreds of hacked websites are being used in an unprecedented type of click fraud campaign. Visitors to hacked legitimate websites get redirected to a fraudulent website featuring Yahoo! Search Marketing links that charge per click. Unexpectedly, there were no malware or exploits involved in this attack. Hackers planted a well-obfuscated script on the compromised websites. The script generates an iframe tag leading visitors to the same fraudulent website.

In an attempt to camouflage the redirection, the script spoofs the said website’s address, making it look like the original legitimate website’s URL.

In order not to arouse the suspicion of Yahoo! Search Marketing, a cookie file is placed on the visitors' systems to prevent a specific user from being redirected more than once, thereby guaranteeing a single click for each user.
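For owners of potentially affected sites, the combination described above (obfuscated inline script, generated iframe, cookie check) can be looked for in served pages. The following is an added example, not code from the original post or from the campaign: the injected script is not shown on this page, so the obfuscation style (percent-encoding behind `eval`/`unescape`), the function names and the sample pages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b|createElement\(\s*['\"]iframe['\"]", re.I)
COOKIE_RE = re.compile(r"document\.cookie", re.I)
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|fromCharCode)\s*\(|(?:%[0-9a-f]{2}){8,}", re.I)

def peel(js, max_layers=5):
    """Percent-decode repeatedly so text hidden behind unescape() layers is visible."""
    for _ in range(max_layers):
        decoded = unquote(js)
        if decoded == js:
            break
        js = decoded
    return js

def score_script(js):
    """List which of the three traits from the write-up one inline script shows."""
    clear = peel(js)
    findings = []
    if OBFUSCATION_RE.search(js):      # judged on the raw, still-encoded text
        findings.append("obfuscation")
    if IFRAME_RE.search(clear):        # judged after decoding
        findings.append("iframe-injection")
    if COOKIE_RE.search(clear):
        findings.append("cookie-gate")
    return findings

def scan_page(html):
    """Flag inline scripts that build an iframe and show at least one other trait."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        findings = score_script(body)
        if "iframe-injection" in findings and len(findings) >= 2:
            hits.append(findings)
    return hits

# Constructed samples (assumed shapes, placeholder domain), not captured from the attack.
_PLAIN = ('if(document.cookie.indexOf("seen=1")<0){document.cookie="seen=1";'
          'document.write("<iframe src=\'http://redirect.example/\'></iframe>");}')
_ENCODED = "".join("%%%02x" % b for b in _PLAIN.encode("ascii"))
SAMPLE_INFECTED = "<html><body><p>Hi</p><script>eval(unescape('%s'))</script></body></html>" % _ENCODED
SAMPLE_CLEAN = ("<html><body><script>document.cookie='lang=en';</script>"
                "<iframe src='/map.html'></iframe></body></html>")

if __name__ == "__main__":
    print(scan_page(SAMPLE_INFECTED), scan_page(SAMPLE_CLEAN))
```

A static check like this only sees encodings it knows how to peel; comparing served pages against a known-good copy of the site catches injected scripts regardless of how they are obfuscated.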

We noticed that the fraudulent website in question has a remarkable rank of 119,786 according to Alexa.

The redirections to this website have massively increased its rank in a relatively short period of time. Below is a graph taken from Alexa showing a leap in the website’s daily reach, which we believe is a direct result of the whole web attack and the traffic flowing from the compromised websites.

The fraudsters behind this campaign use a noteworthy technique for fetching sponsored links into their fraudulent website. Once the user clicks on one of the suggested topics on the website, the website searches predefined suspicious search engines for the same topic and shows a whole page featuring Yahoo! sponsored links accordingly.


Online Fraud