Usual nasty business!

Date : October 02, 2008

Some time ago, one of our members informed us that a website he visited was exhibiting strange behaviour: www.exemple.com (we have voluntarily changed the real name of this website) shows completely different content depending on the path the visitor followed to reach it.

This behaviour is commonly known as "cloaking". The web server performs it by first looking at the headers included in the visitor's HTTP request (typically the "User-Agent" and "Referer" fields) before deciding which of several web pages to display. The term "cloaking" is mainly used when the technique is aimed at search engines, in the expectation that the cloaked pages will get a higher ranking in the result pages.

In the case of the www.exemple.com website, the "cloaking" scheme was used to display alternate content to visitors who come from a result page of the Google search engine. This alternate content, which looks exactly like a blog page built from a www.blogger.com template, says:

  • You are interested in "exemple.com", are you?
  • If so, you should also look at the following web sites!

Half a dozen links to websites allegedly related to www.exemple.com are then listed on the blog page.

After deeper investigation, we were able to confirm that www.exemple.com had actually been hacked and that the cloaking mechanism had been silently installed by the hacker (the website's owner was not aware of it). The links listed on the fake blog page are actually "pay per click" links: each time a visitor clicks on such a link, the hacker receives a small remuneration from the visited site (a hidden parameter named "Affiliate-Id" is included in the URLs in order to tell the visited site which affiliate should be rewarded). If you are interested and want to learn more technical details regarding this hacking technique, you can read the analysis published by François Paget on the McAfee Avert Labs' blog, an analysis originating from joint work with the Cert-IST.
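Because the cloaking decision is taken from the request headers, a site owner can check his own site for it from the outside: fetch the same URL once directly, once with a Google search page as referer, and once with a Googlebot user-agent, and compare what comes back. The script below is an added example (it is not code from the Cert-IST article nor from the McAfee analysis) that does exactly that and, when the contents differ, lists the off-site links carrying an affiliate-style query parameter such as the "Affiliate-Id" described above. The `fetch` callable, the `.invalid` partner hosts and the two constructed HTML pages are assumptions made so that the check can be run offline; for a live check, pass no `fetch` argument and the `urllib` helper is used.

```python
"""Referer/User-Agent cloaking check for a site you administer.

Added example, not code from the article. Assumptions:
- `fetch(url, headers)` is any callable returning the HTML body as text
  (`http_fetch` below for live use, `fake_cloaking_fetch` for the demo).
- The referer and user-agent strings are illustrative; real search
  engines may send different values.
"""
import difflib
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Request variants compared against the plain ("direct") request.
VARIANTS = {
    "direct": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    "from_google": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                    "Referer": "https://www.google.com/search?q=exemple.com"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
}

# Query parameter names that look like affiliate identifiers (case-insensitive).
AFFILIATE_PARAM_RE = re.compile(r"affiliate", re.I)


def http_fetch(url, headers, timeout=10):
    """Live fetch with the given headers; returns the body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


class _LinkExtractor(HTMLParser):
    """Collects every href of an <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def similarity(a, b):
    """Ratio in [0, 1] between two bodies, ignoring whitespace differences."""
    norm = lambda s: re.sub(r"\s+", " ", s).strip()
    return difflib.SequenceMatcher(None, norm(a), norm(b)).ratio()


def affiliate_links(html, site_host):
    """Off-site links whose query string carries an affiliate-style parameter."""
    found = []
    for href in extract_links(html):
        u = urlparse(href)
        if not u.netloc or u.netloc.endswith(site_host):
            continue  # relative or same-site link: not a pay-per-click redirect
        if any(AFFILIATE_PARAM_RE.search(k) for k in parse_qs(u.query)):
            found.append(href)
    return found


def check_cloaking(url, fetch=http_fetch, threshold=0.9):
    """Compare each variant with the direct fetch; flag bodies below threshold."""
    baseline = fetch(url, VARIANTS["direct"])
    host = urlparse(url).netloc
    report = {"cloaked": False, "variants": {}, "affiliate_links": []}
    for name, headers in VARIANTS.items():
        if name == "direct":
            continue
        body = fetch(url, headers)
        ratio = similarity(baseline, body)
        report["variants"][name] = round(ratio, 3)
        if ratio < threshold:
            report["cloaked"] = True
            report["affiliate_links"].extend(affiliate_links(body, host))
    return report


# Constructed stand-in for a compromised server so the check runs offline:
# the real page is served unless the request carries a Google referer.
_REAL_PAGE = "<html><body><h1>Welcome to exemple.com</h1><p>Our products</p></body></html>"
_FAKE_BLOG = ("<html><body><h2>You are interested in exemple.com, are you?</h2>"
              "<a href='http://partner-one.invalid/?Affiliate-Id=1234'>Site 1</a>"
              "<a href='http://partner-two.invalid/?Affiliate-Id=1234'>Site 2</a>"
              "</body></html>")


def fake_cloaking_fetch(url, headers):
    if "google.com" in headers.get("Referer", ""):
        return _FAKE_BLOG
    return _REAL_PAGE


if __name__ == "__main__":
    print(check_cloaking("http://www.exemple.com/", fetch=fake_cloaking_fetch))
```

Against the constructed server the Googlebot variant scores 1.0 (the hacker here keys on the referer, not the user-agent), while the Google-referer variant falls well below the threshold and both affiliate links are reported. On a real site a low ratio can also come from legitimate personalisation, so the threshold is a starting point rather than a verdict; the listed off-site affiliate links are the part worth reading.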

After searching the Internet using some "Google hacking" techniques (see the article on "Google hacking" we published in March 2005), we found that more than 80 other websites have also been modified by the same "cloaking" scheme. It seems that the hacker behind this has devised the following questionable "business":

  • First, hack as many vulnerable websites as possible.
  • Then, install on each one a "cloaking" mechanism that displays attractive "pay per click" links to visitors reaching the site from a Google search.
  • Finally, earn money for every click performed by such visitors on these links.

If enough websites participate in this "business", the revenues could be rather significant.

This scam can be presented as a "usual nasty business" because, although it is illegal, it is also almost harmless:

  • The hacked website is not affected for any visitor who does not come from the Google search engine.
  • The fake blog page presented to Google visitors is harmless. It does not try to attack visitors; it just displays links which may look attractive. If the visitor clicks on one of these links, he will visit a genuine website (although not really related to his interests) and probably lose just a couple of seconds before he goes somewhere else.

We also call it a "usual nasty business" because nobody seems to care about that "business". In particular, companies that pay for "pay per click" links apparently do not really care about the methods their affiliates use to direct visitors to their sites. They probably think that "a visitor is a visitor" and spend more time fighting pay-per-click bots (i.e. compromised machines hosting "bots" that generate fake "clicks") than fighting unethical affiliates.

Finally, it is a "usual nasty business" because I suspect that the risk of the hacker being prosecuted is very low (is there any financial loss for the impacted parties?). I am sure that some of the hackers who use this type of scam feel like Robin Hood…

A last word to conclude this article: the hacked site cited in the article by François Paget published two months ago is still alive… and still hacked by the same cloaking scheme… Business as usual!
