The next big threat to Web security has less to do with phishing and more to do with affiliation networks, according to a recent Web security report.
According to Finjan, a San Jose-based Web security provider, hackers are now using sophisticated affiliation networks that provide a hosting model for malicious code. Webmasters and bloggers who include the infected code on their sites are then paid according to the number of infected visitors they accumulate.
Think Google AdSense -- but for hackers.
Users who run blogs or small Web sites can earn small amounts of money through services such as Google AdSense or DoubleClick.
"You hope somebody will click on those ads to get some pennies," Yuval Ben-Itzhak, CTO of Finjan, said. "But, hackers have realized that with their own affiliation programs, they can encourage bloggers and Webmasters to include their hidden ads in exchange for big dollars."
In a malicious code package obtained by Finjan, payouts are shown to range from as low as $15 to as high as $500 (per 1000 infected users) depending on the country. Interestingly, generating infected users from Australia will earn affiliates the high dollar amount.
Ben-Itzhak said that these hackers can afford to pay these huge rates because of the valuable information they gather from infected users.
"The malicious code includes Trojans and keyloggers that collect data, such as credit card information, which is later sold online for big profits," Ben-Itzhak said. "And because the code is hidden, everyone visiting the site won't suspect it's been compromised and the Webmaster won't be alerted either."
Ronald O'Brien, senior security analyst at anti-spam software provider Sophos, said that this form of infection is often seen in Web 2.0 sites such as Wikipedia and MySpace because they allow user editing. However, he said, these techniques have now made their way to traditional Web sites.
"Web sites that don't necessarily promote editing, but because they are architecturally insecure, allow this type of hacking to occur," O'Brien said. "Plus, people who threw up Web sites for the purpose of having a presence on the Web, often did so by using an open-source code, and this has effectively left the keys in the lock for hackers to exploit."
But Ben-Itzhak said that pretty much any site can be at risk, as these affiliation network techniques have even been used to compromise highly popular Web sites and government domains.
"When we contact the site owners, they are usually surprised and don't believe they are infected," he said. "But when we show them the code they are shocked."
Ben-Itzhak said that hackers who can successfully insert malicious code into highly popular and reputable sites are often in a win-win situation. "Firstly, the high-traffic Web sites lead to more users," he said. "Secondly, these high-traffic sites will never be blocked by URL filtering and reputation services because they are established domains."
This represents a major change from several years ago, when hackers were content with simply changing a Web site's graphics in order to prove they had defaced it, Ben-Itzhak said.
Comments (1)
RE: Affiliation networks: Google AdSense for hackers
By ForestWander on August 6, 2007, 9:38 am
No doubt this is attractive to money-hungry people with little to no morals. However, this may have a more widespread effect than thought. If the legitimacy of ads...