
Searchadv.com is a part of the umaxsearch.com pay-per-click affiliate search program and is known for working with home page hijackers. Searchadv.com has now started using a new type of scam: a fraudulent pay-per-click scheme that Sunbelt calls Misc.Iwin.Scam. In short, it’s a trojan that generates fake clicks, and these clicks earn money.

Searchadv.com is running this fraudulent scheme through at least two methods at present:  

The first involves the use of the WMF exploit served from the web site loomcompany.com (which Searchadv.com owns) that drops a payload file on PCs of victims who visit compromised web sites.

The second known method involves links to RAR compressed files that are disguised as “adult games” at the web site pornocollection.net (also controlled by Searchadv.com). Users are effectively tricked into un-zipping these RAR files and then running the executables inside, which are not “adult games” at all but instead payload files.

Once their PCs are infected, either through a WMF exploit or the fake RAR porn game files, users see nothing to indicate their PCs have been compromised. Unbeknownst to users, the payload files dropped by these installation schemes are transmitting fake clicks in the background to Searchadv.com, which in turn passes those fraudulently generated clicks to its own search feed partners.

Each time an infected computer restarts and re-connects to the Internet, the transmissions and fraudulent clicks resume.

Some of these advertising partners include:

c.enhance.com
tripreservations.com
c.goclick.com
oemji.com
rx-select.com
dealtime.com
shopzilla.com
looksmart.com
goclick.com
ads.ask.com
freegiftworld.com
freepayingsurveys.com

The list goes on . . .

One thing that makes this scheme especially dangerous is that victims are being lured to the WMF exploit pages through web pages designed to turn up in Google searches on completely legitimate, innocent terms. For example, the web page for cobrahealthinsurance.loomcompany.com turns up in a Google search for “Cobra Health Insurance.”

Users who click through to the web site, which is a sub-domain of loomcompany.com, could become infected with the Misc.Iwin.Scam Fraud Trojan if their PCs are not updated with the fix for the WMF vulnerability from Microsoft.

Patrick Jordan
Senior Spyware Researcher