Select Page is a part of the pay-per-click affiliate search program and is known for working with home page hijackers. has now started using a new type of scam: A fraudulent pay-per-click scheme that Sunbelt calls Misc.Iwin.Scam. In short, it’s a trojan that generates fake clicks.  These clicks earn money. is running this fraudulent scheme through at least two methods at present:  

The first involves the use of the WMF exploit served from the web site (which owns) that drops a payload file on PCs of victims who visit compromised web sites.

The second known method involves links to RAR compressed files that are disguised as “adult games” at the web site site (also controlled by Users are effectively tricked into un-zipping these RAR files and then running the executables inside, which are not “adult games” at all but instead payload files.

Once their PCs are infected, either through a WMF exploit or the fake RAR porn game files, users see nothing to indicate their PCs have been compromised. Unbeknownst to users, the payload files dropped by these installation schemes are transmitting fake clicks in the background to, which in turn passes those fraudently generated clicks to its own search feed partners.

Each time an infected computer restarts and re-connects to the Internet, the transmissions and fraudulent clicks resume.

Some of these advertising partners include:

The list goes on . . .

One thing that makes this scheme especially dangerous is that victims are being lured to the WMF exploit pages through web pages designed to turn up in Google searches on completely legitimate, innocent terms. For example, the web page for turns up in a Google search for “Cobra Health Insurance.”

Users who click through to the web site, which is a sub-domain of, could become infected with the Misc.Iwin.Scam Fraud Trojan if their PCs are not updated with the fix for the WMF vulnerability from Microsoft.

Patrick Jordan
Senior Spyware Researcher