Select Page

After working with the folks at and we’ve sorted out the trail left by scammers behind Trojan.StartPage.SSSPP.

Basically, it was a two-step click-fraud operation that centered on changing (victim) Web users’ home pages to redirect to sites (including Those visitors who (unwillingly) went to sites as a result made money for the iframedollars/virut gang.

Step 1 – The gang offered a Trojan downloader (Trojan.StartPage.SSSPP) on a crack site that redirected victims’ home pages to various sites.

Step 2 — The gang had become an advertising affiliate of and the visitors that were sent to the sites as a result of the Trojan, carried the gang’s affiliate ID (in URLs). So, the gang was getting paid for all the visits.

We said Friday that the sites were infected with Trojan.StartPage.SSSPP. As a result their site was blacklisted. As it turned out, at no time were sites or ever infected or hosting any malware to infect visitors.

Based on Sunbelt research, was able to identify the affiliate ID that belonged to the gang and ban it as an affiliate.

Glad Sunbelt could help. Sorry about the blacklist thing.

Tom Kelchner

(Patrick and Alex too)