After working with the folks at Highprofits.com and Fliqz.com we’ve sorted out the trail left by scammers behind Trojan.StartPage.SSSPP.
Basically, it was a two-step click-fraud operation that centered on changing (victim) Web users’ home pages to redirect to Highprofits.com sites (including fliqz.com.) Those visitors who (unwillingly) went to Highprofits.com sites as a result made money for the iframedollars/virut gang.
Step 1 – The gang offered a Trojan downloader (Trojan.StartPage.SSSPP) on a crack site that redirected victims’ home pages to various Highprofits.com sites.
Step 2 — The gang had become an advertising affiliate of Highprofits.com and the visitors that were sent to the Highprofits.com sites as a result of the Trojan, carried the gang’s affiliate ID (in URLs). So, the gang was getting paid for all the visits.
We said Friday that the Highprofits.com sites were infected with Trojan.StartPage.SSSPP. As a result their site was blacklisted. As it turned out, at no time were Highprofits.com sites or Fliqz.com ever infected or hosting any malware to infect visitors.
Based on Sunbelt research, Highprofits.com was able to identify the affiliate ID that belonged to the gang and ban it as an affiliate.
Glad Sunbelt could help. Sorry about the blacklist thing.
Tom Kelchner
(Patrick and Alex too)