bid.consulting-info.eu (Click fraud botnet hosted by quadranet.com)

Resolved bid.consulting-info.eu to s1.fclick.org (cname)
Resolved s1.fclick.org to 96.44.149.187

Server:   bid.consulting-info.eu
Gate file:  /feed/xml.php?uid=219  

More click fraud courtesy of French hecker h4r3. This time it looks a bit more sophisticated though. I’m assuming this is an affiliate program, as while it’s using h4r3’s domain, it points to another site. If you search for a URL containing %/feed/xml.php?uid=% on clean-mx you’ll find numerous other domains, many of which seem advertising related. Those that are still alive also point to s1.fclick.org.

The C&C seems to work similarly to the other click fraud bot posted, with the URLs to be clicked contained in a script on the page. Some of the URLs are contained in redirects that expire minutes later, presumably after a certain number of clicks have gone through.

Initial redirects

The same redirect a few minutes later

The bot appears to use the same Firefox 16 user agent for all of the clicks.
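The behaviour described above (a fetch of the `/feed/xml.php?uid=` gate followed by a run of clicks that all carry a Firefox 16 user agent) can be hunted for in proxy logs. The following is an added example, not code from the original post: the log layout, the client addresses, the `example.*` domains, the exact user-agent strings and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

GATE_PATH = "/feed/xml.php"                  # gate file path from the post
KNOWN_HOSTS = {"bid.consulting-info.eu", "s1.fclick.org", "96.44.149.187"}
FF16 = re.compile(r"\bFirefox/16\.")         # assumed token for a Firefox 16 UA

# Constructed sample proxy log, tab-separated: epoch, client, URL, user agent.
UA16 = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
UA_OTHER = "Mozilla/5.0 (Windows NT 6.1) Chrome/23.0 Safari/537.11"
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("1000", "10.0.0.5", "http://bid.consulting-info.eu/feed/xml.php?uid=219", UA16),
    ("1010", "10.0.0.5", "http://ads.example.com/r?id=1", UA16),
    ("1015", "10.0.0.5", "http://ads.example.com/r?id=2", UA16),
    ("1020", "10.0.0.5", "http://shop.example.org/landing", UA16),
    ("1100", "10.0.0.7", "http://feeds.example.net/feed/xml.php?uid=7", UA16),
    ("1105", "10.0.0.7", "http://ads.example.com/r?id=3", UA16),
    ("1110", "10.0.0.7", "http://ads.example.com/r?id=4", UA16),
    ("1115", "10.0.0.7", "http://ads.example.com/r?id=5", UA16),
    ("1200", "10.0.0.9", "http://news.example.org/", UA16),
    ("1205", "10.0.0.9", "http://news.example.org/feed/xml.php", UA16),
    ("1300", "10.0.0.8", "http://s1.fclick.org/feed/xml.php?uid=3", UA_OTHER),
    ("1310", "10.0.0.8", "http://ads.example.com/r?id=6", UA_OTHER),
])

def find_suspects(log, window=600, min_clicks=3):
    """Flag clients that fetch the gate, then send >= min_clicks Firefox 16
    requests elsewhere within `window` seconds of that fetch."""
    last_gate = {}
    hits = defaultdict(lambda: {"gate_hosts": set(), "clicks": 0})
    for line in log.splitlines():
        ts, client, url, ua = line.split("\t")
        ts, u = int(ts), urlsplit(url)
        if u.path == GATE_PATH and "uid" in parse_qs(u.query):
            last_gate[client] = ts
            hits[client]["gate_hosts"].add(u.hostname)
        elif (client in last_gate and ts - last_gate[client] <= window
              and FF16.search(ua)):
            hits[client]["clicks"] += 1
    return {c: h for c, h in hits.items() if h["clicks"] >= min_clicks}

def new_gate_hosts(suspects):
    """Gate hosts seen in the log that are not already listed in the post."""
    return set().union(*(h["gate_hosts"] for h in suspects.values())) - KNOWN_HOSTS

if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    print(found, new_gate_hosts(found))
```

Matching on the gate path rather than on the known hostnames is what surfaces additional domains using the same feed, as with the constructed `feeds.example.net` entry.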

More information about the site can be found at its phpinfo page, located here: hxxp://s1.fclick.org/1.php
A way to get in touch with the owner of the affiliate program is located here: hxxp://s1.fclick.org/r.php
A pastebin showing the C&C page is located here

Hosting info: http://whois.domaintools.com/96.44.149.187

1 Comment

Anonymous - January 3, 2013 at 8:05 pm

Another URL linking there:

hxxp://reliablyrebroadcast.org/ad/feed.php -> hxxp://ad.zautoclick.com/

The rDNS points to the same fclick.org host.
