Resolved bid.consulting-info.eu to s1.fclick.org (cname)
Resolved s1.fclick.org to 18.104.22.168
Gate file: /feed/xml.php?uid=219
More click fraud courtesy of French hecker h4r3. This time it looks a bit more sophisticated, though. I’m assuming this is an affiliate program because, while it uses h4r3’s domain, it points to another site. If you search clean-mx for URLs containing %/feed/xml.php?uid=%, you’ll find numerous other domains, many of which seem advertising related. Those that are still alive also point to s1.fclick.org.
The C&C seems to work similarly to the other click fraud bot posted, with the URLs to be clicked contained in a script on the page. Some of the URLs are contained in redirects that expire minutes later, presumably after a certain number of clicks have gone through.
[Image: The same redirect a few minutes later]
The bot appears to use the same Firefox 16 user agent for all of the clicks.
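A detection sketch for the two indicators described above (the gate path and the fixed Firefox 16 user agent), added here as an example and not taken from the original post. The tab-separated log format, the client IPs, the example.* hosts, the `Firefox/16.` token match and the `min_click_hosts` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Gate path reported in the post: /feed/xml.php?uid=<number>
GATE_RE = re.compile(r"^/feed/xml\.php\?(?:[^#]*&)?uid=\d+", re.I)
# The post says only "Firefox 16"; matching the "Firefox/16." token is an assumption.
FF16_RE = re.compile(r"\bFirefox/16\.")

FF16 = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
# Constructed proxy log (client<TAB>url<TAB>user-agent); only the gate URL is from the post.
SAMPLE_LOG = "\n".join([
    "10.0.0.5\thttp://bid.consulting-info.eu/feed/xml.php?uid=219\t" + FF16,
    "10.0.0.5\thttp://ads.example.com/click?id=1\t" + FF16,
    "10.0.0.5\thttp://track.example.net/r/abc\t" + FF16,
    "10.0.0.5\thttp://shop.example.org/\t" + FF16,
    "10.0.0.7\thttp://bid.consulting-info.eu/feed/xml.php?uid=219\tcurl/7.29.0",
    "10.0.0.9\thttp://news.example.com/feed/rss.xml\tMozilla/5.0 Firefox/115.0",
    "10.0.0.9\thttp://ads.example.com/click?id=2\tMozilla/5.0 Chrome/120.0",
    "malformed line without tabs",
])


def find_gate_clients(log_text, min_click_hosts=2):
    """Map client -> gate hosts and later Firefox 16 click hosts for suspected bots."""
    gates, clicks = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines
        client, url, ua = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        target = u.path + ("?" + u.query if u.query else "")
        if GATE_RE.match(target):
            gates[client].add(host)
        elif client in gates and FF16_RE.search(ua):
            clicks[client].add(host)  # request made after a gate fetch
    # A gate fetch alone (e.g. a researcher's curl) is not reported.
    return {c: {"gates": sorted(gates[c]), "click_hosts": sorted(clicks[c])}
            for c in gates if len(clicks[c]) >= min_click_hosts}


if __name__ == "__main__":
    for client, info in find_gate_clients(SAMPLE_LOG).items():
        print(client, info)
```

Requiring follow-up Firefox 16 requests to several distinct hosts after the gate fetch keeps a one-off lookup of the gate URL from being reported as an infected client.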
More information about the site can be found at its phpinfo page, located here: hxxp://s1.fclick.org/1.php
A way to get in touch with the owner of the affiliate program is located here: hxxp://s1.fclick.org/r.php
A pastebin showing the C&C page is located here
Hosting info: http://whois.domaintools.com/22.214.171.124