Pay-per-click

February 2007

Despite the fact that phishing is receiving increasing amounts of media coverage, and people are more aware than ever of the threat, the phishing 'business' seems still to be very attractive for fraudsters, and new phishing tricks appear on a regular basis.

An interesting trend in phishing emails has been seen recently in the wild, using a method often used in commercial emails, known as 'pay-per-click'.

The phishing emails contain a link which does not go directly to the fake website, but redirects the user first to a pay-per-click website, and then on to the fake website. Examples of pay-per-click services are Google's AdWords and DoubleClick.net. Each time a link is clicked, a very small amount of revenue (usually around $0.01 per click) is generated for the party that presented the link. This technique also helps to obfuscate the fake URL in the email, making it look less unusual to the inexperienced user. It might also prevent some anti-phishing toolbars from identifying the target website correctly.

This technique has additional value for the fraudsters, because it provides a means to verify how many individuals have clicked on the phishing link. In practice, they can check how many of the people to whom they sent spam went on to visit the website. This is a smart way to make extra money from reselling the email addresses, because this extra check will prove that the email addresses are valid and in use. Of course, it doesn't show which addresses are valid, but this doesn't really matter.

This model of constructing the phishing URL is not new, but the recent increase in its usage is proof that more and more fraudsters are trying to find new sources of income, adapting themselves and their business models to a new environment in which people are becoming more aware of the dangers of phishing.

Sorin Mustaca, Avira
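
A defensive counterpart to the redirect trick described above, as an added example that is not part of the original article: it unwraps a link whose real destination is carried inside a redirector's query string, so that a filter can check the final host rather than the first hop. The hostnames, parameter names and the `MAX_HOPS` limit are constructed assumptions, and the code inspects only the URL text without fetching anything.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_HOPS = 5  # assumption: give up after this many nested redirectors


def http_host(text):
    """Return the hostname if text parses as an http(s) URL, else None."""
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None


def embedded_url(url):
    """Return the first http(s) URL carried in url's query string, or None."""
    try:
        query = urlsplit(url).query
    except ValueError:
        return None
    for pair in parse_qsl(query, keep_blank_values=True):
        for field in pair:  # the target may be a value or a bare query string
            # parse_qsl decodes once; unquote again for double-encoded targets
            for candidate in (field, unquote(field)):
                if http_host(candidate):
                    return candidate
    return None


def redirect_chain(url):
    """Hosts a link passes through, judged from the URL text alone (no network)."""
    chain, seen = [], set()
    while url and url not in seen and len(chain) < MAX_HOPS:
        seen.add(url)
        chain.append(http_host(url))
        url = embedded_url(url)
    return chain


# Constructed sample: a click-counting redirector wrapping a look-alike host.
SAMPLE = ("http://clicks.adnetwork.example/click?cid=1029"
          "&url=http%3A%2F%2Fsecure-login.bank.example.phish.example%2Fverify%3Fid%3D7")

if __name__ == "__main__":
    print(" -> ".join(redirect_chain(SAMPLE)))
```

The last element of the returned chain is the host a blocklist or toolbar should evaluate; redirectors that keep the destination server-side cannot be unwrapped this way.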
