Dmitry Samosseiko, SophosLabs Canada: The partnerka - What is it, and Why should care?
October 2009 by Dmitry Samosseiko, SophosLabs Canada
Scareware, ‘Canadian Pharmacy’ spam, adult sites, comment spam on forums and blogs – we’ve seen these plaguing our web and email experience over the past few years. What links them together? What makes them grow in volume and complexity? Who is behind them? What business model drives their profi ts to millions of dollars annually? The answer is hundreds of well-organized affi liate networks. They’re known as ‘partnerka’ in Russia, where they form a booming business, yet exist in other places as well. Thousands of affi liates, each calling themselves a ‘webmaster’, work day and night to drive as much user traffi c to their partners’ stores as possible. The stores sell fake watches, fake anti-virus software, fake pills and fake love – the webmasters get their commission, making thousands of dollars per day. This presentation will expose their economic model, as well as describe the most popular Russian ‘partnerka’ networks and their relation to spam and malware. It will reveal some ‘insider’ statistics and information, show the tools used for ‘black SEO’ (search engine optimizations), and explain its terminology and techniques. We’ll also discuss how traditional email spam has evolved into a complex web-based industry, creating new challenges for law enforcement, user education and for security labs.
The fi rst serious book about spam and spammers that I read was Spam Kings by Brian S. McWilliams (2004). The ‘pioneers’ of the email spam industry pictured in the book, like the ex-Nazi Davis Wolfgang Hawke, ran it as a small family business. Relying on nothing more than help from their relatives, they handled the entire process chain themselves: harvesting email addresses, authoring message content, sending bulk email, processing orders, rapidly switching their Internet service providers and, at a later stage, running from the FBI or being jailed.
Back in the early years there were a handful of ‘spam kings’ and they didn’t have much to fear. Thanks to The Spamhaus Project we knew their names, addresses, what cars they drove and their relative position in the top spammers list. Since then, many countries have established a variety of antispam laws governing the use of email communication and marketing, including the US, Europe, Australia and Canada. The legislation was not expected to eliminate spam and make the spammers extinct, but it did criminalize it, made it a punishable offence and as a result a much riskier endeavour. So, the second generation spammers had to become a more organized and secretive group, forming professional spam outfi ts or collaborating online, where ‘bot herders’ could fi nd their ‘sponsors’.
But the peak of their evolution was the adoption of affi liate marketing methods in order to distribute responsibility for different spam tasks and to increase the army of ‘advertisers’. Amongst the fi rst spam gangs formed this way was the affi liate network Genbucks/SanCash, founded by the notorious spammer Shane Atkinson. It later ceased to exist but became a ‘role model’ for hundreds of new networks.
The affi liate marketing models work well for products with
large profi t margins. Generic drugs produced without a
licence, pornography, pirated software, casinos, dating sites…
the list goes on. These are the topics we commonly see in
email and web spam, but not everyone knows that each theme
is backed by numerous affi liate organizations with thousands
of advertisers. Another fact, known to security industry
researchers, is that the majority of the most powerful and
controversial affi liate networks are based in Russia.
As an ethnic Russian and a security researcher, I didn’t want to
miss an opportunity to look into the not-so-well-hidden world
of Russian affi liate partner networks, commonly referred to in
slang as partnerka.
But let’s fi rst look at how the whole concept of spamming has changed.
‘WEB IS THE NEW EMAIL’
Over the years anti-spam fi lters have become a de facto
standard for any email service and are now providing effi cient
protection for almost every inbox. The fi lters continue to
impact spammers’ profi ts, forcing them to shift to new (yet
still aggressive) advertisement techniques.
During the same time period, the emergence of Web 2.0
technologies – the blogosphere, social networks – has changed
the way people communicate and fi nd information online. It
made the web a very attractive and powerful advertising
platform, not only to legitimate businesses but also to those
who sell generic drugs and counterfeit luxury items.
This isn’t surprising, given that a person searching for cheap
drugs online is a signifi cantly more valuable target to shady
online pharmacies than millions of email spam recipients
who’ve never asked for it.
Another appeal factor is that web traffi c today does not have a similar level of protection on the legal and the technological sides. There are no laws today that could be applied to spam on blogs or forums. And while various web fi lters do exist, they do not offer the same level of effi ciency or adoption as their email counterparts. This is especially true for home users who are the main target.
This explains why topical web traffi c is becoming the main focus of affi liate networks of a certain kind. It gives them a safe legal framework to work within and benefi ts the most from the scalable model that affi liate marketing offers. Unlike email spam, web marketing has a signifi cantly lower barrier to entry for a new member and offers an almost linear dependency between profi ts and the number of active ‘partners’.
Just as Web 2.0 is about user-generated content, today’s web and email spam (Spam 2.0?) is generated by a massive number of affi liates who direct traffi c to a partner site to get their share of the revenue.
This explains why the number 1 position on the Spamhaus Top
10 spammers list, previously held by the notorious Russian spammer Leo Kuvayev, is now taken by the ambiguous ‘Canadian Pharmacy’ group.
It’s important to mention, however, that there are literally
hundreds of affi liate networks in Russia and around the world
that promote legitimate products in relatively benign ways.
The focus of this research is on the sites that push products
that are deemed illegal in many jurisdictions and those that
endorse unethical or straight-up criminal promotion
techniques amongst their member base. But fi rst, let’s look at
the taxonomy and common characteristics.
At the top level these shady businesses can be distinguished
by the type of product or service they promote and sell. The
most popular kinds include:
• Online pharmacies selling generic versions of popular drugs.
• Networks promoting ‘scareware’, a.k.a. ‘rogue anti-virus’ products.
• Counterfeit luxury products such as fake Rolex watches.
• Adult sites.
• Dating services.
• Affi liate traffi c generated via IFRAME insertions.
The majority of networks require an invitation from an existing member in order to join. This is often a good indicator of a business that supports unethical promotion practices. Among the most risky are those that openly allow spam traffi c or sell rogue software. These partnerkas are usually closed to the general public (referred to as ‘private’) and require proof of traffi c volumes and a certain reputation to be let in. Their websites often reveal nothing but a form to log in.
Another good sign of a dodgy affi liate business is a complete lack of transparency with respect to business ownership. The only contact information usually provided is a set of ICQ numbers. The portal administrators usually go by their nicknames and never reveal their real names on support forums. The banner ads that invite people to join the partnerships are usually placed on forums dedicated to spam, hacking, black SEO (search engine optimizations) and other unethical or illegal practices.
All partnerkas are in strong competition with each other. Allegiance is earned through more generous commission rates, shorter ‘hold’ periods, support for a wider range of payment methods (ePass, WebMoney, Fethard Finance, wire transfers), higher quality promotional material, better support, etc. Many organize expensive parties for their members, send generous gifts for holidays, run lotteries where a top producer wins a luxury car, and the list goes on. In some cases, the war between different partnerkas turns ugly, where one portal may get DDoS’ed by a competing gang.
TRAFFIC GENERATION TECHNIQUES
Affi liate marketing is all about driving quality traffi c to your ‘sponsor’. So, how does one go about generating it? The ‘white hat’ Internet marketing involves running ads on quality websites or blogs which attract visitors by their useful content or functionality. This form of advertisement is rarely the case when we’re talking about Russian pharma- or codec-affi liates.
Crossing the ethical boundary pays well. The most common methods of traffi c generation for these sites include various forms of spam, black-hat SEO, malware and combinations of the above.
As noted above, email spam has become less popular amongst affi liates due to the high risk and steep entry barrier. This has been acknowledged by the affi liates themselves on SEO-related forums. But given that we see no shortage in the supply of ‘Canadian Pharmacy’ or ‘fake Rolex’ spam, it’s not going to go away any time soon. It’s just being carried out by a smaller ‘elite’ group of affi liates.
Another example of traffi c-generating malware is a variety of so-called DNS Changer trojans that can place promoted sites at the top of web search results. This is achieved by redirecting DNS records for Google.com and other popular search engines to a lookalike site controlled by the affi liate. The replica site will proxy search results from the real one with the necessary modifi cations made to the search results. Another example is the TDSS family which loads a variety of fake anti-virus software from partner sites. I suspect that the ‘TDS’ string seen in fi lenames (i.e. TDSServ.sys) of this malware means nothing more than ‘Traffi c Directing System’ – a common term in the SEO world.
When it comes to ‘pharma’, adult or ‘codec’ partnerka, the techniques most commonly used are known as ‘black-hat SEO’.
The main difference between white and black SEO is that the
former implies only using the methods approved by search
vendors, like editing content to increase its relevance to
certain search keywords.
Black SEO, on the other hand, relies on techniques like spamdexing, ‘doorway’ pages and spam messages posted on blogs and forums.
The most popular is the creation of ‘doorway’ sites. These sites host content specifi cally created and optimized for a particular topic and search phrases. It would link to a Figure 1: The ‘Canadian Pharmacy’ group now holds the number one position in the Spamhaus Top 10 spammers list. promoted site using a URL containing affi liate ID. When a search engine indexes a ‘doorway’ with a high density of related keywords it’s likely to increase the page rank of the site referred to by the page, giving it a higher position in search results.
The common black SEO workfl ow involves:
1. Mining of Google Trends data for most popular search topics, whether it’s ‘britney spears’ or ‘death of david carradine’.
2. Generating content related to popular search phrases and linking it to a promotional site.
3. Uploading content as a blog or forum post, Wikipedia article or as a site on a ‘throwaway’ domain. Most of the steps in this process can be automated by various SEO software tools.
For example, the program ‘John22’ will automatically generate HTML content for dozens of unique and meaningful content pages per second, will link them together, upload them via FTP and notify Google about the new site. The authors claim that even humans have diffi culty recognizing that the content was generated automatically and that it’s impossible for a search engine to tell the difference. Other tools focus on automated parsing of search trend data, generation of unique content from Wikipedia articles and production of complete online forum sites with fi ctional user communities and conversations.
A special area of black SEO tools are the various spamware tools for blogs, forums and guestbooks, the most popular of which are A-Poster and Xrumer. Their functionality is similar to email spam-sending tools of the recent past, like SendSafe or DarkMailer.
A-Poster specializes in spamming guestbooks, while Xrumer works on forums. The latter provides support for automated forum registrations which often require a valid email address and a confi rmation. The entire process is fully automated and includes CAPTCHA recognition to generate hundreds of free email accounts.
ZennoPoster is yet another suite of tools that is able to generate accounts on any webmail site, social networks, blogs, free web-hosting providers, etc. It can send SMS messages, parse search results, place spam on forums and guestbooks and perhaps brew a coffee, though this feature wasn’t advertised. And all this treasure goes for a mere 289 euros. If this all sounds too complex, the web traffi c could simply be bought from a link exchange store and directed to your sponsor. The trick is to choose a partnerka with a high conversion rate to ensure that generated revenue will be greater than the cost of the traffi c itself. Now, let’s look at some of the most prolifi c affi liate business types.
The online pharmacy is one of the most popular kinds of ‘affi liate promotions’. The oldest and biggest partnerka in the Russian pharma-business is GlavMed, which can be translated as ‘MedHeadquarters’.
This partnerka is open to the public but requires an invitation from another network member. Its main brand is the notorious ‘Canadian Pharmacy’, which is all too familiar to everyone through massive email spam campaigns that seem never to end. This spam is tied to a sister entity of GlavMed, called SpamIt (spamit.com), which is a closed private network of email spam affi liates that has proven hard to infi ltrate. The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Confi cker botnets, responsible for email distribution and fast-fl ux hosting of the spam websites.
GlavMed, on the other hand, proclaims a strong anti-spam policy focusing on ‘legal’ SEO traffi c generation. Searching for GlavMed’s support phone number (+1 (210) 888 9089) reveals over 120,000 online pharmacy sites selling generic drugs.
We discovered, however, that the PHP-based e-commerce backend (SE2) available for download from GlavMed’s user area is exactly what powers the ‘Canadian Pharmacy’ sites advertised in spam. Just like any other partnerka, GlavMed starts with a public portal, the main part of which is the members’ area with statistics on store visits, purchases and commission earned. Many webmasters claim to be addicted to these stats pages, watching intently how the traffi c they generate converts to payments.
Every affi liate has an option to download two versions of GlavMed’s e-commerce software to deploy on their own domains or simply to direct traffi c to a set list of domains owned by GlavMed. The former provides more fl exibility for customization and SEO optimizations. Each store deployment contains a backdoor interface that allows GlavMed’s order processing system to collect hit statistics and purchase orders. Another core feature of the main site is the forum where affi liates discuss issues, share ideas and get attentive and high quality support from the partnerka owners. GlavMed advertises a 40% commission fee on each sale. Assuming the cost of an average purchase is around $200, even a couple of purchases per day become a good source of income.
During our research we came across a log fi le of purchases made on ‘Canadian Pharmacy’ websites advertised in email spam. This data revealed over 20 drug purchases per day per spam campaign, which can add up to $1,600 paid in commission fees per day. Correction: there were in fact 200 purchases per day average (not 20), which could lead up to $16,000 in payments (not $1,600).
While GlavMed is one of the oldest and clearly the most popular pharma businesses, there are legion others. Stimul-cash.com, Rx-partners, Rxcash.biz, Evapharmacy, Rx-Signup.com and DrugRevenue names just a few. Most of them focus exclusively on web promotion methods, while a small portion still unoffi cially support traffi c generated through email spam. According to messages posted on relevant forums, GlavMed and Evapharmacy are the most spamfriendly sponsors in the world of ‘pharma’.
CODEC- AND SOFT-PARTNERKA
Over the last two to three years we’ve witnessed an emergence of a new Internet threat called scareware, which quickly became one of the most prevalent kinds of malware.
This threat exploits the increasing fear among users of computer malware and relies on various social engineering tricks or software exploits to install a fake security product. The rogue software is both annoying and hard to get rid of, unless you’re willing to pay $30–$50 for the fake product or a similar amount of money to buy real defence. This shouldn’t be big news to anyone these days, even though some people still fall victim to it.
What is not common knowledge, though, is that this Internet threat is predominantly driven by Russian partnerka networks. These ‘sponsors’ are often called ‘pay-per-install-’, ‘soft-’ or ‘codec-’ partnerka. The latter is related to the most commonly used social engineering technique that fools people into installing a video codec or a Flash player update to watch video content. The commission paid to affi liates is usually based on the number of ‘loads’ (installations) achieved. For the soft-partnerka networks, also known as antispywarepartnerka, the revenue sharing is based on actual sales of fake software.
In addition to actual software, each ‘sponsor’ also provides promo material, which is usually a set of HTML designs and scripts that entice users to click and install. The most popular was the different variations of ‘PornTube’ – a youtube.com lookalike offering adult videos for free.
Due to the openly criminal nature of these affi liate groups, the codec-partnerkas do not last very long. Most of them are exclusively private and require affi liates to have a certain reputation in the SEO world before they can be admitted as members. But there are some, like Buckster.ru, that are more relaxed about new registrations.
Buckster advertises itself as a partnerka for ‘garbage’ traffi c. Its two core ‘brands’ are WinXdefender and VirusDoctor – both perfect examples of rogue AV software. Once registered, you can log into an admin interface, showing you the URLs to advertise and your current statistics. As you can see in the screenshot in Figure 5, the author of this paper, though tempted, did not generate any traffi c for his fi nancial gain.
Having this sort of access can often expose useful information to a security researcher. The main benefi ts are the fresh links to promotional sites and the software binary itself. Both could be used to maintain a high level of detection for this threat and can drive development of a broader protection layer. In this particular example, the DNS network hosting the TDS domain (Traffi c Direct System) contains a number of other fake AV-related websites that could be blocked as soon as they get registered.
Another very popular – but a bit more private – codec-partnerka is RefreshStats. Despite its efforts to stay private we were able to take a peek at its admin interface. One of the affi liates was careless enough to upload a screenshot of their desktop to one of his ‘PornTube’ sites (Figure 7). The screenshot offers a picture of the admin portal with this affi liate’s earnings and hit statistics ($6,456 for the month of August 2008).
Mac users are not immune to the scareware threat. In fact, there are ‘codec-partnerka’ dedicated to the sale and promotion of fake Mac software. One of the recent examples is Mac-codec.com. At the time of writing this article, the site is no longer available, but just a few months ago it was offering $0.43 for each install and offered various promo materials in the form of MacOS ‘video players’. Often enough, some interesting information can be obtained directly from the partnerka home pages, without needing to register.
For example, yet another scareware vendor, Topsale2.ru, states on its front page that only traffi c from the USA, Canada and Australia is being accepted and that the commission rate is up to $25 per sale. Its promo materials include ‘web scanners’ (a dynamic HTML page that deceives users into believing that their PCs have been scanned and that viruses were found), codecs (pages with fake video players that require an ‘update’) and three different variants of EXEs (the actual payload). They do not shy away from saying that one of the executables advertised was made specifi cally for loading into a botnet.
The site claims the average traffi c conversion rate is $100–$250 per 1K loads, which with $25 commission rate implies that up to 10 of every 1,000 users infected with a fake AV threat end up actually paying for it.
To further convince potential affi liates to sign up the home page links to sample statistics for an average member ($4916 commission paid in 11 days).
Again, we can see how a successful webmaster can make over $180,000 per year on this network alone from traffi c averaging 10K visits per day. Assuming that most webmasters direct their traffi c to more than one sponsor at a time, it is no surprise that affi liate marketing and black SEO are extremely appealing career paths for a computer savvy person in Eastern Europe.
In 2008 we observed a record number of codec partners’ sites – CodecCash, SmileCash, OXOCash, Go-Go-Cash, IframeVip, Bucks Loads, Ruler-Cash, 3XLCash, SpicyCodec, VIP Codec, K2Cash, VIPSoftCash, Topsale.us, RulerCash, CashPanic, Traffi c-Converter.biz and SoftwareProfi t, to name just a few. With each maintaining its own set of software and promo material, there is little wonder that the volume of rogue anti-virus applications and codec doorway sites has risen to unprecedented levels in recent years. The majority of the aforementioned sites appear to have gone away for a variety of reasons. Some of them blame their billing systems which turn accounts down as soon as they recognize that they are related to scareware sales. Others were exposed by Brian Krebs in his Security Fix blog in the Washington Post, and by other security researchers. These articles often initiate a take-down effort similar to what happened to McColo, EstDomains and 3FN.
But there is a new trend emerging. Here is an excerpt from a blog post made on 6 June 2009 by the CashPanic team: ‘... this business is no longer as attractive as before due to high costs and risks which no longer get compensated by the declining profi ts ...’
We can only hope that this trend is affecting all of the fake anti-virus vendors and that we will soon witness an end to it.
Affi liate web marketing attracts thousands of people motivated by the high earning potential and the fl exibility of self-employment. The examples mentioned in this article are merely the tip of the iceberg. The affi liate networks focused on the promotion of illegal products are part of a growing multi-million dollar ‘industry’. Affi liate web marketing also became the main driving force behind the recent explosion in malware, website infections, email spam and general web pollution.
At the same time we see some hopeful signs. Security researchers are working closely with law enforcement to orchestrate rogue network take-downs. Billing and hosting companies are becoming more responsive to abuse reports and do stop providing support to rogue businesses. The most dangerous sides of the affi liate business such as scareware are being forced to close or go underground, which impacts their operational costs.
All this good news will not completely eliminate unethical and illegal Internet practices, but the effects may reduce the impact to a manageable level. Figure 9: Topsale’s sample statistics for an average member.