Conventional wisdom suggests that an HTTPS connection is a secure one; the "S" stands for "secure" right there in the abbreviation. However, a new bit of adware known as Redirector.Paco is making a mockery of the secure Hypertext Transfer Protocol by stealing millions of dollars in ad revenue through supposedly secure servers. Worse still, the attack has already made its way to almost 1 million machines, with no sign of slowing down.
Researchers with Bitdefender, the Romanian antivirus maker, published information about Redirector.Paco on the company's Labs blog. The mechanics of the program are quite complex, but in basic terms, it acts as a man-in-the-middle attack on web connections and abuses Google's AdSense for Search program. AdSense for Search is a benign and perfectly legal (if sometimes annoying) mechanism by which website owners use customized versions of Google Search to display relevant content and ad links in search results.
Under Redirector.Paco, search queries to Yahoo, Bing and regular Google get redirected to a set of AdSense for Search results customized by fraudsters. Rather than displaying the most relevant results, the search will lead users to different results, including ad links that earn money for the fraudsters -- a process called "clickjacking."
Even if users don't click on the ads, AdSense will still channel money toward the attackers just for attracting eyeballs. By exploiting AdSense’s modus operandi, Redirector.Paco can force companies to pay up good money from their advertising budgets for garbage results. Bitdefender says the adware is currently installed on more than 900,000 machines worldwide, primarily in India, but also in Malaysia, Greece, Italy, the United States, Pakistan, Brazil and Algeria.
What makes the adware particularly pernicious is that it's quite hard to tell it apart from a legitimate search result. Rather than using an insecure HTTP connection (as most AdSense scams would), it connects via an HTTPS server, complete with SSL authentication. The fact that the rogue server is verified by the "DO_NOT_TRUST_FiddlerRoot" certificate, however, should probably raise a few eyebrows.
There are a few other telltale signs that the connection has been hijacked, including tweaked AutoConfigProxy values in the Windows Registry, and "Waiting for proxy tunnel" or "Downloading proxy script" messages while the site loads. Still, these are rather subtle signs, even for experienced Internet users who probably don't expect any foul play. There are also two slightly different versions of the redirector, only one of which displays the suspicious messages, making matters even more confusing.
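As an added illustration (not from the article or from Bitdefender's write-up), here is a PowerShell check a defender could run on a Windows host to surface the two host-side signs the article describes: unexpected proxy auto-configuration settings and a trusted root certificate named DO_NOT_TRUST_FiddlerRoot. It assumes the altered proxy values live in the standard Internet Settings registry key (the AutoConfigURL, ProxyServer and ProxyEnable values) and that the rogue root certificate would be installed in the Root or CA certificate store; the function name Get-ProxyIndicators is invented here.

```powershell
# Added example, not code from the article or from Bitdefender.
# Collects the host-side indicators the text describes and returns them
# as objects so they can be reviewed, exported or fed to a SIEM.
function Get-ProxyIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Browser proxy settings live under the Internet Settings key (assumption:
    # this is where the "tweaked AutoConfigProxy values" end up). A PAC script
    # URL or a manual proxy the user never configured is worth a closer look.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'AutoConfigURL', 'ProxyServer', 'ProxyEnable') {
            $value = $props.$name
            # ProxyEnable = 0 and an empty string are the normal, untouched state.
            if ($null -ne $value -and "$value" -ne '' -and "$value" -ne '0') {
                $findings += [pscustomobject]@{
                    Category = 'Proxy'
                    Location = "$key\$name"
                    Value    = "$value"
                }
            }
        }
    }

    # The article says the rogue HTTPS server is verified by a certificate named
    # DO_NOT_TRUST_FiddlerRoot. Fiddler only installs that root when a user opts
    # in to HTTPS decryption, so on a machine that never ran Fiddler its presence
    # in a trusted store is a strong sign that something else installed it.
    $stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root',
                'Cert:\CurrentUser\CA',   'Cert:\LocalMachine\CA')
    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match 'DO_NOT_TRUST_FiddlerRoot' } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Category = 'Certificate'
                    Location = $store
                    Value    = "$($_.Subject) thumbprint=$($_.Thumbprint) notAfter=$($_.NotAfter)"
                }
            }
    }

    return $findings
}

# Usage: run from an elevated prompt so the HKLM and LocalMachine stores are readable.
$results = @(Get-ProxyIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No proxy or Fiddler-root indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit in the Proxy category is not proof of infection on its own: a corporate PAC script or a deliberately configured proxy produces the same values, so the output is a triage list to compare against what the machine's owner or administrator actually set. A DO_NOT_TRUST_FiddlerRoot entry on a host that never ran Fiddler is the stronger indicator, and removing it from the trusted store (along with the unexpected proxy values) is the first cleanup step once the adware itself has been removed.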
It's also not 100 percent clear where Redirector.Paco comes from. Bitdefender observed that it was making the rounds on less-than-reputable download sites, bundled with legitimate programs such as the compression/decompression software WinRAR (and less legitimate stuff, like YouTube downloaders). Beyond that, the adware's origins are murky, and the clickjacking campaign it enables doesn't appear to be dying down.
The good news is that Redirector.Paco appears to be run-of-the-mill adware/malware (it’s a bit of both, using malicious techniques to fraudulent but not-especially-dangerous ends). Most good antivirus programs should get rid of it, if not today, then within the next few days.
The unfortunate subtext, then, is that a million PC users can't be bothered to run good antivirus software. Don't be one of them.