Resolved bid.consulting-info.eu to s1.fclick.org (cname)
Resolved s1.fclick.org to 96.44.149.187
Server: bid.consulting-info.eu
Gate file: /feed/xml.php?uid=219
More click fraud courtesy of French hecker h4r3. This time it looks a bit more sophisticated, though. I'm assuming this is an affiliate program: it uses h4r3's domain, but that domain points to another site. If you search clean-mx for URLs containing %/feed/xml.php?uid=%, you'll find numerous other domains, many of which seem advertising related. Those that are still alive also point to s1.fclick.org.
The C&C seems to work similarly to the other click fraud bot posted, with the URLs to be clicked contained in a script on the page. Some of the URLs are contained in redirects that expire minutes later, presumably after a certain number of clicks have gone through.
Initial redirects
The same redirect a few minutes later
The bot appears to use the same Firefox 16 user agent for all of the clicks.
More information about the site can be found at its phpinfo page, located here: hxxp://s1.fclick.org/1.php
A way to get in touch with the owner of the affiliate program is located here: hxxp://s1.fclick.org/r.php
A pastebin showing the C&C page is located here
Hosting info: http://whois.domaintools.com/96.44.149.187
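The two network traits described above (a fetch of the `/feed/xml.php?uid=` gate followed by a burst of clicks that all carry a Firefox 16 user agent) can be hunted for in web proxy logs. The sketch below is an added example, not code from this post or from the bot. The log layout, the `Firefox/16.` match token, the time window, the host threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

GATE_RE = re.compile(r"^/feed/xml\.php\?uid=\d+$")  # gate path pattern from the post
UA_TOKEN = "Firefox/16."   # assumption: the bot's user agent carries this token
WINDOW = 600               # assumed: seconds after a gate fetch to attribute clicks
MIN_HOSTS = 3              # assumed: distinct clicked hosts needed to flag a client
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

FF16 = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
# Constructed sample log, one request per line: epoch client host path "user agent"
SAMPLE = [
    '1000 10.0.0.5 bid.consulting-info.eu /feed/xml.php?uid=219 "Mozilla/4.0"',
    f'1010 10.0.0.5 ads-a.example /click?id=1 "{FF16}"',
    f'1015 10.0.0.5 ads-b.example /r?x=2 "{FF16}"',
    f'1030 10.0.0.5 ads-c.example /go "{FF16}"',
    # Ordinary Firefox 16 user: same UA, but never fetched a gate URL
    f'1040 10.0.0.9 news.example / "{FF16}"',
    f'1050 10.0.0.9 mail.example /inbox "{FF16}"',
    f'1060 10.0.0.9 shop.example /cart "{FF16}"',
    # Gate fetch, but the later requests fall outside the window
    '1000 10.0.0.7 bid.consulting-info.eu /feed/xml.php?uid=7 "Mozilla/4.0"',
    f'2000 10.0.0.7 ads-a.example /click?id=9 "{FF16}"',
    f'2001 10.0.0.7 ads-b.example /r?x=9 "{FF16}"',
    f'2002 10.0.0.7 ads-c.example /go "{FF16}"',
]

def find_click_bots(lines):
    """Return {client: sorted clicked hosts} for clients that fetched a gate URL
    and then hit MIN_HOSTS or more distinct hosts with the Firefox 16 UA in WINDOW."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the hunt
            ts, client, host, path, ua = m.groups()
            records.append((int(ts), client, host, path, ua))
    last_gate = {}               # client -> time of most recent gate fetch
    clicked = defaultdict(set)   # client -> hosts requested after that fetch
    for ts, client, host, path, ua in sorted(records):
        if GATE_RE.match(path):
            last_gate[client] = ts
        elif (client in last_gate and ts - last_gate[client] <= WINDOW
              and UA_TOKEN in ua):
            clicked[client].add(host)
    return {c: sorted(h) for c, h in clicked.items() if len(h) >= MIN_HOSTS}

if __name__ == "__main__":
    print(find_click_bots(SAMPLE))
```

Requiring the gate fetch first keeps ordinary Firefox 16 users out of the results; the user agent alone is too common to alert on.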
Anonymous - January 3, 2013 at 8:05 pm
another url linking there:
hxxp://reliablyrebroadcast.org/ad/feed.php -> hxxp://ad.zautoclick.com/
The rDNS points to the same fclick.org host.