Google AdSence MitM Infected One Million Computers!

The so-called “redirector.paco botnet” steals advertising revenue

A hacking group of cyber criminals has infected about 1 Million computers around the world with a malicious script that hijacks user’s search results pages through a local proxy. This was revealed by security researchers from Romania. The massive click-fraud botnet was named Million-Machine Campaign or MitM.

For those of you who are not aware what botnet is – this is a network of computers infected with malware. Not just a malware, but a piece of malicious script that is specially designed to take over the entire infected system, and all this, without the user’s knowledge. These botnets are usually being used for launching denial-of-service (DDoS) attacks against websites.


The malicious script behind this massive botnet attack is known as Redirector.Paco Trojan. It alone has infected more than 900,000 computers all around the world in the past two years. According to the security researchers, since it first appeared back in September 2014, “redirector.paco botnet” has infected computers all across the world, mostly in India, Malaysia, Greece, and USA as well as Italy, Pakistan, Brazil, and Algeria.

The so-called “redirector.paco botnet” works by replacing Google AdSense for search results with its own application, this way stealing advertising revenue from infected machines. The aim of the cyber criminals, of course, is to earn money from AdSence.

Google AdSence normally operates by placing relevant ads on Custom Search Engine’s search results pages, and then shares some of the revenue with AdSence partners. It looks like this hacking group has found a way to make a botnet scheme taking advantage of this revenue sharing, which works only for them.

Redirector.Paco infects users through a Trojan which hides in infected software packages. This happens when users download and install compromised versions of popular software programs like YouTube Downloader, pirate WinRAR, KMSPico, Stardock Start or Connectify.

Experts reveal that the Paco malicious script serves as a man-in-the-middle attack. It uses a root certificate in order to discard the certificates for the famous search engines of Google, Yahoo, and Bing, which are accepted by the infected computer’s browser.

In order to stay away from these kinds of cyber threats, follow the basic online security measures. Our “How to remove” team would advise you to keep your system and antivirus software updated. It is a good idea to always pay attention to warning signs and symptoms that may reveal if something is not right with your PC. And don’t forget to check the news regularly.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment