In the latest twist on website exploits for profit, Web hackers have begun to turn sites they've exploited into sources of fraudulent Web traffic for anyone willing to pay. By using inline frames (iframes) injected into the HTML of a website, they can redirect visitors to the site to anywhere on the Web.

The site selling this traffic, which has been cited both by RSA's security blog and SC Magazine, is operated by a Russia-based group of hackers who, much in the fashion of Amazon, built the capability for their own use first and then realized its potential profitability as a larger service—to others who want to make a quick buck off Web advertising fraud, launch drive-by download attacks on users' browsers, or run other scams based on illegitimately gained page views.

Iframes load and render one webpage within the body of another. Legitimate websites use iframes to embed content from elsewhere while keeping its source out of view; iframes are widely used in all sorts of Facebook applications to deliver content within the Facebook environment. But they're also used by more marginally ethical search engine optimization hackers, and are a standard element of most Web fraud.

Generally speaking, hackers leverage iframes either through compromised websites (or individual pages within them) or by injecting HTML into a user's browser via a botnet trojan. If a hacker is able to insert an iframe into an advertisement, comment, or other element on a page of a high-traffic website (or inject one directly into a browser), they can hijack visits and deliver thousands of page views to targeted sites.
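As an added defender-side example (this is not code from the article or from any site it mentions), the following Python script scans a page's HTML for iframes that are hidden from the visitor and point at a third-party host, which is the shape an injected traffic-redirect iframe usually takes. The sample HTML, the host names in it and the `IframeAuditor` class are constructed for illustration; only the standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical site "shop.example": one
# same-origin iframe, one visible third-party widget, and two iframes
# styled so the visitor never sees them. The hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Example shop</h1>
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<iframe src="https://www.facebook.com/plugins/like.php" width="450" height="80"></iframe>
<iframe src="http://traffic-shop.example/redirect.php?id=123" width="1" height="1"
        style="position:absolute; left:-9999px;"></iframe>
<iframe src="http://another.example/" style="display:none"></iframe>
</body></html>
"""

# CSS fragments that make an element invisible or push it off-screen.
HIDING_MARKERS = ("display:none", "visibility:hidden", "opacity:0", "left:-", "top:-")


class IframeAuditor(HTMLParser):
    """Collects every <iframe> on a page with hidden/third-party flags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # HTMLParser yields (name, value) pairs; valueless attrs have value None.
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # "" for relative src
        reasons = []

        # Third party: any host other than the page's own host or its subdomains.
        third_party = bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)
        if third_party:
            reasons.append("third-party src " + host)

        # Hidden: zero/one-pixel box, hiding CSS, or the HTML5 'hidden' attribute.
        hidden = "hidden" in a
        for dim in ("width", "height"):
            if a.get(dim, "").strip().lower().rstrip("px") in ("0", "1"):
                hidden = True
                reasons.append(dim + "=" + a[dim])
        style = a.get("style", "").replace(" ", "").lower()
        for marker in HIDING_MARKERS:
            if marker in style:
                hidden = True
                reasons.append("style contains " + marker)

        self.findings.append({
            "src": src, "host": host, "third_party": third_party,
            "hidden": hidden, "reasons": reasons,
        })


def audit_html(html, page_host):
    """Return one record per iframe found in html, with risk flags."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings


def suspicious_iframes(html, page_host):
    """Iframes the visitor cannot see and that load content from elsewhere."""
    return [f for f in audit_html(html, page_host) if f["hidden"] and f["third_party"]]


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "shop.example"):
        print("SUSPICIOUS", f["src"], "|", "; ".join(f["reasons"]))
```

A scan like this belongs in a periodic integrity check of a site's rendered pages, since an injected iframe typically arrives through a compromised template, plugin, advertisement or comment rather than through the site's own source tree. Serving a Content-Security-Policy header whose `frame-src` directive lists only the origins the site intends to frame also makes the browser refuse to load an iframe injected into the page body, because the attacker controls the HTML but not the response headers; it does not help when the iframe is injected on the client side by a botnet trojan.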

It's not clear whether the entrepreneurial crew that launched the iframe traffic shop is exploiting botnets to get its traffic. Their website allows visitors to pay for 1,000-pageview blocks of traffic to a specific URL—each block costing about $4. It's also possible to target specific geographic areas for a higher price: $12 per thousand US visitors, $8 per thousand Australians, and $16 per thousand Austrians.

The site also lets users sell traffic through their own sites, providing iframe code that can be placed on their own site (or someone else's) in return for a cut of the profits from the traffic it generates. When combined with a botnet, this sort of networked scam can generate thousands of dollars for the botnet operators—loading the iframe code in a hidden browser window, for example, to run up thousands of page views through a traffic market. And it could be combined with other clickjacking attacks, such as fraudulent Facebook apps and other social malware, to generate revenue for hackers while they try to harvest personal information from the people they attack.

While RSA's fraud researchers say that this particular shop is "one of the only instances" of hackers offering their traffic to other would-be Web fraud perpetrators, the practice is growing—and is increasingly offered out in the open. The use of "junk traffic" is already fairly widespread: sites like iFrame.us claim to deliver "traffic from clean sites only" (sites without malware involved), promising one million page views from Europe and Asia for only $299 to sites that want to boost their view counts.
