Legitimate Web sites are being conned into carrying a Trojan masquerading as an income-generating partnership programme.
According to Seth Purdy, writing on the McAfee Avert Labs blog, iframeDollars appears to tout some "interesting" business practices.
Information on the organisation's front page tells Webmasters: “You only put up the short one line iframe code on your page(s) and start to make money.
"Without any Active-X console or any pop-ups … it means that you will not lose your unique visitors with our iframe!”
Purdy points out that this could mean the program uses sneaky installation tactics so the software won't be associated with the host site and thus drive traffic away.
Under the organisation's terms & conditions, it states: “Our program (size: 3kb) is loaded to the user and it changes the homepage and installs toolbar and dialer. It’s activated and revealed in 15-30 minutes after download."
According to Purdy, this describes blatant deception on their part – and means the program is a cleverly-designed Trojan.
Other information points to the Trojan being changed regularly (daily), and specifically targets Web sites with high traffic – with the promise of payment for each visitor.
Purdy points out: "Several DLLs associated with the installations were recently included in our detections as PWS-Banker Trojan variants.
"They dealt with inline web page code injection for the purposes of stealing account information while the victims were visiting their legitimate banking websites.
"Altogether we have indications of a sophisticated organised cybercrime operation shrink-wrapped as an above-board affiliate marketing programme."