SC Magazine is reporting that cyber criminals have opened an online store selling Web traffic by hijacking other Web site’s traffic. The shop injects hidden integrated frames into pages of legitimate Web sites to redirect visitors to the buyer’s URL.

Integrated frames split pages into parts that are used to embed windows from another Web site. When an iframe’s height and width is set to zero, it becomes invisible.

Customers can purchase 1000 visitors through the online store for an average of $4.

Regional traffic prices do vary with 1000 Dutch visitors costing $18 while 1000 visitors from Australia is only $8. One thousand visitors from the U.S. is only $12.

The shop will also purchase redirected traffic from others. Sellers can inject their own iframes and sell the resulting traffic to the shop.

The operator said that the service does not record any IPs, no one will ban your account and they don’t care what you’re promoting.

The shop can adjust prices automatically based on supply and demand.

The site was originally created for personal use but was opened for public use after the realisation that money could be had.

There are “legal” options to buy Web traffic, but what this shop offers is definitely illegal. If you want to increase your Web traffic, use the old fashioned method of promoting via social media like Facebook and Twitter.

Wal-Mart, Target, USA Today, and several university websites displayed an awful truth in search results observed by Danchev. They and many others received unwanted search optimization via the injection of iframes through code added to search queries into their sites.

The attacks started two weeka ago, and have evolved into what Danchev wryly called “what looks like a large scale web application vulnerabilities audit of high profile sites.” He believes over a million search queries have been poisoned, due to insufficient security on the web applications affected by them.

When people do a site search on the affected domains, these infected sites redirect visitors via the iframes to bogus security software or variants of the notorious Zlob Trojan malware. Zlob grabs malware from other servers, and loads it onto a compromised PC.

Danchev noted in his post the IP addresses of the iframes being injected into these high profile sites resolve to locations in New York City, Berlin, and Panama. He noted Google is actively filtering search results leading to iframes on the affected servers, which makes it hard to determine going forward which sites may have been newly infected.

Blame poor input validation for the problem. The web applications being victimized are not sanitizing code being appended to search queries made on their sites, resulting in search results being poisoned. InfoWorld noted how these results sometimes get submitted by the sites back to Google, where other searchers will find the malicious pages.