Old 05-08-2007, 05:58 PM  
StarkReality
Quote:
Originally Posted by Quickdraw
This is only the tip of things but it is a good example of how traffic is being diverted from many places.

The following comes from 1 click on an infected machine. Everything in the quote all took place in about a second.
Notice that after clicking an ad on the Google results, it takes the user through the Google ad to the intended advertiser. It is then redirected so fast that most people won't even realize they even went to the intended site.

So, the advertisers on Google (and the other engines) are getting hit by a PPC charge, for traffic that really doesn't even make it to their site, but for a millisecond.

The traffic that is redirected is sent to various smaller PPC engines, through multiple redirects. The user finally lands at a non-affiliated, top-paying advertiser for these various PPC engines and the terms used. In this case the term was 'tomato seeds'.

This is happening for all keywords and all niches, mainstream and adult.


Code:
GET http://www.google.com/search?hl=en&q=tomato+seeds&btnG=Google+Search
200 OK

GET http://85.255.119.189/frame.php
200 OK
##### Ad click started here #####
GET http://www.google.com/pagead/iclk?sa=l&ai=BjKu1_sNARsnNGpOYgQOgg8SqDPrVqB6Ws_XxA_bK6IAB4M0vCAAQARgBKAM4AFDEz9zh-_____8BYMme94fso-QXmAHAqQegAZ2ok_8DqgEEMk5SU8gBAYACAdkDI1XjKDBjSCg&adurl=http://store.tomatofest.com/%3FClick%3D2
302 Found to http://www.googleadservices.com/pagead/adclick?sa=L&ai=BjKu1_sNARsnNGpOYgQOgg8SqDPrVqB6Ws_XxA_bK6IAB4M0vCAAQARgBKAM4AFDEz9zh-_____8BYMme94fso-QXmAHAqQegAZ2ok_8DqgEEMk5SU8gBAYACAdkDI1XjKDBjSCg&adurl=http://store.tomatofest.com/%3FClick%3D2&val=ChAzMTIzMTJmNGNmODUyMzQ3EMn07LEEGggd1oiS36BCxCAB

GET http://www.googleadservices.com/pagead/adclick?sa=L&ai=BjKu1_sNARsnNGpOYgQOgg8SqDPrVqB6Ws_XxA_bK6IAB4M0vCAAQARgBKAM4AFDEz9zh-_____8BYMme94fso-QXmAHAqQegAZ2ok_8DqgEEMk5SU8gBAYACAdkDI1XjKDBjSCg&adurl=http://store.tomatofest.com/%3FClick%3D2&val=ChAzMTIzMTJmNGNmODUyMzQ3EMn07LEEGggd1oiS36BCxCAB
302 Found to http://store.tomatofest.com/?Click=2&gclid=CPu04_mb_4sCFQqgYgodaRs_zA

GET http://store.tomatofest.com/?Click=2&gclid=CPu04_mb_4sCFQqgYgodaRs_zA
200 OK

GET http://85.255.119.189/click.php?PHPSESSID=B043EDE50C4D4AACA85F6083F8EFF1CF&qq=b01bb5eae6568bd2aa6bd8a775309ac1&id=1&qnaes={B043EDE5-0C4D-4AAC-A85F-6083F8EFF1CF}
302 Found to http://64.111.208.122/click.php?c=c3fe4046bef70c09d404&r=1&d=B043EDE50C4D4AACA85F6083F8EFF1CF

GET http://64.111.208.122/click.php?c=c3fe4046bef70c09d404&r=1&d=B043EDE50C4D4AACA85F6083F8EFF1CF
302 Found to /dclick.php?c=0855c9e17bd60d2c196b&r=1

GET http://64.111.208.122/dclick.php?c=0855c9e17bd60d2c196b&r=1
302 Found to http://66.250.74.152/click.php?go=aHR0cDovLzY3LjI5LjEzOS4yMjAvY2xpY2svP2FmZmlsaWF0ZT1TUzIyJnN1YmlkPTE5MzZfMTYxNSZUZXJtcz10b21hdG8lMjBzZWVkcyZzaWQ9WjAxODA0NTA1MEBFelgxRXpkM2QzWHlNek14Y2pNMUFET3dNak0yZ3pYNWdETjI4Vk81VVRPMFlETzNFVE0=&b=MC4xOTA=&aff=1936&subaff=1615&time=1178649599&searcher_ip=24.119.49.119&cnt=21843&qq=tomato+seeds&mode=&seid=czATgc4633g1Tpvi+H2xw7C/0UMC/RjUkek0QQaz&se=YWJjU2VhcmNoUA==&sid=39&pos=1

GET http://66.250.74.152/click.php?go=aHR0cDovLzY3LjI5LjEzOS4yMjAvY2xpY2svP2FmZmlsaWF0ZT1TUzIyJnN1YmlkPTE5MzZfMTYxNSZUZXJtcz10b21hdG8lMjBzZWVkcyZzaWQ9WjAxODA0NTA1MEBFelgxRXpkM2QzWHlNek14Y2pNMUFET3dNak0yZ3pYNWdETjI4Vk81VVRPMFlETzNFVE0=&b=MC4xOTA=&aff=1936&subaff=1615&time=1178649599&searcher_ip=24.119.49.119&cnt=21843&qq=tomato+seeds&mode=&seid=czATgc4633g1Tpvi+H2xw7C/0UMC/RjUkek0QQaz&se=YWJjU2VhcmNoUA==&sid=39&pos=1
302 Found to http://66.250.74.152/click_second_new3.php?go=aHR0cDovLzY3LjI5LjEzOS4yMjAvY2xpY2svP2FmZmlsaWF0ZT1TUzIyJnN1YmlkPTE5MzZfMTYxNSZUZXJtcz10b21hdG8lMjBzZWVkcyZzaWQ9WjAxODA0NTA1MEBFelgxRXpkM2QzWHlNek14Y2pNMUFET3dNak0yZ3pYNWdETjI4Vk81VVRPMFlETzNFVE0=&b=MC4xOTA=&aff=1936&subaff=1615&time=1178649599&searcher_ip=24.119.49.119&cnt=21843&qq=tomato+seeds&mode=&seid=czATgc4633g1Tpvi+H2xw7C/0UMC/RjUkek0QQaz&se=YWJjU2VhcmNoUA==&sid=39&pos=1&country=US

GET http://66.250.74.152/click_second_new3.php?go=aHR0cDovLzY3LjI5LjEzOS4yMjAvY2xpY2svP2FmZmlsaWF0ZT1TUzIyJnN1YmlkPTE5MzZfMTYxNSZUZXJtcz10b21hdG8lMjBzZWVkcyZzaWQ9WjAxODA0NTA1MEBFelgxRXpkM2QzWHlNek14Y2pNMUFET3dNak0yZ3pYNWdETjI4Vk81VVRPMFlETzNFVE0=&b=MC4xOTA=&aff=1936&subaff=1615&time=1178649599&searcher_ip=24.119.49.119&cnt=21843&qq=tomato+seeds&mode=&seid=czATgc4633g1Tpvi+H2xw7C/0UMC/RjUkek0QQaz&se=YWJjU2VhcmNoUA==&sid=39&pos=1&country=US
302 Found to http://67.29.139.220/click/?affiliate=SS22&subid=1936_1615&Terms=tomato%20seeds&sid=Z018045050@EzX1Ezd3d3XyMzMxcjM1ADOwMjM2gzX5gDN28VO5UTO0YDO3ETM

GET http://67.29.139.220/click/?affiliate=SS22&subid=1936_1615&Terms=tomato%20seeds&sid=Z018045050@EzX1Ezd3d3XyMzMxcjM1ADOwMjM2gzX5gDN28VO5UTO0YDO3ETM
200 OK

POST http://67.29.139.220/jump/?affiliate=ss22&subid=1936_1615&Terms=tomato%20seeds&e=
200 OK
#### This is the top position on abcsearch.com ####
GET http://samson-exotic-gardens.com/14.html
200 OK
In this redirect it appears they are using abcsearch.com.
They use spoofed referrers such as indaxis.info/search.php?q=term-used and many other similarly styled refs.
Looks like many Chinese sweatshop clickers will have to look for a new job...

Imagine the sums we are talking about with hundreds of thousands of infections daily...this isn't a few script kiddies making some money, it's organized crime at a high level.
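In the quoted trace, the `go=` parameter is base64 of the next hop: it decodes to the `http://67.29.139.220/click/?affiliate=SS22...` URL that the following 302 points at. As an added example (not part of the original thread), this Python code parses a trace in the same `GET` / status-line layout and reports what the browser did after the advertiser's page had loaded. The sample trace is constructed with documentation addresses, and the function names are this example's own.

```python
import base64, ipaddress, re
from urllib.parse import parse_qsl, urlsplit

def parse_trace(text):
    """Pair each 'GET/POST <url>' line with the status line that follows it."""
    hops = []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(?:GET|POST)\s+(\S+)", line):
            hops.append({"url": m.group(1), "host": urlsplit(m.group(1)).hostname, "status": None})
        elif hops and (m := re.match(r"(\d{3})\s", line)):
            hops[-1]["status"] = int(m.group(1))
    return hops

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host or "")
    except ValueError:
        return False
    return True

def hidden_urls(url):
    """Return query values that are base64 of an http(s) URL, as `go=` is in the trace."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query):
        try:  # parse_qsl turns '+' into ' '; undo that before decoding
            raw = base64.b64decode(value.replace(" ", "+"), validate=True)
        except ValueError:
            continue
        if raw.startswith((b"http://", b"https://")):
            found.append(raw.decode("ascii", "replace"))
    return found

def review(hops, advertiser_host):
    """Summarise the requests made after the advertiser's page returned 200."""
    landed = next(i for i, h in enumerate(hops)
                  if h["status"] == 200 and h["host"] == advertiser_host)
    after = hops[landed + 1:]
    return {
        "redirects": sum(h["status"] in (301, 302, 303, 307) for h in after),
        "ip_hosts": sorted({h["host"] for h in after if is_ip_literal(h["host"])}),
        "decoded": sorted({u for h in after for u in hidden_urls(h["url"])}),
    }

NEXT = "http://203.0.113.9/click/?Terms=tomato%20seeds"  # constructed sample data
HOP2 = "http://198.51.100.7/click.php?qq=tomato+seeds&go=" + base64.b64encode(NEXT.encode()).decode()
SAMPLE = "\n".join([
    "GET http://shop.example/?Click=2", "200 OK",
    "GET http://192.0.2.10/click.php?id=1", f"302 Found to {HOP2}",
    f"GET {HOP2}", f"302 Found to {NEXT}", f"GET {NEXT}", "200 OK",
])
```

Calling `review(parse_trace(SAMPLE), "shop.example")` flags the same pattern the trace shows: a redirect chain through bare-IP hosts that starts only after the paid landing page has already returned 200.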