Botnet simulated humans to siphon millions in click-fraud scam

A recently discovered click-fraud botnet was costing advertisers more than $6 million per month by simulating human activity in targeting display ads on a couple of hundred websites.

The so-called Chameleon botnet, discovered by site traffic analyzer Spider.io, comprised more than 120,000 infected Windows PCs, nearly all with U.S. residential IP addresses. The operators targeted the same 202 sites, hijacking at least 65% of the traffic from ads.

The disclosure of Chameleon followed by about a month the takedown of the Bamital botnet, which had as many as 8 million compromised computers. Microsoft, working with Symantec, shut down the botnet responsible for such criminal activities as identity theft and click fraud. Microsoft has taken down six botnets in the last three years.

Click fraud is a major problem within the $12.7 billion online advertising industry. In its simplest forms, botnet operators generate fraudulent clicks through their own websites or partner with other site owners or ad networks.

While it isn’t clear how Chameleon operators made their money, London-based Spider.io said in a blog post that the botnet was 70 times more costly to advertisers than Bamital. Spider.io was unavailable for comment Wednesday.

[Also see: Botnets for hire likely used in U.S. bank attacks]

DataXu, which sells enterprise-class marketing software, provided forensic data to Spider.io. Christian Carrillo, vice president of innovation at DataXu, said Chameleon was unusual among the botnets he had seen.

“I’m not aware of any other botnet that tries to impersonate human beings as a way to siphon off advertising dollars,” Carrillo said.

Another atypical characteristic was its focus on display advertising, as opposed to text-link ads usually targeted by scammers, Spider.io said.

The display ads on average paid the botnet operators 69 cents per 1,000 ad views. Out of the 14 billion ad views per month on the targeted sites, the botnet generated 9 billion of them, which amounted to $6.2 million per month charged to advertisers.

The Chameleon operators used a combination of Flash and Javascript in making site visits appear to be those of a human. Each computer in the network often masqueraded as several concurrent visitors, each browsing through multiple pages across many sites.

The activity generated a heavy load on the malware-infected PC, causing it to crash and restart regularly, Spider.io said. This, along with the site-traversal pattern, created a distinctive signature.

Spider.io identified the botnet Feb. 28, but had been tracking abnormal behavior related to click traffic and later attributed to Chameleon since December 2012. Media6degrees, a marketing technology company, also assisted Spider.io.