Click Forensics: Bahama botnet stealing traffic from Google

Compromised machines take users to a fake Google page hosted in Canada, where search "results" are masked cost-per-click ads

The Bahama botnet, a sophisticated network of compromised computers that is wreaking click-fraud havoc among advertisers, is also snatching away Web traffic and revenue right from under the nose of mighty Google, Click Forensics said Thursday.

As part of its design, the Bahama botnet not only turns ordinary, legitimate PCs into click-fraud perpetrators that dilute the effectiveness of ad campaigns. It also modifies the way these PCs locate certain Web sites through a malicious practice called DNS poisoning.

In the case of, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box.

It's not clear where the Canadian server gets these results. What is evident is that the results aren't "organic" direct links to their destinations but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains, some of which are in on the scam and some of which aren't.

Sometimes the click takes the user to the advertiser's Web site and sometimes it takes him elsewhere, Matt Graham, a Click Forensics risk analyst, said in an interview.

"Regardless, CPC fees are generated, advertisers pay, and click fraud has occurred," Click Forensics reported on Thursday in a blog posting.

As a result, a user who intended to run a legitimate search on Google ends up unknowingly involved in a click-fraud scam in which Google also loses Web traffic and ad revenue. Google isn't the only provider of CPC ads being affected.

In this way, the Bahama botnet is creating a twisted Robin Hood-type situation by robbing traffic from major ad providers and routing it to smaller players.

"We are investigating and monitoring this issue just as we investigate and monitor many other botnets and schemes every day," a Google spokeswoman said via e-mail.

This novel blend of DNS-routing redirection and click fraud is an emerging trend among scammers. "As click fraud gets more sophisticated, DNS poisoning is going to be key to how click fraudsters make money," Graham said.

Click fraud usually affects marketers running CPC ad campaigns on search engines and Web sites. When a person or a computer clicks on a CPC ad with malicious intent or by mistake, that is considered click fraud.

However, if the ad provider, whether it be Google, Yahoo, Microsoft or another vendor, doesn't detect the click as fraudulent, it still gets to charge the advertiser for the click.

Thus, in this case, the Bahama botnet is affecting both parties -- the advertisers and the ad providers as well.

In some cases, however, the click doesn't register with the ad network, so the advertiser gets the click and the resulting traffic free, Graham said.

"One of the sophisticated traits of this piece of malware is that it limits the number of ads a single visitor can click on," Graham said, adding that it does this to prevent that particular computer from becoming suspicious to click-fraud filters. "If you do too much clicking, it will stop sending you through ad networks."

The motivations behind click fraud are varied. For example, in order to harm rival companies, a competitor may click on their CPC ads, knowing that they are having to pay for clicks that will not generate them any business.

Another click-fraud driver is the desire of Web publishers to increase their commissions on CPC ads by clicking on them, thus making the clicks empty of value because they're not being made by prospective customers. This scenario is likely behind the Bahama botnet, whose existence Click Forensics disclosed last month.

According to Click Forensics, which sells services to monitor ad campaigns for click fraud, the Bahama botnet is architected in such a way that allows it to dupe the most sophisticated traffic filters set up by search engines, Web publishers and ad networks.

This is because the botnet engages in certain tactics that make the rogue traffic it generates appear legitimate.

The botnet got its name from its initial routing of traffic through some 200,000 parked domains in the Bahamas. However, it now uses sites elsewhere in the world as well.

Botnets are networks of otherwise legitimate computers that have been secretly compromised with malware to perform a variety of malicious tasks.

In its worst-case scenario, the Bahama botnet has turned as much as 30 percent of an advertiser's CPC budget into click-fraud traffic, according to Click Forensics.

Join the CSO newsletter!

Error: Please check your email address.

Tags Click ForensicsGoogle

More about etworkGoogleMicrosoftYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Juan Carlos Perez

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place