Botnet simulated humans to siphon millions in click-fraud scam

A recently discovered click-fraud botnet was costing advertisers more than $6 million per month by simulating human activity in targeting display ads on a couple of hundred websites.

The so-called Chameleon botnet, discovered by site traffic analyzer, comprised more than 120,000 infected Windows PCs, nearly all with U.S. residential IP addresses. The operators targeted the same 202 sites, hijacking at least 65% of the traffic from ads.

The disclosure of Chameleon came about a month after the takedown of the Bamital botnet, which had as many as 8 million compromised computers. Microsoft, working with Symantec, shut down that botnet, which was responsible for criminal activities such as identity theft and click fraud. Microsoft has taken down six botnets in the last three years.

Click fraud is a major problem within the $12.7 billion online advertising industry. In its simplest forms, botnet operators generate fraudulent clicks through their own websites or partner with other site owners or ad networks.

While it isn't clear how Chameleon operators made their money, London-based said in a blog post that the botnet was 70 times more costly to advertisers than Bamital. was unavailable for comment Wednesday.


DataXu, which sells enterprise-class marketing software, provided forensic data to Christian Carrillo, vice president of innovation at DataXu, said Chameleon was unusual among the botnets he had seen.

"I'm not aware of any other botnet that tries to impersonate human beings as a way to siphon off advertising dollars," Carrillo said.

Another atypical characteristic was its focus on display advertising, as opposed to text-link ads usually targeted by scammers, said.

The display ads on average paid the botnet operators 69 cents per 1,000 ad views. Out of the 14 billion ad views per month on the targeted sites, the botnet generated 9 billion of them, which amounted to $6.2 million per month charged to advertisers.

The Chameleon operators used a combination of Flash and JavaScript to make site visits appear to be those of a human. Each computer in the network often masqueraded as several concurrent visitors, each browsing through multiple pages across many sites.

The activity generated a heavy load on the malware-infected PC, causing it to crash and restart regularly, said. This, along with the site-traversal pattern, created a distinctive signature. identified the botnet Feb. 28, but had been tracking abnormal behavior related to click traffic and later attributed to Chameleon since December 2012. Media6degrees, a marketing technology company, also assisted
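The signature described above (one host posing as several concurrent visitors, then going silent and returning with all-new sessions after a crash and restart) can be turned into a simple log heuristic. The following is an added example, not code from the researchers or the article; the log layout, IP addresses, session IDs and thresholds are constructed assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed ad-impression rows: (epoch_s, client_ip, session_id, site)."""
    rows = []
    for cycle in range(3):                      # bot-like host: run, go silent, come back
        for t in range(0, 300, 10):
            for s in range(3):                  # three interleaved "visitors"
                rows.append((cycle * 1000 + t + s, "198.51.100.7",
                             f"b{cycle}-{s}", f"site{(t // 10 + s) % 5}.example"))
    for t in [*range(0, 200, 40), *range(1500, 1700, 40)]:   # ordinary host, one session
        rows.append((t, "203.0.113.9", "h-1", "site1.example"))
    return rows

def profile(rows, gap_s=300):
    """Per IP: peak concurrent sessions, distinct sites, and session resets after silence."""
    by_ip = defaultdict(list)
    for ts, ip, sid, site in rows:
        by_ip[ip].append((ts, sid, site))
    result = {}
    for ip, events in by_ip.items():
        events.sort()
        segments = [[events[0]]]
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] > gap_s:        # silence longer than gap_s starts a new segment
                segments.append([])
            segments[-1].append(cur)
        seg_sessions = [{sid for _, sid, _ in seg} for seg in segments]
        # A reset: every session seen before the silence is gone afterwards (assumed restart).
        resets = sum(a.isdisjoint(b) for a, b in zip(seg_sessions, seg_sessions[1:]))
        span = {}
        for ts, sid, _ in events:               # first/last time each session was seen
            lo, hi = span.get(sid, (ts, ts))
            span[sid] = (min(lo, ts), max(hi, ts))
        edges = sorted([(lo, 1) for lo, _ in span.values()] +
                       [(hi + 1, -1) for _, hi in span.values()])
        live = peak = 0
        for _, delta in edges:                  # sweep to find the peak session overlap
            live += delta
            peak = max(peak, live)
        result[ip] = {"peak_sessions": peak, "resets": resets,
                      "sites": len({site for _, _, site in events})}
    return result

def flag(rows, min_sessions=3, min_resets=2):
    """IPs showing both concurrent sessions and repeated session resets."""
    return sorted(ip for ip, p in profile(rows).items()
                  if p["peak_sessions"] >= min_sessions and p["resets"] >= min_resets)

if __name__ == "__main__":
    print(flag(make_sample()))
```

An ordinary visitor who pauses and returns keeps the same session, so it produces a gap but no reset; requiring both conditions is what separates the two hosts in the sample.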

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


Stories by Antone Gonsalves
