A network of thousands of computers which stole millions of dollars from advertisers by generating fake advert viewings has been discovered.British web analytics firm Spider.io claims the “Chameleon” botnet is made up of 120,000 home PCs and costs advertisers £3.9 million per month.
Spider.io said that Chameleon simulated clicks on adverts on over 200 sites.
The firm said the botnet was responsible for up to nine billion false ad views every month.
Websites that show display ad receive money when an ad is viewed, in what is called cost-per-impression advertising. It works by money being paid when an ad impression is viewed, and advertisers selling a product or a service pay the website owner a fixed amount each time their ad is viewed.
The ads are typically placed by advertising networks that act as middlemen – the network places the ad on the publisher’s site and the advertiser pays the network and the publisher.
Advertisers use clicks and mouse movements over ads as leading indicators of visitor intent – meaning that the users being shown ads are more likely to buy a product or sign up to a new service.
So if a malicious programme generates clicks or mouse traces, then advertisers will be encouraged to buy more ad space.
Spider.io said that about 95% of the hijacked machines were in the US.
“This particular botnet is being used to emulate human users surfing the web, mimicking normal browsing sessions and normal ad engagement,” said the firm’s chief executive Douglas de Jager.
“It is difficult to imagine why one would run this type of botnet across a cluster of 202 sites other than to commit display advertising fraud.
“Unfortunately, we can’t be sure precisely which of the financially motivated parties is behind this. It could perhaps even be a single person within one of the companies, unbeknownst to others at this company.”
He added that the company was able to spot the botnet thanks to a very specific behaviour of the infected computers.
“The bots subject host machines to heavy load, and the bots appear to crash and restart regularly,” he said.
“When a bot crashes the concurrent sessions end abruptly; upon restart the bot requests a new set of cookies. These crashes and idiosyncratic site-traversal patterns are just two of the many bot features that provide for a distinctive bot signature.”
“Advertising networks – not the advertisers themselves – need to work harder at identifying the difference between a genuine user clicking on an ad, and a compromise computer that has been turned into a click-fraud bot.”