Security researchers have discovered a botnet estimated to be costing online display advertising around £3.9m a month by simulating up to 14 billion clicks on at least 200 websites.
It is unclear who is behind the botnet, dubbed "Chameleon", but the discovery highlights widespread fraud in which simulated clicks generate money for sites and ad networks, said the Guardian.
Click fraud abuses pay-per-click (PPC) advertising to make money through fake or fraudulent clicks on ads. PPC advertising generates billions of dollars in revenue each year and is operated by large networks such as Google Adwords, Yahoo Search Marketing and Microsoft adCenter.
According to UK web security analytics firm Spider.io, the botnet consists of at least 120,000 hijacked PCs running the Windows operating system (OS), 95% of them located in the US.
The financial beneficiaries of click fraud are the website owners, who typically get 55% to 65% of the money paid by advertisers to display ads; and ad networks, which typically get 30% of ad revenue.
But Douglas de Jager, CEO of Spider.io, has declined to name any of the publishers being targeted by the botnet, because they might be the targets of a scam run from outside or by a single rogue employee.
Spider.io has been tracking anomalous behaviour associated with Chameleon since December 2012. Researchers said it is a sophisticated botnet that has largely evaded detection by advertisers.
The bots, which look like Internet Explorer 9.0 running on Windows 7, click on ad impressions with an average click-through rate of 0.02% and generate mouse traces across 11% of ad impressions.
However, researchers found that the bots visit only 202 websites and crash occasionally. They also generate clicks randomly dispersed around the page, unlike human visitors.
These characteristics are the strongest indicators that the botnet is designed to commit click fraud.
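Detection logic built from the behavioural indicators described above, added here as an illustration and not Spider.io's own method: it profiles each client in a constructed click log and flags those whose click coordinates are spread uniformly across the page, since human clicks cluster on a few elements, and uses the IE 9.0 on Windows 7 fingerprint only as corroboration. The log format, page dimensions and the 0.2 threshold are assumptions.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Assumed page size for normalising click coordinates (assumption, not from the article).
PAGE_W, PAGE_H = 1280, 2000
# Corroborating fingerprint only: the article says the bots look like IE 9.0 on Windows 7.
IE9_WIN7 = re.compile(r"MSIE 9\.0; Windows NT 6\.1")

# Constructed sample click log: client,user_agent,site,x,y (one ad click per line).
SAMPLE_LOG = """\
c1,Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1),siteA,37,1843
c1,Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1),siteA,1201,92
c1,Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1),siteB,640,1500
c1,Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1),siteA,980,410
c2,Mozilla/5.0 (Windows NT 6.1) Firefox/19.0,siteC,305,212
c2,Mozilla/5.0 (Windows NT 6.1) Firefox/19.0,siteC,310,218
c2,Mozilla/5.0 (Windows NT 6.1) Firefox/19.0,siteC,298,209
"""

def profile_clients(log_text):
    """Collect user agent and click coordinates per client from the CSV-style log."""
    prof = defaultdict(lambda: {"ua": "", "clicks": []})
    for line in filter(str.strip, log_text.splitlines()):
        client, ua, _site, x, y = line.split(",")
        prof[client]["ua"] = ua
        prof[client]["clicks"].append((int(x), int(y)))
    return prof

def click_dispersion(clicks):
    """Mean of the normalised x/y standard deviations: about 0.29 for clicks spread
    uniformly over the page, near 0 when they cluster on a few elements as human clicks do."""
    if len(clicks) < 2:
        return 0.0
    xs = [x / PAGE_W for x, _ in clicks]
    ys = [y / PAGE_H for _, y in clicks]
    return (pstdev(xs) + pstdev(ys)) / 2

def flag_suspects(log_text, threshold=0.2):
    """Return {client: [reasons]} for clients whose clicks are dispersed like a bot's."""
    suspects = {}
    for client, p in profile_clients(log_text).items():
        if click_dispersion(p["clicks"]) > threshold:  # primary behavioural indicator
            reasons = ["dispersed clicks"]
            if IE9_WIN7.search(p["ua"]):               # corroborating, never sufficient alone
                reasons.append("IE9/Win7 fingerprint")
            suspects[client] = reasons
    return suspects

if __name__ == "__main__":
    print(flag_suspects(SAMPLE_LOG))  # → {'c1': ['dispersed clicks', 'IE9/Win7 fingerprint']}
```

On real traffic the dispersion score would be computed per client over many pages and combined with the other indicators the article lists, such as an abnormally low click-through rate and a small, fixed set of visited sites.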
According to Graham Cluley, senior technology consultant at security firm Sophos, advertising networks are best placed to combat click fraud.
“Advertising networks – not the advertisers themselves – need to work harder at identifying the difference between a genuine user clicking on an ad, and a compromised computer that has been turned into a click-fraud bot,” he told the BBC.