Click fraud botnet costs advertisers £3.9m a month

Security researchers find a botnet costing online display advertising £3.9m a month by simulating 14 billion clicks on at least 200 websites

Security researchers have discovered a botnet estimated to be costing online display advertising around £3.9m a month by simulating up to 14 billion clicks on at least 200 websites.

It is unclear who is behind the botnet, dubbed "Chameleon", but the discovery highlights widespread fraud in which simulated clicks generate money for sites and ad networks, the Guardian reported.

Click fraud abuses pay-per-click (PPC) advertising to make money through fake or fraudulent clicks on ads. PPC advertising generates billions of dollars in revenue each year and is operated by large networks such as Google AdWords, Yahoo Search Marketing and Microsoft adCenter.

According to the UK web security analytics firm that discovered it, the botnet consists of at least 120,000 hijacked PCs running the Windows operating system (OS), 95% of them located in the US.

The financial beneficiaries of click fraud are the website owners, who typically get 55% to 65% of the money paid by advertisers to display ads; and ad networks, which typically get 30% of ad revenue.


Douglas de Jager, the firm's CEO, has declined to name any of the publishers being targeted by the botnet, because they might themselves be the victims of a scam run from outside or by a single rogue employee. The firm has been tracking anomalous behaviour associated with Chameleon since December 2012, and its researchers describe it as a sophisticated botnet that has largely evaded detection by advertisers.

The researchers found that individual bots run Adobe Flash and execute JavaScript, generating click traces that look like those of normal users. The bots also generate client-side events indicative of normal user engagement.

The bots present themselves as Internet Explorer 9.0 running on Windows 7, click on ad impressions at an average click-through rate of 0.02%, and generate mouse traces across 11% of ad impressions.

However, the researchers found the bots visit only 202 websites and crash occasionally. Their clicks are also dispersed randomly across the page, unlike those of human visitors.

These characteristics are the strongest indicators that the botnet is designed to commit click fraud.
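The traits above (a low, steady click-through rate, mouse traces on only a minority of impressions, and clicks scattered uniformly over the ad rather than clustered where a person would click) can be turned into per-client indicators. The following Python is an added illustration, not code from the article or from the firm that found the botnet: the impression log format, the two clients, the 3x3-cell chi-square dispersion test and the flagging thresholds are all constructed for this example.

```python
"""Scoring ad clients for Chameleon-style click-fraud indicators.

Added illustration, not code from the article or from the firm that found the
botnet. The features follow the traits the article lists: clicks dispersed
uniformly across the ad rather than clustered, a low steady click-through
rate, and mouse traces on only a minority of impressions. The log format,
the thresholds and the two clients are constructed (hypothetical) data.
"""
import random


def _clamp(v):
    """Keep a click coordinate inside the ad, [0, 1)."""
    return min(max(v, 0.0), 0.999)


def build_sample_log(seed=7, impressions=5000):
    """Constructed impression log: one tuple per ad impression,
    (client_id, clicked, mouse_trace, x, y), where x and y are the click
    position inside the ad normalised to [0, 1), or None if no click.
    A fixed seed keeps the run repeatable."""
    rng = random.Random(seed)
    log = []
    # Hypothetical bot: 2% CTR, clicks landing anywhere in the ad with
    # uniform probability, a mouse trace on roughly 11% of impressions.
    for _ in range(impressions):
        clicked = rng.random() < 0.02
        x = rng.random() if clicked else None
        y = rng.random() if clicked else None
        log.append(("bot-1", clicked, rng.random() < 0.11, x, y))
    # Hypothetical human: same CTR, but clicks cluster on the centre of the
    # ad (where the call-to-action usually sits) and most views leave a trace.
    for _ in range(impressions):
        clicked = rng.random() < 0.02
        x = _clamp(rng.gauss(0.5, 0.08)) if clicked else None
        y = _clamp(rng.gauss(0.5, 0.08)) if clicked else None
        log.append(("human-1", clicked, rng.random() < 0.80, x, y))
    return log


def dispersion_chi2(points, bins=3):
    """Chi-square statistic of click positions against a uniform layout over
    a bins x bins grid. Uniformly dispersed clicks give a small value
    (around bins*bins - 1 on average); clicks piled into one cell give a
    large one."""
    counts = [0] * (bins * bins)
    for x, y in points:
        counts[int(x * bins) * bins + int(y * bins)] += 1
    expected = len(points) / (bins * bins)
    return sum((c - expected) ** 2 / expected for c in counts)


def score_client(log, client_id, chi2_threshold=30.0, trace_threshold=0.3):
    """Compute the indicators for one client and apply a hypothetical rule:
    flag as a suspected bot when the click layout is indistinguishable from
    uniform AND mouse traces appear on fewer than trace_threshold of views.
    CTR alone is not used as a trigger, since the botnet keeps it at a
    plausible level."""
    rows = [r for r in log if r[0] == client_id]
    clicks = [(r[3], r[4]) for r in rows if r[1]]
    impressions = len(rows)
    ctr = len(clicks) / impressions if impressions else 0.0
    trace_rate = sum(1 for r in rows if r[2]) / impressions if impressions else 0.0
    chi2 = dispersion_chi2(clicks) if clicks else float("inf")
    dispersed = chi2 < chi2_threshold
    return {
        "impressions": impressions,
        "clicks": len(clicks),
        "ctr": ctr,
        "trace_rate": trace_rate,
        "chi2": chi2,
        "dispersed": dispersed,
        "suspected_bot": dispersed and trace_rate < trace_threshold,
    }


if __name__ == "__main__":
    sample = build_sample_log()
    for cid in ("bot-1", "human-1"):
        print(cid, score_client(sample, cid))
```

The chi-square threshold of 30 sits far above the expected value of about 8 for a genuinely uniform layout over nine cells, so a clustered human client is not mistaken for a bot while a bot with a hundred or so uniformly placed clicks stays well under it. In practice the per-client score would be combined with the population-level signal the article describes, namely many clients confining themselves to the same small set of sites.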

According to Graham Cluley, senior technology consultant at security firm Sophos, advertising networks are best placed to combat click fraud.

“Advertising networks – not the advertisers themselves – need to work harder at identifying the difference between a genuine user clicking on an ad, and a compromised computer that has been turned into a click-fraud bot,” he told the BBC.
