Botnet steals 'millions of dollars from advertisers'

Published 20 March 2013


A network of thousands of computers stealing millions of dollars from advertisers by generating fake advert viewings has been discovered.

British web analytics firm Spider.io claims the "Chameleon" botnet is made up of 120,000 home PCs and costs advertisers $6m (£3.9m) per month.

Spider.io said that Chameleon simulated clicks on adverts on over 200 sites.

The firm said the botnet was responsible for up to nine billion false ad views every month.

Websites that show display ads are paid when an ad is viewed, in what is called cost-per-impression advertising: an advertiser selling a product or a service pays the website owner a fixed amount each time its ad is shown to a visitor (an "impression").

The ads are typically placed by advertising networks that act as middlemen - the network places the ad on the publisher's site and the advertiser pays the network and the publisher.

Specific behaviour

Advertisers use clicks and mouse movements over ads as leading indicators of visitor intent - a sign that the users being shown the ads are more likely to buy a product or sign up to a new service.

So if a malicious programme generates fake clicks or mouse traces, advertisers are encouraged to buy more ad space on the sites where those apparently engaged users appear.

Spider.io said that about 95% of the hijacked machines were in the US.

"This particular botnet is being used to emulate human users surfing the web, mimicking normal browsing sessions and normal ad engagement," said the firm's chief executive Douglas de Jager.

"It is difficult to imagine why one would run this type of botnet across a cluster of 202 sites other than to commit display advertising fraud.

"Unfortunately, we can't be sure precisely which of the financially motivated parties is behind this. It could perhaps even be a single person within one of the companies, unbeknownst to others at this company."

He added that the company was able to spot the botnet thanks to a very specific behaviour of the infected computers.

"The bots subject host machines to heavy load, and the bots appear to crash and restart regularly," he said.

"When a bot crashes the concurrent sessions end abruptly; upon restart the bot requests a new set of cookies. These crashes and idiosyncratic site-traversal patterns are just two of the many bot features that provide for a distinctive bot signature."
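The signature described in the quote above - sessions that end abruptly, a fresh cookie set requested on restart, and many concurrent sessions from one machine - can be turned into a simple log-based check. The following is an added illustration written for this page, not Spider.io's detection code. It assumes a constructed ad-server log format (epoch seconds, client IP, cookie ID or "-" for a cookieless request, site, user agent) and constructed sample lines; the thresholds are arbitrary and would need tuning against real traffic.

```python
"""Toy detector for the crash-and-restart bot signature (added example).

Assumed log format, one request per line (constructed, not a real product's format):
    <epoch seconds> <client ip> <cookie id or "-"> <site> "<user agent>"
A "-" cookie means the client arrived without a session cookie and was issued a new set.
"""
from collections import defaultdict

ABRUPT_GAP = 5     # seconds between a session's last request and a cookieless restart
WINDOW = 60        # seconds over which concurrent sites are counted

# Constructed sample traffic. The bot hits several sites at once, then "crashes"
# (its cookie stops being sent) and immediately comes back asking for new cookies.
# The user-agent string is the one the article says Chameleon imitates.
BOT_UA = '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"'
HUMAN_UA = '"Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"'

_BOT = [(1000, "-", "site-a"), (1001, "c1", "site-a"), (1002, "c1", "site-b"),
        (1003, "c1", "site-c"), (1010, "c1", "site-b"),
        (1012, "-", "site-a"),                      # restart 2 s after last c1 request
        (1013, "c2", "site-a"), (1014, "c2", "site-c"), (1015, "c2", "site-d"),
        (1017, "-", "site-b"),                      # restart 2 s after last c2 request
        (1018, "c3", "site-b"), (1019, "c3", "site-a"), (1020, "c3", "site-c")]
_HUMAN = [(1000, "-", "site-a"), (1001, "h1", "site-a"),
          (1045, "h1", "site-a"), (1130, "h1", "site-b")]

SAMPLE_LOG = "\n".join(
    [f"{ts} 203.0.113.5 {ck} {site}.example {BOT_UA}" for ts, ck, site in _BOT] +
    [f"{ts} 198.51.100.7 {ck} {site}.example {HUMAN_UA}" for ts, ck, site in _HUMAN])


def parse_line(line):
    # maxsplit=4 keeps the (space-containing) user agent as the final field
    ts, ip, cookie, site, ua = line.split(" ", 4)
    return {"ts": int(ts), "ip": ip, "cookie": cookie, "site": site, "ua": ua.strip('"')}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def cookie_resets(events, abrupt_gap=ABRUPT_GAP):
    """Count abrupt restarts for one client: a cookieless request that arrives within
    abrupt_gap seconds of the previous cookie's last request, i.e. the earlier session
    did not wind down, it simply stopped and the client asked for fresh cookies."""
    resets = 0
    last_cookie_ts = None
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["cookie"] == "-":
            if last_cookie_ts is not None and e["ts"] - last_cookie_ts <= abrupt_gap:
                resets += 1
        else:
            last_cookie_ts = e["ts"]
    return resets


def max_concurrent_sites(events, window=WINDOW):
    """Largest number of distinct sites one client touched inside any `window` seconds."""
    evs = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(evs):
        sites = {e["site"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
        best = max(best, len(sites))
    return best


def score_clients(log_text, min_resets=2, min_sites=3):
    """Per-client summary; a client is flagged only when both signals are present."""
    by_ip = defaultdict(list)
    for e in parse_log(log_text):
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        resets = cookie_resets(evs)
        sites = max_concurrent_sites(evs)
        report[ip] = {
            "resets": resets,
            "max_sites": sites,
            "user_agents": sorted({e["ua"] for e in evs}),
            "suspect": resets >= min_resets and sites >= min_sites,
        }
    return report


if __name__ == "__main__":
    for ip, info in score_clients(SAMPLE_LOG).items():
        print(ip, info)
```

Neither signal is conclusive on its own: a person who clears cookies, or who keeps a few tabs open, will trip one of them. Requiring both, and doing so across many hosts that share the same crash rhythm and the same spoofed user agent, is what makes the pattern useful as a signature rather than as a per-visitor verdict.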

Mimicking humans

Graham Cluley, a computer security expert from net security company Sophos, told the BBC that there were ways for computer owners to protect their machines from this type of fraud - for instance, by using up-to-date anti-virus software.

"The good news is that Chameleon is said to be quite unstable, and causes regular crashes and computer slowdown - something which might alert users to there being a problem with their PC."

He added that since Chameleon mimics human clicks, it is tricky for advertisers to easily spot the botnet.

"It makes the click look more human by randomly moving the cursor and the place where the mouse clicks, and pretending to be Internet Explorer 9.0 running on Windows 7.

"Advertising networks - not the advertisers themselves - need to work harder at identifying the difference between a genuine user clicking on an ad, and a compromised computer that has been turned into a click-fraud bot.