“Chameleon” First Botnet Tied to Online Display Ad Fraud
A botnet – stemming from the words robot and network – is a collection of web-connected software applications or “bots” running on infected computers that perform automated and coordinated tasks and are normally commanded by a central bot master. Bots have historically been used to perform routine tasks repeated at very high throughputs. This is one of the reasons why cybercriminals have leveraged bots for malicious purposes like spamming, denial of service attacks, phishing and now online display advertising click-fraud. Bots can be distributed via drive-by downloads, exploits and phishing schemes just to name a few. Modules are installed that allow bot masters to command and control the infected host machines. Detecting bots is difficult even for anti-virus software.
According to Spider.io, which has been observing anomalous traffic patterns since December 2012 with the help of several media technology companies, Chameleon is the first botnet of its kind in that it targets online display advertisements instead of text-based ads. Spider.io also reports the following:
- The Chameleon botnet emulated human visitors on at least 202 websites and generated billions of fraudulent display ad impressions.
- The more than $6 million per month siphoned from online advertisers by the botnet was estimated to be 70 times the cost inflicted by the Bamital botnet.
- Over 120,000 bots have been identified on machines running Microsoft Windows, apparently located in the U.S.
- Advertisers paid for ad impressions served to the botnet at an average cost-per-thousand (CPM) of $0.69.
- Additional details can be found in the official Spider.io report.
The fact that Chameleon mimicked real humans is both fascinating and alarming. It avoided drawing attention to itself by generating human-like click traces instead of merely sending page requests. It used a Flash-based browser capable of executing JavaScript but reported itself as Internet Explorer 9.0 running on Windows 7. Each bot seems sophisticated on its own, but taken as a whole, the traffic generated by the botnet was highly homogeneous: the distribution of clicks and mouse movements was unnaturally uniform. Aside from the click patterns, it was observed that the Chameleon bots subjected their host machines to heavy data loads that caused the systems to crash and restart frequently. Upon restarting, the bots requested new sets of cookies to remove traces of prior activity.
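One way a defender can turn the homogeneity observation above into a check, as an added Python example that is not code from the Spider.io report: it bins each session's click coordinates into a grid and scores how uniform the distribution is, since clicks sampled evenly over the page score near 1.0 while human clicks cluster on a few elements. The grid size, the 0.9 threshold and the sample sessions are assumptions constructed for this example.

```python
import math
import random
from typing import Iterable, Tuple

Click = Tuple[int, int]  # (x, y) viewport coordinates of one click


def click_entropy(clicks: Iterable[Click], width: int, height: int, grid: int = 4) -> float:
    """Normalised Shannon entropy (0..1) of click positions over a grid x grid
    histogram of the viewport. Clusters on a few page elements give a low
    score; clicks spread uniformly over the page approach 1.0."""
    bins = [0] * (grid * grid)
    total = 0
    for x, y in clicks:
        # Clamp so off-viewport coordinates land in an edge bin, never a negative index.
        col = max(0, min(int(x * grid / width), grid - 1))
        row = max(0, min(int(y * grid / height), grid - 1))
        bins[row * grid + col] += 1
        total += 1
    if total == 0:
        return 0.0
    h = -sum((n / total) * math.log2(n / total) for n in bins if n)
    return h / math.log2(grid * grid)


def is_suspicious(clicks: Iterable[Click], width: int, height: int, threshold: float = 0.9) -> bool:
    """Flag a session whose click spread is unnaturally uniform.
    The threshold is an assumption for this example, not a value from the report."""
    return click_entropy(clicks, width, height) >= threshold


# Constructed sample sessions (not real traffic) on a 1280x800 viewport.
W, H = 1280, 800
rng = random.Random(7)
# Human-like: clicks clustered around two page elements.
human_session = [(int(rng.gauss(200, 30)), int(rng.gauss(150, 30))) for _ in range(100)] + \
                [(int(rng.gauss(900, 30)), int(rng.gauss(700, 30))) for _ in range(100)]
# Bot-like: clicks spread uniformly over the whole viewport.
bot_session = [(rng.randrange(W), rng.randrange(H)) for _ in range(200)]

if __name__ == "__main__":
    for name, session in (("human", human_session), ("bot", bot_session)):
        print(f"{name}: entropy={click_entropy(session, W, H):.2f} "
              f"suspicious={is_suspicious(session, W, H)}")
```

Run on real session logs, the same score can be compared across many sessions: a fleet whose sessions all score alike is the homogeneity the report describes.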
Clearly, the motive behind the creation of the Chameleon botnet was financial in nature. Publishers receive an estimated 55% to 65% of the money spent by advertisers, while ad networks receive about 30% of the media buys. The buying and selling of online display ad impressions is typically facilitated by ad exchanges in real time. Most of the brands affected by the Chameleon botnet used this type of automated platform.
Spider.io even raised suspicions about who’s behind the Chameleon botnet and urged the owners of some of the most targeted websites to step forward and disclose their traffic sources for the benefit of the online display ad industry. Whether or not ad networks are responsible for the botnet is still uncertain. What is certain is how much money the Chameleon botnet has cost online advertisers. They are the real victims here and the decision to invest in online display advertising does not come easy as it is.
Advertisers must choose between facilitating media buys in-house and outsourcing to a marketer or agency. Then, when it comes time for the actual display ad buy, whoever facilitates it is presented with an overwhelming number of options that can include working with ad networks, demand-side platforms, ad exchanges and analytics firms, in addition to video- and mobile-only platforms. Plus, every week it seems like a new acquisition or merger is announced within the ad industry. When this is so frequent, credibility is lost and a clear path becomes hazy. Advertisers should focus on finding display ad technology partners that offer a high-quality and brand-safe inventory of websites. Brand safety should be the most important requirement.