
Chameleon botnet steals $6M per month in click fraud scam

More than 120,000 Windows-based computers running Internet Explorer 9 are infected in the U.S., researchers say.

Steven Musil Night Editor / News

Security researchers say they have identified a botnet that steals more than $6 million per month by generating fake customer clicks on online display ads.

Dubbed Chameleon, the botnet has infected more than 120,000 Windows-based computers in the U.S., mimicking human behavior on select Web sites to generate billions of ad impressions and fraudulent income for its creators, according to security firm Spider.io.

Click fraud costs Web advertisers in lost revenue by making them pay for illegitimate clicks. Spider.io reported that advertisers paid an average of 69 cents per one thousand impressions generated by the botnet. Researchers estimate Chameleon was responsible for two-thirds of the 14 billion ad impressions served by the 202 affected Web sites, nearly all of which are located in the U.S.

Researchers said all the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. Chameleon accesses the Web through a Flash-enabled Trident-based browser that executes JavaScript.

"Each bot often masquerades as several concurrent website visitors, each visiting multiple pages across multiple websites," Spider.io reported, noting that the bot's heavy load on infected machines caused frequent crashes and restarts.

The crash causes sessions to end abruptly and, upon restart, the bot will request a new set of cookies. This provided a distinct signature pattern that allowed researchers to track the malware and compile a blacklist of 5,000 IP addresses associated with the worst botnet behavior.
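The crash-and-restart pattern described above (a bot that repeatedly loses its session and asks the ad server for a fresh cookie) is something a publisher or ad exchange can look for in its own request logs. The following is an added illustration, not Spider.io's code or the technique the researchers actually used: it parses constructed, pipe-separated ad-request log lines (timestamp, client IP, cookie, user agent), treats a request that presents no cookie as the start of a new session, and flags any client IP that begins more than a hypothetical threshold of sessions inside a short sliding window. The window and threshold values, the sample IPs and cookie IDs, and the log format are all assumptions made for the example.

```python
"""Flag client IPs whose sessions keep restarting with fresh cookies.

Added example; the log format, thresholds and sample data are constructed
for illustration and are not taken from Spider.io's analysis.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The article says every bot reported IE 9.0 on Windows 7. This is a standard
# IE9/Win7 user-agent string, not one quoted from the researchers.
IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 Chrome/26.0 Safari/537.31"

# Constructed sample log. Fields: timestamp|client_ip|cookie|user_agent
# A cookie of "-" means the client presented none and the server issued
# a fresh one, i.e. a new browser session began.
SAMPLE_LOG = "\n".join([
    # 198.51.100.7: session restarts every three minutes, fresh cookie each time
    f"2013-03-19T10:00:00|198.51.100.7|-|{IE9_WIN7}",
    f"2013-03-19T10:00:05|198.51.100.7|c1a|{IE9_WIN7}",
    f"2013-03-19T10:03:00|198.51.100.7|-|{IE9_WIN7}",
    f"2013-03-19T10:03:04|198.51.100.7|c1b|{IE9_WIN7}",
    f"2013-03-19T10:06:00|198.51.100.7|-|{IE9_WIN7}",
    f"2013-03-19T10:09:00|198.51.100.7|-|{IE9_WIN7}",
    f"2013-03-19T10:12:00|198.51.100.7|-|{IE9_WIN7}",
    # 192.0.2.44: one ordinary session whose cookie persists
    f"2013-03-19T10:00:00|192.0.2.44|-|{CHROME}",
    f"2013-03-19T10:01:00|192.0.2.44|z9|{CHROME}",
    f"2013-03-19T10:07:00|192.0.2.44|z9|{CHROME}",
    # 192.0.2.45: IE9 on Win7, but a single normal session (UA alone is not enough)
    f"2013-03-19T10:00:00|192.0.2.45|-|{IE9_WIN7}",
    f"2013-03-19T10:05:00|192.0.2.45|k2|{IE9_WIN7}",
])


def parse_log(text):
    """Parse pipe-separated lines into (datetime, ip, cookie, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cookie, ua = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), ip, cookie, ua))
    return events


def session_starts_per_ip(events):
    """Map each client IP to the timestamps of its cookie-less (new-session) requests."""
    starts = defaultdict(list)
    for ts, ip, cookie, _ua in events:
        if cookie == "-":
            starts[ip].append(ts)
    return starts


def max_starts_in_window(timestamps, window):
    """Largest number of session starts that fall inside any sliding window."""
    timestamps = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(timestamps):
        # Advance the left edge until the window spans at most `window`.
        while t - timestamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def flag_reset_pattern(text, window=timedelta(minutes=15), threshold=4):
    """Return (ip, total_session_starts, user_agents) for IPs that start at
    least `threshold` sessions inside `window`. Both tuning values are
    hypothetical; a real deployment would calibrate them against its own traffic."""
    events = parse_log(text)
    ua_by_ip = defaultdict(set)
    for _ts, ip, _cookie, ua in events:
        ua_by_ip[ip].add(ua)
    flagged = []
    for ip, starts in session_starts_per_ip(events).items():
        if max_starts_in_window(starts, window) >= threshold:
            flagged.append((ip, len(starts), sorted(ua_by_ip[ip])))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, n, uas in flag_reset_pattern(SAMPLE_LOG):
        print(f"{ip}: {n} session starts; user agents: {uas}")
```

The user agent is carried along for correlation rather than used as the trigger: an IE9-on-Windows-7 string by itself describes a great many legitimate visitors, and in the sample the ordinary IE9 client is not flagged. Only the repeated fresh-cookie requests from one address within a short window, the behaviour the researchers tied to crash-and-restart cycles, raise an alert.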

The discovery of the Chameleon botnet comes a month after Microsoft and Symantec took down the Bamital botnet, which also cost Internet advertisers millions of dollars. Chameleon is more than 70 times as costly as Bamital, and it is notable as the first botnet to hit display advertisers at this scale.

"Spider.io has been tracking anomalous behaviour associated with Chameleon botnet since December 2012, and in February of this year the extent of the Chameleon botnet's principal web-browsing activity was established," Spider.io said in its advisory. "This was achieved as part of spider.io's broader work with leading display ad exchanges and demand-side platforms to identify deviant consumption of display advertising media."