'Hocus Pocus 2' Review Wi-Fi 6 Router With Built-In VPN Sleep Trackers Capital One Claim Deadline Watch Tesla AI Day Student Loan Forgiveness Best Meal Delivery Services Vitamins for Flu Season
Want CNET to notify you of price drops and the latest stories?
No, thank you

Chameleon botnet steals $6M per month in click fraud scam

More than 120,000 Windows-based computers running Internet Explorer 9 are infected in the U.S., researchers say.

Security researchers say they have identified a botnet that steals more than $6 million per month by generating fake customer clicks on online display ads.

Dubbed Chameleon, the botnet has infected more than 120,000 Windows-based computers in the U.S., mimicking human behavior on select Web sites to generate billions of ad impressions and fraudulent income for its creators, according to security firm Spider.io.

Click fraud costs Web advertisers in lost revenue by making them pay for illegitimate clicks. Spider.io reported that advertisers paid an average of 69 cents per one thousand impressions generated by the botnet. Researchers estimate Chameleon was responsible for two-thirds of the 14 billion ad impressions served by the 202 affected Web sites, nearly all of which are located in the U.S.

Researchers said all the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. Chameleon accesses the Web through a Flash-enabled Trident-based browser that executes JavaScript.

"Each bot often masquerades as several concurrent website visitors, each visiting multiple pages across multiple websites," Spider.io reported, noting that the bot's heavy load on infected machines caused frequent crashes and restarts.

The crash causes sessions to end abruptly and, upon restart, the bot will request a new set of cookies. This provided a distinct signature pattern that allowed researchers to track the malware and compile a blacklist of 5,000 IP addresses associated with the worst botnet behavior.

The discovery of the Chameleon botnet comes a month after Microsoft and Symatec took down the Bamital botnet, which also costs Internet advertisers millions of dollars. While being more than 70 times more costly than Bamital, Chameleon is notable in that it is the first botnet to be impacting display advertisers at this scale.

"Spider.io has been tracking anomalous behaviour associated with Chameleon botnet since December, 2012, and in February of this year the extent of the Chameleon botnet's principal web-browsing activity was established," Spider.io said in its advisory. "This was achieved as part of spider.io's broader work with leading display ad exchanges and demand-side platforms to identify deviant consumption of display advertising media."