
‘Chameleon’ Botnet Pilfers Millions From Advertisers

A sophisticated botnet has made its owners at least $6.2 million (£4.09m) by forcing infected machines to click on ads.

The Chameleon botnet consists of over 120,000 bots, which are running on infected Windows PCs, sucking up traffic by running sessions in the background, clicking on ads from 202 selected websites, said London-based Spider.io.

How it works

The tactic is not new. Other malware, such as the massively prevalent ZeroAccess, has exploited pay-per-click advertising, which sees website owners paid every time an ad is clicked on. Cyber crooks create malware that clicks on these ads, on websites they own, thereby making themselves plenty of money.

Criminals become affiliates of advertising networks such as Google Adwords so that the sites they control serve ads from significant marketers. It is only the marketers who lose out: they pay for the clicks, and the money flows through the network to the fraudsters, without the advertiser gaining any benefit.

Indeed, there is a chance Chameleon is not a new threat from the perspective of other AV vendors. It could be something like ZeroAccess, but with a different name. Spider.io had not responded to a request for comment at the time of publication.

Chameleon is still a sophisticated malicious network, however. Its niftiest trick is to avoid detection by carrying out actions designed to resemble a human user. Instead of just pummeling ads with clicks, the bots carry out non-profit-making activities, as a normal user would, such as visiting non-target sites.

“Individual bots run Flash and execute JavaScript. Bots generate click traces indicative of normal users,” Spider.io wrote in a blog post.

“Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02 percent; and they surprisingly generate mouse traces across 11 percent of ad impressions.”

Spider.io's diagrams (not reproduced here) show how dispersed the clicks are.

The bot browsers also report themselves to websites as being Internet Explorer 9.0 running on Windows 7.
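The three signals the article reports (a click-through rate of about 0.02 percent, mouse traces on about 11 percent of impressions, and every bot identifying as Internet Explorer 9.0 on Windows 7) are exactly what a publisher or ad network would profile per traffic source. The following is an added example, not code from the article or from Spider.io: it builds a constructed impression log for two sources, computes those three statistics per source, and flags sources that look like Chameleon traffic. The human-baseline thresholds, the source names and the non-IE User-Agent strings are assumptions made for illustration.

```python
"""Per-source ad-traffic profiling against the Chameleon signature.

Added example (not the article's or Spider.io's code). Sample data and
thresholds are constructed; only the 0.02% CTR, 11% mouse-trace rate and the
IE 9.0 / Windows 7 User-Agent come from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Genuine IE9-on-Windows-7 User-Agent string, as the article says the bots report.
IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
# Constructed UAs for the human-like source (assumption, not from the article).
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 Chrome/25.0.1364.172"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

# Assumed thresholds. A human audience is expected to move the mouse on far
# more than 11% of impressions and never to run a single browser build.
MIN_IMPRESSIONS = 1_000   # do not score thin sources
MAX_MOUSE_RATE = 0.30     # mouse traces on <= 30% of impressions is suspicious
MIN_UA_SHARE = 0.95       # >= 95% of impressions on one UA is suspicious


@dataclass(frozen=True)
class Impression:
    source: str        # publisher site or network block the impression came from
    user_agent: str
    clicked: bool
    mouse_trace: bool  # did the page record any client-side mouse events?


def make_source(name, n, clicks, traces, user_agents):
    """Deterministic constructed data: the first `clicks` impressions are
    clicked, the first `traces` carry a mouse trace, UAs are cycled in order."""
    return [Impression(name, user_agents[i % len(user_agents)], i < clicks, i < traces)
            for i in range(n)]


def sample_log():
    # "site-a" reproduces the article's bot statistics: 0.02% CTR, 11% mouse
    # traces, 100% IE9/Win7. "site-b" is a constructed human-like mix.
    bot_like = make_source("site-a", 10_000, clicks=2, traces=1_100,
                           user_agents=[IE9_WIN7])
    human_like = make_source("site-b", 2_000, clicks=10, traces=1_500,
                             user_agents=[IE9_WIN7, CHROME, FIREFOX])
    return bot_like + human_like


def profile(log):
    """Aggregate impressions per source into CTR, mouse rate and UA share."""
    acc = defaultdict(lambda: {"n": 0, "clicks": 0, "traces": 0, "ua": defaultdict(int)})
    for imp in log:
        s = acc[imp.source]
        s["n"] += 1
        s["clicks"] += imp.clicked
        s["traces"] += imp.mouse_trace
        s["ua"][imp.user_agent] += 1
    out = {}
    for src, s in acc.items():
        n = s["n"]
        top_ua = max(s["ua"], key=s["ua"].get)
        out[src] = {
            "impressions": n,
            "ctr": s["clicks"] / n,
            "mouse_rate": s["traces"] / n,
            "ua_share": s["ua"][top_ua] / n,
            "top_ua": top_ua,
        }
    return out


def flags(p):
    """Reasons a profiled source looks like Chameleon traffic (empty = clean).

    Note what is deliberately absent: a CTR check. The bots' 0.02% CTR is
    chosen to sit inside the normal range, so CTR alone does not separate them;
    the discriminating signals are the thin mouse activity and the uniform UA.
    """
    reasons = []
    if p["impressions"] < MIN_IMPRESSIONS:
        return reasons
    if p["mouse_rate"] <= MAX_MOUSE_RATE:
        reasons.append(f"mouse traces on only {p['mouse_rate']:.1%} of impressions")
    if p["ua_share"] >= MIN_UA_SHARE:
        reasons.append(f"{p['ua_share']:.0%} of impressions report one User-Agent: "
                       f"{p['top_ua']}")
    return reasons


def score_log(log):
    """Map every source in the log to its list of flags."""
    return {src: flags(p) for src, p in profile(log).items()}


if __name__ == "__main__":
    for src, p in profile(sample_log()).items():
        print(f"{src}: n={p['impressions']} ctr={p['ctr']:.2%} "
              f"mouse={p['mouse_rate']:.1%} ua_share={p['ua_share']:.0%}")
        for reason in flags(p):
            print("  FLAG:", reason)
```

Run stand-alone it prints both profiles and flags only site-a, on two grounds: mouse traces on 11.0% of impressions and a single User-Agent on 100% of them. In production the same aggregation would run over real impression logs keyed by publisher and client network, with the thresholds calibrated from a known-clean baseline rather than the guesses used here.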

“If they [the Chameleon operators] can generate a large number of clicks without the advertising network realising the clicks are fraudulent then there is potential to make a large amount of money. In many ways a botnet is ideal for generating a large number of clicks,” Graham Cluley, senior technology consultant at security firm Sophos, told TechWeekEurope.

“Hopefully the attention being given to the Chameleon botnet will wake some users up to the need to check their computers for infection, but it wouldn’t be a surprise to see even more clickfraud malware in the future.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
