Categories: SecurityWorkspace

‘Chameleon’ Botnet Pilfers Millions From Advertisers

A sophisticated botnet has made its owners at least $6.2 million ($4.09m) by forcing infected machines to click on ads.

The Chameleon botnet consists of over 120,000 bots, which are running on infected Windows PCs, sucking up traffic by running sessions in the background, clicking on ads from 202 selected websites, said London-based Spider.io.

How it works

The tactic is not new. Other malware, such as the massively prevalent ZeroAccess, has exploited pay-per-click advertising, which sees website owners paid every time an ad is clicked on. Cyber crooks create malware that clicks on these ads, on websites they own, thereby making themselves plenty of money.

Criminals will become an affiliate of advertising networks such as  Google Adwords so they can ensure their sites will serve ads of significant marketers. It’s only the marketers who lose out, as they pay both the publisher and the tricksters without gaining any benefit.

Indeed, there is a chance Chameleon is not a new threat from the perspective of other AV vendors. It could be something like ZeroAccess, but with a different name. Spider.io had not responded to a request for comment at the time of publication.

Chameleon is still a sophisticated malicious network, however. Its niftiest trick is to avoid detection by carrying out actions designed to resemble a human user. Instead of just pummeling ads with clicks, the bots carry out non-profit making activities, as a normal user would, such as visiting non-target sites.

“Individual bots run Flash and execute JavaScript. Bots generate click traces indicative of normal users,” Spider.io wrote in a blog post.

“Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02 percent; and they surprisingly generate mouse traces across 11 percent of ad impressions.”

You can see how dispersed clicks are from the following diagrams:

The bot browsers also report themselves to websites as being Internet Explorer 9.0 running on Windows 7.

“If they [the Chameleon operators] can generate a large number of clicks without the advertising network realising the clicks are fraudulent then there is potential to make a large amount of money. In many ways a botnet is ideal for generating a large number of clicks,” Graham Cluley, senior technology consultant at security firm Sophos, told TechWeekEurope.

“Hopefully the attention being given to the Chameleon botnet will wake some users up to the need to check their computers for infection, but it wouldn’t be a surprise to see even more clickfraud malware in the future.”

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago