Google loses out to Bahama botnet
Thursday 08 October 2009 | By Heidi Scott, Gosh! Media Copywriter
Click Forensics, the Internet traffic quality management company, has revealed in its blog this week that the Bahama botnet can claim web giant Google among its many victims. As well as cheating on-line advertisers out of free traffic and generating fraudulent paid clicks, the scammers, believed to be Ukrainian, are also hurting ad providers.
Click Forensics explains in its blog of 8 October, "We have conducted additional research into the behavior of the Bahama botnet and found that it acts as a sort of perverted 'Robin Hood' among ad networks by robbing ad revenue from the top-tier players and delivering fraudulent traffic to second and third-tier ad networks and publishers. Chief among the ad provider victims is the one with the biggest treasure to take: Google."
As demonstrated below, when users of infected PCs search on Google.com, they can receive strange results. The reason for this is that – although the page looks like Google.com and even says 'Google.com' in the browser's address bar – the user is not actually on Google.com at all. How can this be? Well, the answer is that the scammers are perpetrating what's known as 'DNS poisoning'.
Bahama Botnet Video
All computers using the Internet identify themselves with a set of numbers – IP addresses – which allow computers to find one another. While computers, bless them, like the simplicity of numbers, humans are quite different and find words much easier to remember. Hence the Domain Name System (DNS) was invented – by forgetful humans – in order to translate these long strings of numbers into more memorable names. When a user types 'Google.com' into a browser, the PC translates this domain name into a number – in this case, 74.125.155.99. The naughty Bahama Botnet, however, interferes with this DNS translation, causing the infected computer to mistranslate a domain name. Therefore, instead of translating 'Google.com' as 74.125.155.99, the compromised PC will translate it as 64.86.17.56 – a computer that has nothing to do with Google whatsoever and is, in fact, located in Canada.
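A defender can catch this kind of mistranslation by comparing what each machine resolves a watched name to against the address ranges that name is expected to fall in. The sketch below is an added example, not code from Click Forensics or the article; the allowlist (including the 74.125.0.0/16 range), the machine names and the sample observations are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumption: networks each watched name is expected to resolve into.
# 74.125.0.0/16 contains the genuine address quoted in the article.
EXPECTED_NETS = {"google.com": ["74.125.0.0/16"]}

# Constructed sample: (machine, queried name, address its resolver returned).
SAMPLE_OBSERVATIONS = [
    ("pc-01", "Google.com", "74.125.155.99"),
    ("pc-02", "google.com.", "64.86.17.56"),
    ("pc-02", "example.org", "192.0.2.10"),
    ("pc-03", "google.com", "74.125.155.99"),
]


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_expected(name, address, expected=EXPECTED_NETS):
    """True/False for watched names, None when the name is not watched."""
    nets = expected.get(normalise(name))
    if nets is None:
        return None
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(net) for net in nets)


def audit(observations, expected=EXPECTED_NETS):
    """Map each machine to the (name, address) pairs resolved outside the expected ranges."""
    suspects = {}
    for machine, name, address in observations:
        if is_expected(name, address, expected) is False:
            suspects.setdefault(machine, []).append((normalise(name), address))
    return suspects


def local_answers(name):
    """Addresses the OS resolver returns for name, the lookup path a browser uses."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    print(audit(SAMPLE_OBSERVATIONS))
```

On a live machine, the output of `local_answers("google.com")` can be fed to `is_expected` one address at a time; the allowlist has to be maintained from a trusted reference, since legitimate services change and add address ranges.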
Click Forensics explains, "When a user with an infected machine performs a search on what they think is Google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher. Now the searcher is looking at a page that looks exactly like the Google search results page, but it's not. A click on the apparently 'organic' results will redirect as a paid click through several ad networks or parked domains – some complicit, some not. Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred."
An interesting facet of the Bahama Botnet is that, although the scammers turn organic search listings into paid links, they don't bother to change the final destination domains of the sponsored links in the search results. This means that when an infected user clicks on one of these sponsored links, they arrive at the correct destination domain but – due to the DNS poisoning – such clicks do not go through Google's own click-counting redirect. Thus, Google does not see – and so cannot charge for – these poisoned clicks. The scammers are indeed playing Robin Hood, giving the advertiser a free click, when it should have been paid for, and losing Google its rightful revenue.