Surge in click fraud traced to Bahama Botnet

Thursday 17 September 2009 | By Heidi Scott, Gosh! Media Copywriter

Tags: Fraud, PPC

If you think that the idea of a villain in another country controlling the computer in your home is mere fiction – perhaps an ideal story line for an episode of 'Dr Who' – you need to think again!

Web traffic management specialist Click Forensics has discovered that a recent surge in click fraud traffic is due to a botnet – that is, a network (net) of software robots (bots) that operate automatically. Dubbed the 'Bahama botnet' – due to the fact that, when initially detected, it redirected traffic through 200,000 parked domains in the Bahamas – the new botnet has eluded the filters of search engines, publishers and ad networks for some time.

As in the case last weekend, 12/13 September, involving ads on the New York Times digital site, scammers used fake anti-virus software to infect computers and then exploited the network of compromised PCs to distribute malware. In its blog today, Click Forensics explains how the New York Times scam worked:

"Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directed to an authentic-looking site where they could install a program called Personal Antivirus. Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine."

As in the NYTimes.com scam, the Bahama botnet attackers tricked users into downloading malware by posing as the answer to the problem of their supposedly infected system. The anti-virus application was, however, a Trojan that would enable the scammers to take control of the users' PCs.

Researchers at Click Forensics believe that the same Ukrainian gang of cybercrooks – known as the Ukrainian fan club – was behind both scams. The company's blog explains, "We're pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus 'Windows protection' domain located on the same IP address."

According to Click Forensics, the Bahama botnet commits click fraud in various ways. Firstly, it generates paid clicks by taking users' organic searches and transforming them into paid clicks. Secondly, the botnet uses its network of infected PCs to auto-generate paid clicks without the need for human intervention.

"This scheme is one of the most sophisticated we've seen," said Paul Pellman, CEO of Click Forensics, in a statement today. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines."

Although its 'Bahama botnet' name has stuck, the scam has since been reprogrammed, redirecting traffic through intermediate sites hosted in Amsterdam, the UK and San Jose, California.

What has made the botnet so difficult to discover is that it operates intermittently, so users don't really realise that something is wrong. In addition, it can work independently of the user because the authors have built a large database of authentically user-generated search queries. As the queries come from many different IPs and a broad cross-section of the Internet population, it is extremely difficult to identify the clicks as fraudulent.

However, the auto-generated clicks were not sufficiently well disguised to evade detection by Click Forensics' anomaly detection algorithms. The company explains, "Additionally, large amounts of non-converting clicks were spotted in the data we receive from advertisers. From there, our team was able to hone in on the source of the Bahama botnet."
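The signal described above, sketched as an added example (not Click Forensics' algorithm or code): because the clicks are spread over many IPs, a per-IP count looks normal, so the check aggregates by referring site and tests whether its conversion count is implausibly low. The domain names, the 5% baseline conversion rate and the 0.001 threshold are assumptions, and the click log is constructed.

```python
from collections import defaultdict
from math import comb

def build_sample():
    """Constructed click log: (referrer, client_ip, converted). Not real data."""
    rows = []
    for i in range(200):   # ordinary publisher: 10 conversions in 200 clicks
        rows.append(("news.example", f"198.51.100.{i % 100 + 1}", i % 20 == 0))
    for i in range(300):   # intermediary site: many IPs, no conversions
        rows.append(("parked.example", f"203.0.113.{i % 150 + 1}", False))
    for i in range(20):    # small site: no conversions, but too few clicks to judge
        rows.append(("blog.example", f"192.0.2.{i + 1}", False))
    return rows

def low_conversion_sources(rows, baseline=0.05, alpha=0.001):
    """Flag referrers whose conversion count is improbably low.

    baseline is the assumed normal conversion rate; alpha is the cut-off for
    the binomial tail probability P(X <= observed conversions).
    """
    stats = defaultdict(lambda: {"clicks": 0, "conv": 0, "per_ip": defaultdict(int)})
    for referrer, ip, converted in rows:
        s = stats[referrer]
        s["clicks"] += 1
        s["conv"] += int(converted)
        s["per_ip"][ip] += 1

    report = {}
    for referrer, s in stats.items():
        n, k = s["clicks"], s["conv"]
        # Probability of seeing k or fewer conversions if the traffic were normal.
        p_value = sum(comb(n, j) * baseline**j * (1 - baseline)**(n - j)
                      for j in range(k + 1))
        report[referrer] = {
            "clicks": n,
            "conversions": k,
            # A per-IP rate limit would only ever see this number.
            "max_clicks_per_ip": max(s["per_ip"].values()),
            "p_value": p_value,
            "flagged": p_value < alpha,
        }
    return report

if __name__ == "__main__":
    for referrer, r in low_conversion_sources(build_sample()).items():
        print(referrer, r)
```

In the constructed data no IP sends more than two clicks through any referrer, yet only `parked.example` is flagged; `blog.example` also has zero conversions but too few clicks for that to be significant.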

Click Forensics claims to have approached security vendors – including Symantec and McAfee – for help to remove the malware and is also co-operating with ad networks, search engines, advertisers and online publishers to identify traffic from the botnet.
