May 28th, 2008

Botnets committing click fraud observed

Posted by Dancho Danchev @ 4:11 pm

Categories: Black Hat, Botnets, Viruses and Worms

Tags: Click Fraud, AdSense, Malware, Underground Market, Online Media, Advertising, PPC, Traffic Exchange, Dancho Danchev

What’s the current state of click fraud, and what tools and tactics do the people behind click fraud campaigns have in their arsenal? A recently analyzed affiliate based network for using botnets to commit click fraud provides a timely assessment of the situation, and provides evidential facts on the internal success rate of such a consolidated botnet. Let’s start with the current state of click fraud.

Is click fraud increasing or decreasing? According to ClickForensics, the click fraud rate has declined with 1& for Q1 of 2008, it still remains active at 27.8% for pay-per-click advertisements, with AdSense PPC model dominating the market. From their latest press release - “Click Fraud Rate Drops to 16.3 Percent; Click Fraud Rate for Content NetworksLowers to 27.8 Percent”

- The overall industry average click fraud rate was 16.3 percent for Q1 2008. That’s down slightly from the 16.6 percent rate reported for Q4 2007 and up from the 14.8 percent click fraud rate reported for Q1 2007.
- The average click fraud rate of PPC advertisements appearing on search engine content networks, including Google AdSense and the Yahoo Publisher Network, was 27.8 percent. That’s down from the 28.3 percent rate reported for Q4 2007 and up from the 21.9 percent average click fraud rate reported for Q1 2007.
- Q1 2008 click fraud traffic from botnets was 8 percent higher than click fraud traffic from botnets in Q4 2007.
- In Q1 2008, the greatest percentage of click fraud originating from countries outside North America came from Monaco (3.1 percent), Ghana (3.1 percent), and New Caledonia (2.4 percent).

As you can seen in Q1 of 2008, the click fraud traffic from botnets increased 8%, which from the perspective that I’ll provide in the context of a sample output of such a botnet, will further verify this statement given the size of what looks like several botnets consolidated into a single one while participating in an affiliation based program. Take a look at the following statistics distributed by the underground affiliate network to showcase the recent activity of its participants.

1,264,204 bots that did 3,095,194 searches and 537,764 clicks made a total revenue of $5, 495, which when deducting percentage for the affiliate coordinating the campaigns, ends up with a profit of $3,605 -  this is a great example of greedy affiliate managers taking high commissions. The entire process of connecting owners of botnets who would only dedicate a single process for the click fraud, in between the rest of the malicious activities they’d be participating in between, is made possible through web traffic exchanges, like this one covered by Brian Krebs earlier this month :

Anyone who doubts that Internet click fraud has become a big money maker should take a look at a Russian Web site called Robotraff.com, which bills itself as “the first stock exchange of Web traffic.” Set up a free account at Robotraff and you’re ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer. Or maybe you’re just getting started and you can’t be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

Buying 100k of web site visitors, and having them redirected to a single URL, where a cocktail of exploits is set up by using the most popular web malware exploitation kits ( the Small Pack, Fire Pack, Mpack, Icepack, or the Nuclear Malware kit), is exactly what such traffic exchanges get abused for, of course, in between click fraud. With the underground market dynamically evolving towards a service based economy, the affiliation based market model on a revenue sharing basis is a business model that’s becoming largely anticipated by different parties as a perfect way to connect sellers and buyers, and of course, let the affiliate network cash-in by being the intermediary that connects them. What about the money trail in the whole scammy ecosystem, as well as the current level of sophistication of the so called clickbots? The Anatomy of Clickbot.A should be considered a recommended bed time reading.