September 18th, 2009

'Bahama' botnet linked to click-fraud surge

Posted by Ryan Naraine @ 11:04 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Phishing, Spam and Phishing, Spyware and Adware

Tags: Advertisement, Search Engine, Click Fraud, Search, Ryan Naraine

Researchers at Click Forensics have stumbled upon a click-fraud botnet using a series of sophisticated redirection tricks to cheat search engine filters.

The cluster of hijacked computers, called the “Bahama botnet” because it was redirecting traffic through hundreds of thousands of parked domains in the Bahamas, has also been linked to the spike in scareware attacks, including the recent advertising server attack against the New York Times.

Here’s the explanation from Click Forensics researchers:

Clicks on organic search results are redirected through a series of parked domains across a number of top-tier ad providers (search engines and ad networks), eventually arriving at an advertiser unrelated to the original query.  The user is momentarily confused, but likely just performs the search again, this time with easy success.

What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong.  Additionally, it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries.  And because the queries come from many different machines (IPs) across a broad segment of the Internet population, it is very difficult to find and identify these clicks as fraudulent.  But these auto-generated clicks were not able to disguise themselves well enough to escape Click Forensics anomaly detection algorithms.  Additionally, large amounts of non-converting clicks were spotted in the data we receive from advertisers.  From there, our team was able to hone in on the source of the Bahama botnet.

This video shows the botnet in action:

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback (most recent of 4 Talkback(s))
Link Scanners won't be effective.
Actually the link itself is not compromised... but the DNS request is... So even if you have all the link scanners running, you will still get affected by the click-jacking...


It's easy to i... (Read the rest)
Posted by: Ceridan Posted on: 09/20/09
BotNet Redirects  brandon2781 | 09/19/09
Link Scanners won't be effective.  Ceridan | 09/20/09
Need to search from an infected machine  notlob | 09/19/09
Time for evolution of web ad models  terry flores | 09/20/09