Botnets For Click Fraud

If you’re an advertiser with the search engines, it’s bad enough that people click on your ads with no intention of buying anything. Worse, they may do this for money or to drain your advertising budget. This is click fraud. And it’s not just humans doing it anymore.

"All Warfare is based on Deception."

— Sun Tzu’s Art of War

Click Fraud

"Mesothelioma" is not a location in Transylvania. It is a rare form of cancer caused by asbestos. What does that have to do with SEO? Well, certain professionals like lawyers are very interested in optimizing their sites for such a keyword to get the eyeballs of potential customers. Since organic optimization is an intensive process, however, most litigation lawyers (drooling at the thought of a cut of a massive settlement) will simply bid as high as ten to fifteen dollars per click on pay-per-click networks.

Such a highly competitive keyword can attract unscrupulous webmasters to begin clicking on their own ads (or unscrupulous litigators clicking on their competition’s ads so as to drive their ad accounts dry). Here we have a basic form of click fraud, fraught with chances of discovery by advertisers or Google itself, with a limited amount of money that can possibly be earned. After all, how many times can you possibly click on your own ads, and how many people can you hire to click on them for you? It makes sense for perpetrators of click fraud to think that "it has to be easier than this."


Enter zombie computers and bot networks. After years (an eternity in Internet time) of using zombie computers to send spam, spammers and botmasters have networks of zombie computers that they control remotely without the users’ awareness. Now they’ve started turning their bots and zombie computers from schemes like denial of service, trust fraud, and spamming to another fraudulent venture: click fraud.

Botnets For Hire

Despite Google’s assertions otherwise, most projections of the percentage of click fraud incidences are pretty honest. Though they are just "projections," what all the projections do agree on is this: no one can really know the extent of click fraud, but it could be more than ten to fifteen percent; it could be as high as twenty percent, and it could be as low as the nine percent "detected invalid click rate" that Google’s Shuman Ghosemajumder presented to bloggers and search analysts in December 2006.

Real fraud is never discovered (once discovered, it is no longer effective). Click fraudsters would pay anything not to be discovered, and hence continue in their activities. Botmasters are willing to rent out several hundred machines to click fraud networks. Estimates so far from the Georgia Tech College of Computing, which conducts extensive research into viruses, malware and bots, say that as much as seven percent (ten million to twelve million PCs) of the computers connected to the Internet are unwitting zombie computers, and a few hundred thousand are added every week.

Fully automated spam is a more lucrative (or more widespread) business than automated click fraud. Reported cases of zombie computers have them sending spam. Georgia Tech and a few other security experts, however, noted increased cases of bots being used for click fraud. They have tracked the means of propagation and even in some cases discovered the botmaster’s URL; see here and here.

Threatening the Foundation of the Internet

Pay per click is currently the biggest form of online advertising. Money spent on online advertising is going to more than triple in the next four years (according to forecasts by Piper Jaffray). The bad press on click fraud initially came from the print press, leading to speculation that it was simply an attack from a dying medium (print) on a new and vibrant one (the Internet). While that is possible, it is by far an exaggeration. Print media is adapting, and so are television and radio. Google is still moaning about bad press, but most of the reporting on click fraud now is from web-based news sites, which are again purported to have a vested interest.

The reason the search engines (and publishers too!) are downplaying the click fraud issue is that it could destroy the whole basis of Internet advertising as we know it. The chain of interests that would love for the "click fraud" problem to continue is long: Internet publishers, venture capitalist companies who invest in these web sites, the search engines, and others.

The problem could very well be minor for all we know, but if the number of black hats on the Internet is anything to go by, the problem will increase and become more obvious as time goes on and online advertising revenue increases. We could see incidences and reactions to click fraud becoming as bad as current incidences and reactions to spam.

How the Bots Work

Let’s see how these bots perpetrate click fraud, how they are propagated, who is fighting them and what the projections are. Computers become bots when they pick up viruses or malicious software built by programmers to turn the PCs they infect into zombies. According to Symantec, two out of every ten viruses are rigged to turn PCs into zombie PCs. They are mostly spread using email or by the bots crawling the net looking for lapses in the Windows security system. Symantec also projects that more malicious code will be hidden in multimedia file formats in future incidences of virus propagation.

KMeth, Propagation and Operation

One of the bots (KMeth) that was specifically used for click fraud is spread via instant messaging (it was the bot responsible for the mesothelioma click fraud discovered by FaceTime Security). It exploits vulnerabilities in Internet Explorer to infect surfers and promotes itself through instant messages sent to the Yahoo! Messenger contacts of users that are affected by the bot. It posts messages to all of those contacts with links that, if opened, infect the computers of the users who click on them. Visitors to the site get their PCs infected.

Like all good malware, it imposes a new home page which points to fraudulent MFA sites. It also goes a step further to reduce its detectability by employing various social engineering techniques. Apart from clicking on ads and banners, the bot simply drives traffic to sites, not clicking on the ads but allowing the humans to decide what to do. This beats the search engines’ first level of detection, an automated screening process that filters out known fraudsters (human or robotic).

KMeth is primarily designed to defeat the next two (three for Google) levels of security of the search engines by spreading the clicks over a large network (a thousand computers is the smallest network a bot master will rent out) and by doing it over a period of time. Human statisticians and the advertisers who keep an eye out for irregularities in the clicks will be hard pressed to find and plug the "leaks" which exist.


In May 2006 PandaLabs detected Clickbot.A, running on at least 34,000 zombie computers. Clickbot.A is used exclusively for click fraud. The bots are controlled remotely from several web servers. The "perps" can define the number of clicks for specified "zombies" in order not to arouse suspicion, and can direct the bots to specific web sites.

The Clickbot.A bot initializes itself by launching a dynamic link library and then later deletes its executable file. Once it initializes, it updates the botmaster’s database and can even be updated itself. It also requests links to click on after checking that it has received authorization to do so. Luis Corrons (Director of PandaLabs) notes that PandaLabs detects unknown threats by complementing standard antivirus products with their TruPrevent technology, which has detected 46,000 examples of new malware since it was first released in 2004.

A Few Good Men

The SANS Institute discovered another botnet (along with the fraudulent URLs), which they reported to Google. This one has a smaller network of computers, ranging from 115 to a few hundred computers, with each system punching in around fifteen clicks. Obviously Google is taking the problem seriously, and according to them they have "secret" protocols which filter and plug fraudulent clicks.
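The pattern described here and in the KMeth and Clickbot.A sections (clicks spread over many machines, around fifteen per machine in the SANS case) is why a per-source click limit alone misses botnet traffic, while an aggregate view per publisher still exposes it. The Python below is an added example, not code from this article or from any search engine: the log fields, the thresholds and the `*.example` publisher names are assumptions, and the click log is constructed.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 20      # hypothetical per-source click limit
MIN_CLICKS = 100       # hypothetical: skip publishers with too little traffic
MIN_CONV_RATE = 0.005  # hypothetical floor; use the campaign's own baseline

def build_sample_clicks():
    """Constructed log of (source_ip, publisher, converted) tuples."""
    clicks = []
    # Ordinary publisher: 200 visitors, one click each, every 20th converts.
    for i in range(200):
        clicks.append((f"198.51.100.{i}", "news.example", i % 20 == 0))
    # Naive fraud: one address clicking 30 times.
    clicks += [("203.0.113.9", "news.example", False)] * 30
    # Distributed pattern from the text: 115 machines, 15 clicks each.
    for host in range(115):
        clicks += [(f"192.0.2.{host}", "mfa.example", False)] * 15
    return clicks

def per_ip_flags(clicks, limit=PER_IP_LIMIT):
    """Sources whose own click count exceeds the per-source limit."""
    counts = Counter(ip for ip, _, _ in clicks)
    return {ip for ip, n in counts.items() if n > limit}

def publisher_flags(clicks, min_clicks=MIN_CLICKS, min_rate=MIN_CONV_RATE):
    """Publishers with enough traffic but a conversion rate below the floor."""
    stats = defaultdict(lambda: [0, 0, set()])  # clicks, conversions, sources
    for ip, pub, converted in clicks:
        s = stats[pub]
        s[0] += 1
        s[1] += int(converted)
        s[2].add(ip)
    return {
        pub: {"clicks": n, "conversions": conv, "sources": len(sources)}
        for pub, (n, conv, sources) in stats.items()
        if n >= min_clicks and conv / n < min_rate
    }

if __name__ == "__main__":
    sample = build_sample_clicks()
    print("per-source limit flags:", per_ip_flags(sample))
    print("publisher-level flags:", publisher_flags(sample))
```

On the constructed log the per-source limit catches only the single noisy address, while the publisher-level check surfaces the 1,725 non-converting clicks that arrived fifteen at a time.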

Search engines and click fraudsters are locked in a deadly arms race, with Google detecting and the fraudsters improving their techniques. The development of botnets, however, is one which will be fought not only by the search engines, but also by other parties who have vested interests in high levels of PC security. Standalone and network PC security involves companies like Symantec, Grisoft and McAfee. Browsers also are not left out of this, as these bots take advantage of flaws in browsers and operating systems. An OS or browser that can prove it offers a marked advantage in terms of security will have a competitive advantage over any other.

Other organizations that are willing to take extra time to fight click fraud include Clickhaus. Inspired by Spamhaus, the spam reporting center, Clickhaus aims to be a proactive step towards click fraud reporting, and will provide a service giving IT professionals, advertisers and search engines the ability to report instances of click fraud, which will then be reported via a database. The organization is based in the United Kingdom.

Breaking the PPC Model

Right now search engines like Snap and Turn are working with a model where organic and paid listings are blended together in a way that is indistinguishable to the searcher. The sites currently use a CPA (cost per action) model. This model is guaranteed to reduce earnings, and has its own faults by way of security; however, it does offer an alternative to PPC programs.

I actually believe that PPC should not be thrown out altogether, but alternative models should be provided to advertisers. A lot of advertisers, however, follow the "throw dollars at PPC and go get a donut" strategy for their ad campaigns, and have no specific system for optimizing their sites’ landing pages for maximum conversion. Many times I click on seemingly relevant PPC ads, and I wonder exactly what the web site owner wants me to do when I get to the landing page. Nonetheless, they do not deserve to get their hard-earned money thrown away via bad clicks; they should lose money honestly, via bad landing pages (that’s a joke). As for paid search engines, they have to fight this war against man or machine. Let’s hope they win, because right now it’s not looking good.
