spider.io Discovers Chameleon Botnet Costing Display Advertisers over 6 Million Dollars per Month

Spider.io (www.spider.io), a London-based ad technology company, has recently reported the discovery of a new ad botnet, the Chameleon Botnet – that emulates human visitors on select websites, causing billions of display ad impressions to be served to the botnet.

The news come just after a similar discovery reported by Microsoft and Symantec, who worked together on taking down of the Bamital botnet, used to defraud PPC advertisers at scale. “[…]in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google. Because this threat exploited the search and online advertising platform to harm innocent people, Microsoft and Symantec chose to take action against the Bamital botnet to help protect people and advance cloud security for everyone“, reads the official Microsoft blog ((http://blogs.technet.com/b/microsoft_blog/archive/2013/02/06/microsoft-and-symantec-take-down-bamital-botnet-that-hijacks-online-searches.aspx)). By comparison, the Chameleon botnet reported by Spider.io appears way more damaging, with a reported monthly cost to advertisers of at least $6.2 million.

How It Works?
The Chameleon botnet works with individual bots running Flash and executing JavaScript, identifying themselves as coming from IE 9 on Windows 7 machines. They then try to replicate real, human behavior, generating clicks and even mimicking user engagement. The complex bot, unlike the more rudimentary ones, is careful to not trigger high CTR flags and sticks to the an average CTR of 0.02%. Furthermore, it is able to even generate mouse traces, thus making its identification more difficult.

Where’s the Bot?
More than 120,000 machines are reportedly infected with the Chameleon botnet, of which a massive 95% go online through residential U.S. IP addresses. According to the heat map provided by Spider.io ((http://www.spider.io/wp-content/uploads/2013/03/infections600.png)), infected machines reside mostly on the West Coast and the South of the United States.

Where’s the Damage?
Spider.io observed the Chameleon botnet active within a cluster of 202 websites or more, websites serving 14 billion ad impressions per month of which at least 9 billion were associated with the Chameleon botnet. To aggravate matters further, at least 7 million distinct ad exchange cookies are associated with the Chameleon botnet every month, with advertisers losing $0.69 CPM for ad impressions faked by the botnet.

Who’s Behind the Bot?
Long story short, we don’t quite know. What’s suspicious, to put it this way, is that the bot appears to be revolving around the 202 websites mentioned above, so one could speculate that it’s either the publishers themselves or the ad networks and exchanges they’re employing. Spider.io did not name any of these publishers (although a quick search will put you on the right track) and did not comment yet as to who might be on the list of suspects.

To find out more, see Spider.io’s initial report of the Chameleon botnet, here: http://www.spider.io/blog/2013/03/chameleon-botnet/