Click Forensics: Bahama botnet stealing traffic from Google

Compromised machines take users to a fake Google page hosted in Canada, where search "results" are masked cost-per-click ads

The Bahama botnet, a sophisticated network of compromised computers that is wreaking click-fraud havoc among advertisers, is also snatching away Web traffic and revenue right from under the nose of mighty Google, Click Forensics said Thursday.

As part of its design, the Bahama botnet not only turns ordinary, legitimate PCs into click-fraud perpetrators that dilute the effectiveness of ad campaigns. It also modifies the way these PCs locate certain Web sites through a malicious practice called DNS poisoning.

In the case of Google.com, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box.

It's not clear where the Canadian server gets these results. What is evident is that the results aren't "organic" direct links to their destinations but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains, some of which are in on the scam and some of which aren't.

Sometimes the click takes the user to the advertiser's Web site and sometimes it takes him elsewhere, Matt Graham, a Click Forensics risk analyst, said in an interview.

"Regardless, CPC fees are generated, advertisers pay, and click fraud has occurred," Click Forensics reported on Thursday in a blog posting.

As a result, a user who intended to run a legitimate search on Google ends up unknowingly involved in a click-fraud scam in which Google also loses Web traffic and ad revenue. Google isn't the only provider of CPC ads being affected.

In this way, the Bahama botnet is creating a twisted Robin Hood-type situation by robbing traffic from major ad providers and routing it to smaller players.

This novel blend of DNS-routing redirection and click fraud is an emerging trend among scammers. "As click fraud gets more sophisticated, DNS poisoning is going to be key to how click fraudsters make money," Graham said.

Click fraud usually affects marketers running CPC ad campaigns on search engines and Web sites. When a person or a computer clicks on a CPC ad with malicious intent or by mistake, that is considered click fraud.

However, if the ad provider, whether it be Google, Yahoo, Microsoft or another vendor, doesn't detect the click as fraudulent, it still gets to charge the advertiser for the click.

Thus, in this case, the Bahama botnet is affecting both parties -- the advertisers and the ad providers as well.

In some cases, however, the click doesn't register with the ad network, so the advertiser gets the click and the resulting traffic free, Graham said.

"One of the sophisticated traits of this piece of malware is that it limits the number of ads a single visitor can click on," Graham said, adding that it does this to prevent that particular computer from becoming suspicious to click-fraud filters. "If you do too much clicking, it will stop sending you through ad networks."

The motivations behind click fraud are varied. For example, in order to harm rival companies, a competitor may click on their CPC ads, knowing that they are having to pay for clicks that will not generate them any business.

Another click-fraud driver is the desire of Web publishers to increase their commissions on CPC ads by clicking on them, thus making the clicks empty of value because they're not being made by prospective customers. This scenario is likely behind the Bahama botnet, whose existence Click Forensics disclosed last month.

According to Click Forensics, which sells services to monitor ad campaigns for click fraud, the Bahama botnet is architected in such a way that allows it to dupe the most sophisticated traffic filters set up by search engines, Web publishers and ad networks.

This is because the botnet engages in certain tactics that make the rogue traffic it generates appear legitimate.

The botnet got its name from its initial routing of traffic through some 200,000 parked domains in the Bahamas. However, it now uses sites elsewhere in the world as well.

Botnets are networks of otherwise legitimate computers that have been secretly compromised with malware to perform a variety of malicious tasks.

In its worst-case scenario, the Bahama botnet has turned as much as 30 percent of an advertiser's CPC budget into click-fraud traffic, according to Click Forensics.

Google didn't immediately respond to a request for comment.

Tags Googlebotnets

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juan Carlos Perez

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?