October 09, 2009, 9:31 AM — The Bahama botnet, a sophisticated network of compromised computers that is wreaking click-fraud havoc among advertisers, is also snatching away Web traffic and revenue right from under the nose of mighty Google, Click Forensics said Thursday.
As part of its design, the Bahama botnet not only turns ordinary, legitimate PCs into click-fraud perpetrators that dilute the effectiveness of ad campaigns. It also modifies the way these PCs locate certain Web sites through a malicious practice called DNS poisoning.
In the case of Google.com, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box.
It's not clear where the Canadian server gets these results. What is evident is that the results aren't "organic" direct links to their destinations but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains, some of which are in on the scam and some of which aren't.
Sometimes the click takes the user to the advertiser's Web site and sometimes it takes him elsewhere, Matt Graham, a Click Forensics risk analyst, said in an interview.
"Regardless, CPC fees are generated, advertisers pay, and click fraud has occurred," Click Forensics reported on Thursday in a blog posting.
As a result, a user who intended to run a legitimate search on Google ends up unknowingly involved in a click-fraud scam in which Google also loses Web traffic and ad revenue. Google isn't the only provider of CPC ads being affected.
In this way, the Bahama botnet is creating a twisted Robin Hood-type situation by robbing traffic from major ad providers and routing it to smaller players.
"We are investigating and monitoring this issue just as we investigate and monitor many other botnets and schemes every day," a Google spokeswoman said via e-mail.
This novel blend of DNS-routing redirection and click fraud is an emerging trend among scammers. "As click fraud gets more sophisticated, DNS poisoning is going to be key to how click fraudsters make money," Graham said.
Click fraud usually affects marketers running CPC ad campaigns on search engines and Web sites. When a person or a computer clicks on a CPC ad with malicious intent or by mistake, that is considered click fraud.
However, if the ad provider, whether it be Google, Yahoo, Microsoft or another vendor, doesn't detect the click as fraudulent, it still gets to charge the advertiser for the click.
Thus, in this case, the Bahama botnet is affecting both parties -- the advertisers and the ad providers as well.
In some cases, however, the click doesn't register with the ad network, so the advertiser gets the click and the resulting traffic free, Graham said.
"One of the sophisticated traits of this piece of malware is that it limits the number of ads a single visitor can click on," Graham said, adding that it does this to prevent that particular computer from becoming suspicious to click-fraud filters. "If you do too much clicking, it will stop sending you through ad networks."
The motivations behind click fraud are varied. For example, in order to harm rival companies, a competitor may click on their CPC ads, knowing that they are having to pay for clicks that will not generate them any business.
Another click-fraud driver is the desire of Web publishers to increase their commissions on CPC ads by clicking on them, thus making the clicks empty of value because they're not being made by prospective customers. This scenario is likely behind the Bahama botnet, whose existence Click Forensics disclosed last month.
According to Click Forensics, which sells services to monitor ad campaigns for click fraud, the Bahama botnet is architected in such a way that allows it to dupe the most sophisticated traffic filters set up by search engines, Web publishers and ad networks.
This is because the botnet engages in certain tactics that make the rogue traffic it generates appear legitimate.
The botnet got its name from its initial routing of traffic through some 200,000 parked domains in the Bahamas. However, it now uses sites elsewhere in the world as well.
Botnets are networks of otherwise legitimate computers that have been secretly compromised with malware to perform a variety of malicious tasks.
In its worst-case scenario, the Bahama botnet has turned as much as 30 percent of an advertiser's CPC budget into click-fraud traffic, according to Click Forensics.
