Click Fraud Experts Report New Botnet

By Matthew Hines  |  Posted 2009-09-21

Experts in the field of click fraud - the use of phony traffic to drive up Web site statistics for advertising purposes - are reporting the use of a new botnet that has been designed specifically to propagate the phenomenon.

According to researchers with Click Forensics, a sophisticated new botnet, dubbed "Bahama," is driving clicks to specific Web sites using a widespread army of zombie machines. The Bahama botnet is specifically creating fraudulent search traffic from infected devices residing within U.S. libraries and schools, in addition to those belonging to individual consumers, the company said.

The botnet masks itself by posing as a legitimate source of high-quality search advertising traffic, and it accounts for a heavy share of the traffic volume going to some of the sites it funnels traffic to, according to a Click Forensics research report.

Scammers use click fraud to boost site traffic so that they can derive greater profits from advertising networks that pay commissions based on the URL impressions that they can generate for site owners.

Bahama seeks to increase its potency by varying the manner in which it channels traffic to sites to seem even more legitimate, according to the report.

"During the past four years we've monitored billions of clicks; this scheme is one of the most sophisticated we've seen," Paul Pellman, CEO of Click Forensics, said in a report summary. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines."

The company said that it recently discovered links to the malware behind the Bahama botnet in Google search results for terms including "Facebook Fan Check virus," a lure clearly aimed at users of social networks who are trying to gather information about malware attacks being carried out over the popular sites.

Click Forensics said that the involved malware program is similar to the "scareware" or "malvertising" program found last weekend among advertisements on The campaigns often try to lure users with phony AV programs that are actually Trojan attacks.

Bahama is reportedly making money for its users by generating paid clicks using normal user behavior to transform an organic search into a paid click. It can also leverage its network of bot-infected machines to programmatically auto-generate paid clicks without any human interaction, the experts noted.

"The dual nature of this botnet makes it a more powerful vehicle for committing click fraud than other kinds of click fraud botnets," they said in the report.

The company first stumbled upon the botnet after noticing a "sudden and sustained" rise in irregular traffic patterns in live click stream data from multiple sources, including ad networks and search engines as well as publisher and advertiser Web sites. It gained the "Bahama" moniker because it was initially redirecting traffic through 200,000 parked domains located in the Bahamas.

However, the botnet has since shifted to redirect traffic through URLs hosted in Amsterdam, Netherlands; the United Kingdom; and San Jose, California, the company said.

In addition, Click Forensics claims that almost no AV clients are currently stopping the malware being used to propagate the botnet itself.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |
