Bahama Botnet Discovered as Source of Click Fraud Surge

Click Forensics discovers a botnet behind a significant spike of click fraud traffic. As in the recent scam making use of, attackers are using fake antivirus software to infect PCs.

Click Forensics has found an unusually large spike in click fraud traffic coming from a new botnet apparently eluding the filters of search engines, publishers and ad networks alike.

Dubbed the "Bahama botnet," the network of compromised computers is distributing malware while masking itself as a legitimate source of search advertising traffic. According to Click Forensics, links to the malware behind the Bahama botnet were found in Google search results for "Facebook Fan Check virus."

The malware is extremely similar to the rogue anti-virus program found the weekend of Sept. 12 in advertisements on In both cases, cyber-scammers sought to trick users into downloading malware posing as the solution to their supposedly infected systems. However, the program was in fact a Trojan that would have enabled an attacker to take control of the users' computers.

"During the past four years we've monitored billions of clicks for top search engines, ad networks, publishers and advertisers. This scheme is one of the most sophisticated we've seen," Paul Pellman, CEO of Click Forensics, said in a statement Sept. 17. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines."

The Bahama botnet commits click fraud in a number of different ways, according to Click Forensics. For one, it generates paid clicks by using normal user behavior to transform an organic search into a paid click. It also uses its network of compromised machines to auto-generate paid clicks without any human interaction.

The botnet got its nickname because when it was first detected it redirected traffic through 200,000 parked domains located in the Bahamas. Since then, the botnet has been reprogrammed to redirect traffic through intermediate sites hosted in Amsterdam, the United Kingdom and San Jose, Calif. It is believed to have infected thousands of computers at this time.

Click Forensics said it has reached out to security vendors, including Symantec and McAfee, for help removing the malware. It is also cooperating with top ad networks, search engines, advertisers and online publishers to identify traffic from the botnet.