Security firm Spider.io has identified a botnet, dubbed Chameleon, which helps cybercriminals earn more than $6 million (4.6 million EUR) a month from advertisers by emulating human visitors on certain websites.
Chameleon, which has been monitored by the company since December 2012, is similar to the recently disrupted Bamital botnet
. However, unlike Bamital, Chameleon impacts display advertisers, not text-link advertisers.
So far, more than 120,000 host machines have been identified, most of which are in the US IP space.
According to Spider.io
, the botnet targets at least 202 websites with great impact. Of the total 14 billion ad impressions recorded across these sites each month, at least 9 billion are generated by the botnet.
This means that 65% of the traffic on these websites is botnet traffic. On average, advertisers pay $0.69 CPM for ad impressions served to Chameleon.
Host machines are subjected to heavy loads because each of the bots masquerades as several concurrent site visitors. This causes the bots to crash and restart regularly.
Every time a bot restarts, it requests a new set of cookies. The experts note that at least 7 million distinct ad-exchange cookies are associated with the botnet each month.
“They click on ad impressions with an average click-through rate of 0.02%; and they surprisingly generate mouse traces across 11% of ad impressions.”
Another clever thing about Chameleon is that the bots generate uniform random click coordinates across ad impression. In addition, randomized mouse traces are generated to make it appear as if a real user is visiting the website.