Click Fraud Trojans Are a Lucrative Cybercriminal Business

Security researchers from Trend Micro have recently analyzed the click fraud cybercriminal model and concluded that a medium-sized botnet can earn fraudsters several millions of dollars per year. The experts warn that such threats are evolving and are becoming harder to detect.

For their study the Trend Micro researchers analyzed the activity of an 150,000-strong click fraud botnet, which emerged this year and is still active. "This is not a huge botnet but it still generates multimillion dollars in revenue per year," Feike Hacquebord, one of the experts involved in the research, notes.

This botnet consists of computers infected with a special type of trojan known as a browser hijacker. The trojan installs itself into the browser and redirects user clicks on sponsored search results to other sites, that pay fraudsters to bring in traffic.

The mechanism is obviously more complex and these landing websites are not necessarily malicious. They belong to legit advertisers who are usually tricked into accepting the stream of fraudulent clicks, either by the botnet runners directly or by so called traffic brokers acting as intermediaries.

The cost per click (CPC) that fraudsters earn depends on the search keyword corresponding to the clicked results. For example a click on a sponsored search result for "facebook", which has almost zero return on investment for advertisers, is rewarded with a mere $0.0072. In contrast, a click on a result related to “home-based business opportunities” or “loans” can bring in as much as $2.

According to data gathered during Trend's investigation, the botnet can generate over one million clicks valued at almost $13,000 every day. That means well over $4.5 million per year. Of course, an important percentage of the revenue goes to the traffic brokers or gets reinvested in the operation, but cybercriminals are still left with a significant profit.

However, the researchers explain that maintaining such a botnet is not easy. The average life of an infection is only between 6 to 12 days. That's because click fraud activities are not very transparent and victims realize quickly that something is wrong with their browser. Botnet runners are therefore forced to infect tens of thousands of new systems daily, just to keep their operation going.

But click fraud trojan creators are coming up with new tricks that increase the life expectancy of their malware. These include DNS poisoning, which is achieved by forcing infected systems to use rogue DNS servers under the attackers' control. Another method involves replacing legit ads displayed on Web pages with others that fraudsters are being paid to direct traffic to. This is a lot harder to detect than search result-based click hijacking.

You can follow the editor on Twitter @lconstantin