Chameleon botnet costing online advertisers millions


This is pretty scary. Online security experts have identified a botnet that is stealing millions of dollars a month.

The botnet, which has been dubbed Chameleon because of its ability to fool advertisers’ tracking algorithms, has been found simulating click-throughs on over 200 websites.

Online security company Spider.io says it has been tracking the botnet since December last year. The company says that Chameleon’s ability to target display-based advertisers (as opposed to text-based advertisers) makes it a particularly notable threat.

Display advertisers use algorithms with varying degrees of complexity to target their advertising at the most appropriate website visitors. These algorithms involve continually measuring websites and their visitors to determine engagement levels with website content and with ad creatives. For the Chameleon botnet to evade detection and to impact display advertisers to the extent that it has requires a surprising level of sophistication.

A lot of money on the web comes from pay-per-click advertising, and any threat to the relationship between advertisers and the platforms they advertise on is a serious one. The 200 or so websites affected by Chameleon serve 14 billion ad impressions per month. The botnet apparently accounts for at least 9 billion of these ad impressions.

At an average rate of US$0.69 CPM, the botnet currently costs advertisers an estimated US$6.2 million a month.

Despite being able to mimic typical web user behaviour, the botnet does have limitations. According to Spider.io, all the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7 and visit the same set of websites, with little variation. Each bot often masquerades as several concurrent website visitors, each visiting multiple pages across multiple websites.
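
The traits listed above (a uniform IE 9 / Windows 7 user agent, several concurrent visitors per host, and a near-identical set of sites) can be combined into a simple screening heuristic. The sketch below is an added example, not Spider.io's method; the log layout, the thresholds and every address, site and session value in it are constructed assumptions.

```python
from collections import defaultdict

IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0 Safari/537.22"

def hits(ip, ua, n_sessions, sites, t0):
    """Constructed sample data: n_sessions visitors from one IP, each walking `sites`."""
    return [(ip, f"{ip}/{s}", ua, site, t0 + s + 5 * i)
            for s in range(n_sessions) for i, site in enumerate(sites)]

AD_SITES = ["site-a.example", "site-b.example", "site-c.example"]
# Constructed impression log rows: (ip, session_id, user_agent, site, unix_ts)
LOG = (hits("198.51.100.7", IE9_WIN7, 4, AD_SITES, 1000)            # bot-like
       + hits("198.51.100.9", IE9_WIN7, 3, AD_SITES, 1200)          # bot-like
       + hits("203.0.113.5", IE9_WIN7, 1, ["news.example"], 1100)   # one real IE9 user
       + hits("203.0.113.20", CHROME, 3, AD_SITES, 1300)            # busy, but not IE9
       + hits("203.0.113.40", IE9_WIN7, 3, ["mail.example", "shop.example"], 1400))

def is_ie9_win7(ua):
    return "MSIE 9.0" in ua and "Windows NT 6.1" in ua

def max_concurrent(spans, idle=60):
    """Peak number of sessions alive at once; a session lives from first hit to last hit + idle."""
    events = [e for first, last in spans for e in ((first, 1), (last + idle, -1))]
    peak = cur = 0
    for _, delta in sorted(events):        # on a tie, ends (-1) sort before starts (+1)
        cur += delta
        peak = max(peak, cur)
    return peak

def flag_hosts(log, min_sessions=3, min_overlap=0.8):
    """Return IPs matching all three traits. Thresholds are assumptions, not published values."""
    hosts = defaultdict(lambda: {"uas": set(), "sites": set(), "spans": {}})
    for ip, sid, ua, site, ts in log:
        h = hosts[ip]
        h["uas"].add(ua)
        h["sites"].add(site)
        first, last = h["spans"].get(sid, (ts, ts))
        h["spans"][sid] = (min(first, ts), max(last, ts))
    # Stage 1: only IE9/Win7 user agents and several concurrent visitors behind one address.
    cand = {ip: h["sites"] for ip, h in hosts.items()
            if all(is_ie9_win7(u) for u in h["uas"])
            and max_concurrent(h["spans"].values()) >= min_sessions}
    # Stage 2: keep candidates whose site set nearly equals another candidate's (Jaccard index).
    return sorted(ip for ip, s in cand.items()
                  if any(len(s & o) / len(s | o) >= min_overlap
                         for other, o in cand.items() if other != ip))

if __name__ == "__main__":
    print(flag_hosts(LOG))
```

The third trait matters most for false positives: the IE 9 host at 203.0.113.40 passes the user-agent and concurrency checks but is dropped because its sites do not overlap with any other candidate's.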

Chameleon also has implications for any machine it happens to infect. The bots subject host machines to heavy load, and the bots appear to crash and restart regularly. So far, more than 120 000 host machines have been identified, 95% of which access the web from residential US IP addresses.

Image: Yathin S Krishnappa (via Wikimedia Commons).
