Security Experts:

Connect with us

Hi, what are you looking for?



Click Fraud Botnet Intercepted 87 Million Web Searches Per Year

As online advertising has grown as an industry, so has the specter of click fraud. With botnets powering this fraudulent engine, click fraud scams can generate serious profits.

As online advertising has grown as an industry, so has the specter of click fraud. With botnets powering this fraudulent engine, click fraud scams can generate serious profits.

How much? According to researchers at Symantec, one such operation pulled in more than $46,000 in revenue between September 27, 2010 and June 27, 2011. By examining command and control (C&C) servers for the botnet, researchers revealed the operation was intercepting up to 87 million Web searches a year as it fed unsuspecting users unwanted advertisements.

Click FraudThe scam was built on Xpaj, a sophisticated virus Symantec first detected in 2009. Xpaj spreads by copying itself to executable files. Unlike other file infectors however, it works by overwriting subroutines in an infected file so that it launches only when certain functions are called.

By doing so, the malware makes itself more difficult to detect by antivirus, though for the attacker that may mean the malware does not execute as reliably, Symantec explained in a whitepaper on the operation. After executing, the malware downloaded binary data and begins monitoring Internet traffic to intercept Web searches. The intercepted data is sent to the command and control server (C&C server), which responds with an advertisement disguised as a search result. When the user clicks on the result, they are directed to a seller’s site.

The seller is then charged and the part of the money is passed on to the scammer.

“It is rare for a file infector to be used for click-fraud,” Gavin O’Gorman, a security researcher with Symantec Security Response, told SecurityWeek. “Because file infectors are so effective at spreading through a computer and across a network, they tend to be used as a delivery platform. The infected network is then typically rented out to other malware authors who use them to install their own threats. This is how W32.Virut.CF and W32.Sality.AE, the most well known file infectors, work.”

According to Symantec, the average number of searches and clicks per day from September 27, 2010 until June 27, 2011 was 241,717 and 31,177, respectively. Earnings ranged from a peak of roughly $450 per day to a low of $43, for an average of $169. Since March, those earnings have been on a decline. The current size of the botnet is unknown, O’Gorman explained, because the server Symantec obtained access to was taken offline.

Clicks from Bots

“We were curious about the drop off in numbers as well and can only assume that it is due to security vendors detecting the threat more effectively,” he said. “Generally, virus numbers tend to decline over time due to antivirus detection unless the virus is actively maintained. From our analysis of the server, the techniques used to obfuscate or ‘encrypt’ the click-fraud components have not been updated in months.”

Though it is difficult to give exact numbers, there are signs that click fraud activities are on the rise, he added.

“For example, one of the more recent ad-clicking botnets, Trojan.Tracur spiked in the last month,” O’Gorman said. “Detections were averaging around 2,000 to 3,000 a day, but jumped to a high of 42,000 at one point and are now averaging out at around 30,000.”

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.