As online advertising has grown as an industry, so has the specter of click fraud. With botnets powering this fraudulent engine, click fraud scams can generate serious profits.
How much? According to researchers at Symantec, one such operation pulled in more than $46,000 in revenue between September 27, 2010 and June 27, 2011. By examining command and control (C&C) servers for the botnet, researchers revealed the operation was intercepting up to 87 million Web searches a year as it fed unsuspecting users unwanted advertisements.
The scam was built on Xpaj, a sophisticated virus Symantec first detected in 2009. Xpaj spreads by copying itself to executable files. Unlike other file infectors however, it works by overwriting subroutines in an infected file so that it launches only when certain functions are called.
By doing so, the malware makes itself more difficult to detect by antivirus, though for the attacker that may mean the malware does not execute as reliably, Symantec explained in a whitepaper on the operation. After executing, the malware downloaded binary data and begins monitoring Internet traffic to intercept Web searches. The intercepted data is sent to the command and control server (C&C server), which responds with an advertisement disguised as a search result. When the user clicks on the result, they are directed to a seller’s site.
The seller is then charged and the part of the money is passed on to the scammer.
“It is rare for a file infector to be used for click-fraud,” Gavin O’Gorman, a security researcher with Symantec Security Response, told SecurityWeek. “Because file infectors are so effective at spreading through a computer and across a network, they tend to be used as a delivery platform. The infected network is then typically rented out to other malware authors who use them to install their own threats. This is how W32.Virut.CF and W32.Sality.AE, the most well known file infectors, work.”
According to Symantec, the average number of searches and clicks per day from September 27, 2010 until June 27, 2011 was 241,717 and 31,177, respectively. Earnings ranged from a peak of roughly $450 per day to a low of $43, for an average of $169. Since March, those earnings have been on a decline. The current size of the botnet is unknown, O’Gorman explained, because the server Symantec obtained access to was taken offline.
“We were curious about the drop off in numbers as well and can only assume that it is due to security vendors detecting the threat more effectively,” he said. “Generally, virus numbers tend to decline over time due to antivirus detection unless the virus is actively maintained. From our analysis of the server, the techniques used to obfuscate or ‘encrypt’ the click-fraud components have not been updated in months.”
Though it is difficult to give exact numbers, there are signs that click fraud activities are on the rise, he added.
“For example, one of the more recent ad-clicking botnets, Trojan.Tracur spiked in the last month,” O’Gorman said. “Detections were averaging around 2,000 to 3,000 a day, but jumped to a high of 42,000 at one point and are now averaging out at around 30,000.”