
Discovered: Botnet Costing Display Advertisers over $6,000,000 per Month - blahpro
http://www.spider.io/blog/2013/03/chameleon-botnet/
======
cletus
As much as the HN crowd might rail against walled gardens (most notably iOS)
and managed platforms like ChromeOS, every time I read one of these posts I
think that for the vast majority of people, it's the best thing for them.

Botnets typically don't spread in a sophisticated way. Most of the time it's
spam emails or dodgy ads with "hey! install this random .exe file and you can
have emoticons in Outlook!"

I think Chrome has shown us the advantages of an automatically updated
browser. The future in personal computing I think lies squarely in an
automatically updated (even managed) sandboxed environment.

This isn't to say that's right for everyone of course.

But how much fraud, extortion, DDoSing, identity theft, invasion of privacy
(e.g. RATting), etc do people need to put up with before they demand a better
way?

EDIT: to address two points:

1. Side-loading is orthogonal to the issue of a sandboxed managed
environment. I agree users should be able to side-load. Most won't know how
and won't care and that's a Good Thing [tm];

2. Sure the central server can get compromised but the thing is botnets
rarely spread in a sophisticated fashion. It's all social. The Facebooks,
Apples and Googles of the world have far more experience and a far better
track record in dealing with these kinds of threats.

~~~
martinced
_"The future in personal computing I think lies squarely in an automatically
updated (even managed) sandboxed environment."_

Until the day where the main server serving the automated updates gets
compromised and instead of serving, say, an updated Chrome, it serves a
version of Chrome which a) is compromised on the behalf of a botnet master and
b) never ever accepts any other update automatically.

Because people have been trained never to update their browser themselves
anymore they'll think everything is fine.

Because hundreds of millions --if not billions-- of people are running Chrome
suddenly you have the biggest botnet ever out there.

I find it very interesting that you fear extortion, exploits, DDoS, identity
theft, invasion of privacy and whatnots as an argument for putting something
in place which potentially can be way more destructive.

But of course this shall never happen right? Just as we haven't seen Facebook
getting penetrated and just as we've seen any major bank getting hacked right?
And rogue employees also don't exist right?

Be careful about what you wish in the future...

~~~
nemothekid
It is really just choosing between lesser of 2 evils.

1.) A million people using $BROWSER, never updating, continually downloading
free_ipad.exe

2.) A million people being owned by an intelligent hacker because of a fault
of Google, that is relatively quickly patched, and I'm sure someone will
figure out something to disable those rogue Chrome installs.

The first scenario is much, much more likely to happen, and while the second
could happen I doubt, Google would sit on their hands while it does happen.

I guess the only problem is in the second issue, it's not your fault if you got
screwed. It's your mom's, and just your mom's, problem if she downloads
free_ipad.exe, but if Google is hacked all of a sudden all your info is
compromised and it wasn't your fault.

Considering these two options however, IMO, I'd rather place my faith in
Google overloads keeping us all safe.

------
rsingel
Well that leaves the real questions: what sites were the bots clicking ads on,
who owns those sites and which ad networks were they using?

~~~
megablast
> spider.io has observed the Chameleon botnet targeting a cluster of at least
> 202 websites. 14 billion ad impressions are served across these 202 websites
> per month. The botnet accounts for at least 9 billion of these ad
> impressions.

The odd thing is that either these sites are already very big, or there are
other ways they are getting 5 billion ad impressions.

A list of these 202 websites would be informative. I guess a number of them
could be fake, to throw the scent off?

~~~
oroup
Perhaps a coincidence, but this AdWeek report[1] flags a number of "ghost
sites" that offer huge volume of impressions for sale on the exchanges and
have real advertisers but don't seem to have any actual human beings present.
One site in particular they mention usbuildingdigest.com has a very large
number of DSP and other data integrations[2]. Suggestive to say the least. A
number of other sites are mentioned in the AdWeek report.

[1] http://www.adweek.com/news/technology/meet-most-suspect-publishers-web-148032

[2] http://imgur.com/WHxmmHo

------
binarymax
Very informative and, though it is not explicitly stated, we can infer that
this evidence cuts to the point of how low some competitors will stoop to
exploit pitfalls of web advertising.

The team at spider.io has found a great niche and has impressive results - I
always enjoy seeing posts like these pop up from them. Keep up the great work!

------
kingkool68
I'm fairly confident all of the revenue from one of my sites comes from botnet
ad clicks. I use CloudFlare and when I set it up at first I used the standard
settings for blocking bots. My ad revenue flat lined. Took the botnet
protections off and my ad revenue went right back to what it was before.

~~~
GhotiFish
haha, I like this post.

Are you gonna leave it? I must admit, screwing advertisers doesn't feel so
wrong, I'm certainly no fan, but you can't ignore that it's not very ethical.

Given that it's not technically your fault, you'd very likely never get
blamed, and your actions will likely not change the world in any way, what
will you do?

------
chwolfe
Before you blacklist the IPs listed in the article, it might be worthwhile to
query your transactional history and verify real purchases are not occurring
on those addresses.

When I did this, a few of the IPs had a significant number of orders.
Interestingly, the IP with the most orders mapped to E! corporate
headquarters.

http://www.networksolutions.com/whois/results.jsp?ip=208.78.120.35
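An added illustration of the check chwolfe describes, cross-referencing a published IP list against your own order history before blocking (example code, not from the post or from spider.io; the IPs and orders are constructed from RFC 5737 documentation ranges, not the addresses in the article):

```python
"""Cross-check a published bot IP list against your own order history before
blocking it. Added example: the IPs and orders are constructed (RFC 5737
documentation ranges), not addresses from the article."""
import ipaddress
# Constructed blocklist, mixing single addresses and a CIDR as reports often do.
BLOCKLIST = ["192.0.2.10", "198.51.100.0/24", "203.0.113.77"]

# Constructed order log: (order_id, client_ip, status, amount_usd).
ORDERS = [
    ("o1001", "192.0.2.10", "paid", 49.00),
    ("o1002", "192.0.2.10", "paid", 120.00),
    ("o1003", "192.0.2.10", "chargeback", 49.00),
    ("o1004", "198.51.100.44", "paid", 15.00),
    ("o1005", "203.0.113.77", "refunded", 300.00),
    ("o1006", "203.0.113.5", "paid", 30.00),  # not covered by any entry
]

def build_networks(entries):
    """Parse entries into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def match_entry(ip, networks):
    """Return the blocklist entry (as 'a.b.c.d/len') covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in networks if addr in n), None)

def review_blocklist(entries, orders, min_paid_orders=2):
    """Per entry: completed orders, other orders, revenue, and safe_to_block.
    Entries with min_paid_orders or more real purchases are held for a human
    to check for shared NAT or corporate egress before being cut off."""
    networks = build_networks(entries)
    stats = {str(n): {"paid": 0, "other": 0, "revenue": 0.0} for n in networks}
    for _oid, ip, status, amount in orders:
        hit = match_entry(ip, networks)
        if hit is None:
            continue  # order came from an address not on the list
        if status == "paid":
            stats[hit]["paid"] += 1
            stats[hit]["revenue"] += amount
        else:
            stats[hit]["other"] += 1
    for s in stats.values():
        s["safe_to_block"] = s["paid"] < min_paid_orders
    return stats

if __name__ == "__main__":
    for entry, s in review_blocklist(BLOCKLIST, ORDERS).items():
        verdict = "block" if s["safe_to_block"] else "REVIEW FIRST"
        print(f"{entry:18} paid={s['paid']} other={s['other']} -> {verdict}")
```

In the constructed data the first address shows two completed purchases and is held for review, while the /24 and the refunded-only address clear the threshold and can be blocked.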

------
arbuge
The only guaranteed antidote to this kind of fraud is performance advertising
(pay per sale). I think pay per click and pay per impression, though arguably
useful for brand advertising, will always be vulnerable to sophisticated scams
like this.

~~~
lutusp
> The only guaranteed antidote to this kind of fraud is performance
> advertising (pay per sale).

It's guaranteed, but it probably won't work: "Thanks for doing business with
us -- by the way, where did you hear about us?" "Online, but I forget where."

Advertisers need to be able to associate an advertisement with a result.
Otherwise the effectiveness of advertising is a myth.

~~~
guelo
That's not how it works. Typically you have a referer ID in the URL which
tracks the source.

~~~
lutusp
Not when a customer walks in off the street. My point is that online tracking
seems necessary to evaluate the effectiveness of advertising. If we remove
tracking, which many people advocate, we're reduced to older methods to
evaluate advertising.

And believe me, I'm not arguing in favor of tracking -- only presenting the
most often heard argument.

------
brador
Maybe it really is just Windows users running IE 9 on Windows 7...and maybe it
just crashes on clicks sometimes because the tracking overloads it?

Do they have the bot code? I didn't see anything about where it came
from...just an assumed analysis of effect. Just saying, it might not be a bot
or malware at all.

~~~
bcherry
The analysis of click and mouse traces location distribution vs humans at the
end makes it pretty clear that these are not humans.

------
readme
The infections by state chart would be more interesting if it was per capita.

------
Nursie
A few things -

1. Why?

2\. How widespread is this in general? How long before most web advertising is
bot-fraud as users learn about ad-blockers?

3\. Didn't realise my mouse traces were being recorded by advertisers in such
detail.... I do not like this.

~~~
elmuchoprez
1.) The only "useful" application of this that I can immediately think of is
to drive up the cost per impression on your competitors. But this seems like a
very short term strategy as anyone doing meaningful online marketing is
watching the cost per acquisition (a person who actually buys something) just
as close or closer than impression cost, and your acquisition cost is going to
go through the roof if you get a bot attack.

2.) I haven't been able to find meaningful info on this yet.

3.) I work in e-commerce tech. I had NO IDEA how bad it was before I got into
this industry. Just had a sales call with a company who is tracking 400 unique
data points per second on users. They track mouse clicks, mouse movements,
what you highlight, how long on site, navigation pattern, buying behavior
from other in-network sites, page position, etc... and then use that data in
real time to dynamically generate promos and offers to "encourage buying
behavior".

~~~
Nursie
That there is quite scary! May have to investigate "NoScript" a bit more
closely...

~~~
codesuela
Ghostery should be enough and is less invasive.
<https://www.ghostery.com/download>

~~~
Nursie
Thanks for that, had heard of it before but have now investigated and I like
it!

It does automatically what I'd been manually doing with Adblock i.e. block
loading resources from facebook when not actually on facebook.com, and a whole
lot more. Useful tool.

------
jpdoctor
Using the assumption that there is never just one cockroach, what is a good
multiplier to arrive at total-fraudulent dollars-per-month?

------
epmatsw
It's interesting that the infection seems most common in the Southwest. Do
botnets like this spread geographically based on email address or physical
connection/proximity? Or are the targeted sites or infection points targeted
at users in the southwest? Or are people in the north/northeast more likely to
use anti-virus software or be savvy enough to avoid this?

~~~
claudius
They appear to have coloured states based on the number of infected hosts in
such states. Since states in the northeast are generally smaller (i.e. less
populous) than, say, California, we can assume that there are also fewer
people getting infected there.

E.g., there are approx. 1e6 people in Maine and 4e7 people in California. If
you assume 1e2 infected hosts in Maine (0-99) and 3e4 in California (>1e4,
1.2e5 in total), you get an infection rate in California of about 7.5 that in
Maine.

Given the very coarse graining in the data source, such a factor can either be
dismissed as statistical fluctuation or you could try to explain it using, for
example, an infection model that favours geographical proximity, such as one
based on Facebook friends. Furthermore, it might well be that internet
connectivity is better in California than it is in Maine and the bot prefers
hosts with high uplink rates. I don’t know :)

Edit: We don’t know what websites were targeted, but maybe they ran ads that
would prefer users from the southwest for some reason?

~~~
epmatsw
Ah, didn't realize they weren't weighted. Still, it'd be interesting to see if
the apparent bias to the southwest is statistically significant.

------
jdalgetty
Any idea what the list of 200 sites are?

------
fein
Well, that's what you get for being in the click based ads game really. At
this point, I would assume that these companies should just accept this as an
occupational hazard. It's not like they can ever really beat the bots.

~~~
elmuchoprez
"Well, that's what you get for being in the click based ads game really."

Do you find something particularly sinister or unethical about click-based ads
(more so than any advertising)?

~~~
fein
Oh no, not at all. I realize that could have come across as malignant, but it
was just supposed to be a neutral assessment.

I do freelance dev work for some guys that run ads; it's just another business
to me.

------
andreasklinger
Is the comparison valid to say botnets are the bacteria of the Internet?

~~~
JonnieCache
Botnets are inherently malicious. This is obviously not true of bacteria. But
in a way they are similar I suppose. I don't think it's a very fruitful analogy
either way.

~~~
andreasklinger
I am not sure if it can be called non-malicious but there is definitely a new
breed of botnets coming up.

e.g. <http://internetcensus2012.bitbucket.org/>

------
gluejar
I'm wondering if this might be related to the twitter spam discussed at
<https://news.ycombinator.com/item?id=5373161>

------
d23
I find this fascinating. How does chameleon infect its victims? Anyone have
further reading? Botnets seem incredibly interesting.

~~~
unix-dude
Botnets don't really infect their victims. A botnet is just a network of
compromised computers (Bots).

The malware that forces your computer to participate in the botnet can be
delivered by any avenue imaginable. Drive-By Downloads, crapware, embedded
into pirated software, etc. Not sure how chameleon specifically did it.

------
von_tenia
I wonder if Ad platform companies like adwords will see a drop in their
revenues once the Botnet will be dismantled...

~~~
lucb1e
Or perhaps an increase because ads become worth more. Fake clicks make less
sales, so if there are more sales, people can spend more on advertising. Of
course it needs to be at a very large scale for it to influence the actual
price per advertisement, but this botnet seems to be rather large-scale.

------
entropyneur
Wow, I didn't realize the arms race has reached such heights already. Looks
like the bad guys are bound to win eventually.

~~~
smtddr
There are some crazy clever schemes out there for click fraud. Check out this
link - _WARNING: NSFW IMAGES_
http://www.behind-the-enemy-lines.com/2011/03/uncovering-advertising-fraud-scheme.html

This was estimated to be making $500K a month before being found... and was a
work of pure genius.

~~~
gingerlime
Interesting read.

I'm still not sure I understood the role of the "HGTV" sites and how the
fraudster was getting money by showing the HGTV ads (even after reading the
comments on the post explaining this). Weren't the ads on those parked domains
enough to generate the revenue for the fraudster?

~~~
Panos
"Weren't the ads on those parked domains enough"?

Is greed limited?

~~~
gingerlime
It's not about that.

If the ads were only on their own domains, this could have gone undetected.
The whole thing was discovered as a result of using those 'legit' websites,
and as far as I can tell from the article, using those was an essential part
of the scam, i.e. without it, it might not work... but I'm just wondering why.

