Man
Clickbots have been present in contextual advertising since its inception and continue to plague marketers to this day. These annoying automated malicious scripts eat up advertisers' budgets, keep improving, and are not going away.
The depressing statistics of the contextual advertising market show that the damage from bots amounts to tens of billions of dollars per year and will reach 100 billion by the end of 2023. A sharp jump occurred after 2018 - at that time, fraudsters were able to empty the pockets of advertisers by 35 billion dollars.
In this article, we will tell you about the history of click bots, their role in clicking ads, and how you can protect your advertising campaigns from fraudsters.
Contents
1. What are clickbots?
1.1 What they can do
1.2 How they do it
2. Click fraud before 2006
3. Click fraud after 2006
3.1. Clickbot A
3.2. DNS Changer
3.3. Miuref
3.4. Stantinko
3.5. Bamital
3.6. Chameleon
3.7. Kovter
3.8. Methbot
3.9. 3ve (Eve)
3.10. HummingBad
3.11. HyphBot
3.12. DrainerBot
3.13. 404Bot
3.14. Tekya
3.15. And that’s not all…
4. The Impact of Bots and Networks on Advertising Campaigns
5. How to detect and block clickbots
What are clickbots
A clickbot is a type of software designed to simulate clicks on ads or perform actions on any other type of web content. They can be part of botnets designed specifically for click fraud against ad campaigns.
Not all bots are malicious. Of course, there are useful programs. For example, there are those that scan websites for errors, check links in emails for spam, and perform other automatic tasks.
But unfortunately, most clickbots are currently used for fraudulent purposes: from generating fake traffic to manipulating advertising campaigns. They seriously undermine the entire Internet ecosystem.
The simplest bots can "click" buttons, comment on articles on websites and posts on social networks (spam), or visit websites (generate web traffic). Clickbots have gone through several generations over the past few years.
Fraudsters develop more complex scripts to perform complex actions and even to imitate the behavior of real users. Such programs can browse websites, add products to the shopping cart of an online store, as well as fill out online forms and download files.
In addition to individual clickbots, there are also botnets. They are networks of devices infected with malware. Each such malware creates a new attack point from the device - a bot - and uses it to perform tasks both independently and in mass attacks (for example, DDoS).
Bots in botnets are usually controlled by an operator via a command and control server. Malware can “settle” into both data center servers and user devices such as laptops, smartphones, kettles, and other computer and household appliances with Internet access.
What can they do?
The main task of clickbots is to generate fake clicks on ads, i.e. artificially inflate traffic. They do this as if people were clicking on ads. They even behave like real users.
The gist of it is this: ads are placed on a website(s) owned by a scammer, who then “drives” invalid traffic using bots to these ads and collects payments.
The tasks of clickbots also include sending and posting spam, commenting, generating traffic on social networks. In addition, bot traffic can be used for malicious fraud, such as distributing viruses, or to carry out cybercriminal attacks, such as DDoS.
How do they do it?
Technically speaking, bots themselves are a type of virus or Trojan that infects a device with Internet access. This could be a personal computer, tablet, server, router, phone, etc.
These devices, under the control of the operator, are then used as part of a botnet for mass and large-scale click fraud on advertising or for local fraud with clicks in mobile applications. For example, click spam or click injection.
Whatever the method of the attackers, the advertiser pays for each click on the ad.
Click fraud before 2006
In the history of the Internet before 2006, there are references to click fraud, as well as the practice of placing advertisements on low-quality sites with subsequent simple clicking. Unscrupulous resource owners registered their low-quality site in Google AdSense, and then clicked the placed advertisement themselves (or hired someone to do it for them).
Even as early as 2003, there were reports of bots clicking on ads, but much of the information was based on speculation and partial research. With this information and the emerging problem of click fraud, Google hired a dedicated team to solve it.
Competitor click fraud has also plagued contextual advertising since its inception. This practice still exists today. Thus, mass click fraud as a significant global problem with multi-billion dollar damage was only a matter of time.
Click fraud after 2006
Clickbot A
Years of activity: 2006
Estimated damage: $50,000
Estimated number of infections: 100,000 computers
In 2006, Google discovered a malicious software called Clickbot A that secretly carried out click fraud attacks on syndicated search networks. The bot attacked search results on sites monetized through Google Ads. The attacks used 100,000 infected computers.
The Clickbot A botnet was the first real evidence of botnets being used to click on ads. It cost advertisers around $50,000 in damage. However, this scale pales in comparison to the larger botnets that emerged later.
DNS Changer
Years active: 2007 – 2011
Estimated damage: $14 million
Estimated number of infections: 4 million computers (Internet Explorer and Apple)
The DNS Changer botnet was created by a Russian-Estonian hacker group operating under the name Rove Digital. The attackers infected web browsers with bots to perform click fraud attacks. The malware replaced web addresses on infected devices with domains belonging to the group and displayed monetized ads.
DNS Changer operated for 4 years and blocked antivirus software updates. Vladimir Tsastin, a member of the cybercriminal group, was convicted of wire fraud and money laundering. This is one of the first court cases against botnet owners for advertising fraud.
Miuref
Years active: 2013 – present
Estimated damage: Unknown
Estimated number of infections: Unknown
Miuref, also known as Boaxxe, dies and comes back like the Terminator. It is a Trojan virus that is delivered with fake files and is used for various bot attacks on the network. In particular, it was once part of the 3ve botnet.
Miuref can mine bitcoins, steal user data, and exploit security vulnerabilities. Even though the botnet is detected and removed by antivirus programs, it continues to spread and remains a problem for Internet users.
It is unknown exactly how much damage Miuref was able to cause to the online community, as it was often used in conjunction with other botnets. However, since attackers used it for a wide range of attacks, the damage it caused would be in the billions.
Stantinko
Years active: 2012 – present
Estimated damage: Unknown
Estimated number of infections: over 500,000 devices
Another multi-purpose botnet, Stantinko, was originally used for ad fraud but has recently been repurposed for crypto mining.
Initially, it was a malicious component of Chrome browser extensions, which allowed attackers to inject third-party advertising into the sites viewed by the user. In addition, the bot was able to install adware, access WordPress and Joomla CMS sites, and perform Google searches.
The group behind this botnet has been able to keep it running for so many years thanks to code that has been cleverly hidden behind legitimate code. Stantinko is primarily targeted at Russia and Ukraine, but has also been detected outside of them.
Bamital
Years of activity: 2009 – 2013
Estimated damage: $700,000 per year
Estimated number of infections: up to 1 million PCs
The Bamital botnet was discovered by Microsoft in 2013. It is a type of malware designed to click on ads, redirecting users from search engines to ads or pages with malware. The difficulty in detecting this malware was that it was hidden on website pages and installed on the device via a drive-by download.
Experts estimate that Bamital was bringing in up to $1 million a year in revenue for its operators. The botnet's search interception technology affected search engines Google, Bing, and Yahoo.
Chameleon
Years of activity: 2013
Approximate damage: about 6 million dollars per day
Approximate number of infections: 120 thousand PCs
The Chameleon botnet was the first network of clickbots capable of imitating the behavior of real users. It targeted display advertising exclusively, which was also new.
Despite its relative simplicity, it was able to steal over 50% of advertising revenue from 200 target sites through a uniform, random series of fraudulent clicks.
Kovter
Years active: 2014 – present
Estimated damage: Unknown
Estimated number of infections: Unknown
Another botnet designed for click fraud, Kovter still exists today. Like other long-term malware, it was adept at mimicking legitimate code, including Windows registry files.
Its distinguishing feature is that it is active when the system is in "sleep mode" or "standby". The Kovter botnet is also able to turn itself off when the user starts scanning the system. This makes it difficult for standard antiviruses to detect it.
Methbot
Years active: 2015 – 2017
Estimated damage: $3 million per day (at peak)
Estimated number of infections: 1.9 thousand dedicated servers on 852 thousand fake IP addresses
Methbot was one of the largest botnets in the history of click fraud. It is the most famous piece of malware. It used infected servers to spoof website identities and generate fake video ad views.
The hacker group behind the Methbot botnet was making up to $5 million a day from invalid views, according to cybersecurity experts.
Methbot's defining feature was its ability to pass off its fake inventory as premium. It caused a major stir in the digital marketing industry. To this day, the botnet remains the standard for fraud schemes, though its successor, 3ve, eventually surpassed it to become the largest fraudulent botnet.
3ve (Eve)
Years of activity: 2017 – 2018
Estimated damage: at least $29 million
Estimated number of infections: 1.7 million computers
3ve is the most powerful botnet in the digital world, almost like ED-209 from Robocop. After the FBI neutralized Methbot, a new, larger botnet appeared: 3ve. It was run by the same team as Methbot, but the complexity of the new cyber fraud scheme was truly impressive.
It was capable of generating even more video ad views, and also managed to work even with ads.txt, actually using the lists inside it to fake inventory.
As it turned out, citizens of Russia and Kazakhstan were behind this large-scale fraudulent scheme. According to experts, the hacker group was able to earn about $29 million using the 3ve botnet.
HummingBad
Years active: 2016
Estimated damage: $300,000 per month (in 2016)
Estimated number of infections: 10 million Android devices worldwide
The HummingBad botnet clicked on ads in Google Play apps. It is a malicious program, allegedly developed by the Chinese company YingMob, to generate clicks on ads. It served as a catalyst for studying the problem of mobile app infections.
The software was not only an advertising click bot, but also had the ability to disguise the source of clicks and install software on devices without the user's knowledge. Although it was eliminated in 2016, it reappeared in 2017 under the name HummingWhale and infected more than 20 apps in the Google Play Store.
HyphBot
Years active: 2017
Estimated damage: Up to $1.2 million per day
Estimated number of infections: at least 500,000 computers in the US, UK, Netherlands and Canada
Another ad clickbot that managed to bypass ads.txt. The HyphBot botnet was 3-4 times larger than Methbot. Using the ads.txt file, attackers created domain names on which they generated fake video ad views.
The HyphBot botnet had a short period of activity, but it was enough to drain advertisers' pockets of millions of dollars.
DrainerBot
Years of activity: 2018 – 2019
Estimated damage: Unknown
Estimated number of infections: at least 10 million
The DrainerBot botnet was embedded as malware in the SDK on Android devices and avoided scanning by Google Play Protect. It played video ads in the background, consuming a lot of data and draining the device’s battery. It’s no wonder why the malware was named DrainerBot. It could use up to 10 GB of data.
All apps infected with the DrainerBot malware have been removed from the Play Store, but it is possible that this ad fraud click bot still exists…
404Bot
Years active: 2018 – present
Estimated damage: at least $15 million
Estimated number of infections: Unknown
Another botnet that exploits vulnerabilities in ads.txt. With the help of 404Bot, attackers faked the domain inventory - almost the same as HyphBot. With damage estimated at $15 million as of February 2020, it is unknown how many more millions will be withdrawn by the 404Bot botnet.
Tekya
Years of activity: 2019 – 2020
Estimated damage: Unknown
Estimated number of infections: at least 56 applications, over 1 million installations
The Tekya botnet was found in 56 Android apps, including games for children and utility apps. The malware ran in the background of the device and used a malicious clickbot called Haken to do so. Tekya was able to infect over 1 million devices, through which it carried out click attacks on visible and invisible ads, imitating the behavior of real users.
And that's not all...
In fact, this is not a complete list of botnets designed for click fraud and other types of fraud. For example, cybersecurity experts and marketers are aware of other botnets such as Judy, IceBucket or SourMint, etc. There are dozens of others, smaller, unnamed and with a short period of activity, which makes them much more difficult to detect.
The Impact of Bots and Networks on Advertising Campaigns
Clickbots and botnets can be a real headache for anyone running digital advertising campaigns, from business owners to marketing companies.
We've already said before that invalid clicks affect advertising and its budgets. Unfortunately, this also leads to many other negative consequences:
- Excessive spending of the advertising budget. This is the main problem that clickbots bring. For each invalid click on the ad, the advertiser pays money. The budget is spent, traffic grows, but this does not lead to conversions.
- Corrupted analytics. Invalid traffic data is mixed into the analytics of the advertising campaign and leads to making erroneous decisions on efficiency.
- Complicating the process of campaign optimization. Adjusting a campaign based on irrelevant data will not bring positive results, which again leads to a waste of your time and effort.
- Reduced engagement. When click bots artificially inflate the number of clicks, this can lead to a decrease in the engagement of real users.
- Ineffective advertising targeting. Adjusting targeting to the target audience based on advertising statistics that contain bot traffic leads to erroneous optimization of the advertising campaign and invalid impressions.
As we can see, clickbots not only affect advertising campaigns, but also pose a threat to marketing efforts, budgets and business development.
How to detect and block clickbots
Spotting bots in your ad statistics is no easy task. Doing it manually is nearly impossible. Every second, with every click on an ad, fraudsters are hurting advertisers and wasting their budget. Here are some practical steps you can take to spot and avoid botnets or clickers:
- Monitor your website traffic.
- Narrow your targeting.
- Limit the time your ads are shown.
- Implement CAPTCHA on the website.
These steps will help reduce the impact of bot traffic, but they cannot guarantee 100% effectiveness. In addition, manual verification and subsequent work takes a lot of time and effort, and requires the appropriate knowledge.
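One way to automate the "monitor your website traffic" step, as an added example that is not part of the original article: it flags click sources that never convert, click at machine-regular intervals, or click in bursts. The log format, thresholds and function names are assumptions, and the sample log is constructed.

```python
"""Flag suspicious ad-click sources in a click log (added illustration)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp,source IP,converted(0/1).
# The IPs come from the reserved documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:00,203.0.113.7,0
2024-03-01T10:00:30,203.0.113.7,0
2024-03-01T10:01:00,203.0.113.7,0
2024-03-01T10:01:30,203.0.113.7,0
2024-03-01T10:02:00,203.0.113.7,0
2024-03-01T10:02:30,203.0.113.7,0
2024-03-01T10:02:00,198.51.100.23,0
2024-03-01T10:02:01,198.51.100.23,0
2024-03-01T10:02:03,198.51.100.23,0
2024-03-01T10:02:04,198.51.100.23,0
2024-03-01T10:02:08,198.51.100.23,0
2024-03-01T10:02:09,198.51.100.23,0
2024-03-01T10:05:00,192.0.2.90,0
2024-03-01T10:47:12,192.0.2.90,0
2024-03-01T12:15:40,192.0.2.90,1
2024-03-01T15:02:03,192.0.2.90,0
2024-03-01T18:30:55,192.0.2.90,0
2024-03-01T11:10:00,192.0.2.44,0
2024-03-01T13:42:19,192.0.2.44,1
2024-03-01T16:05:51,192.0.2.44,0
"""

# Assumed thresholds; tune them against your own traffic baseline.
MIN_CLICKS = 5       # skip sources with too little data to judge
MAX_CV = 0.10        # gap stdev/mean below this looks machine-regular
BURST_CLICKS = 5     # this many clicks ...
BURST_WINDOW_S = 60  # ... inside this many seconds counts as a burst

def parse_log(text):
    """Group (timestamp, converted) events by source IP."""
    by_ip = defaultdict(list)
    for line in text.strip().splitlines():
        ts, ip, conv = line.split(",")
        by_ip[ip].append((datetime.fromisoformat(ts), conv == "1"))
    return by_ip

def has_burst(times):
    """Sliding window over sorted timestamps looking for a click burst."""
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > BURST_WINDOW_S:
            start += 1
        if end - start + 1 >= BURST_CLICKS:
            return True
    return False

def flag_sources(text):
    """Return {ip: [reasons]} for sources showing at least one signal."""
    report = {}
    for ip, events in parse_log(text).items():
        if len(events) < MIN_CLICKS:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        reasons = []
        # Paid clicks that never lead to a conversion.
        if not any(converted for _, converted in events):
            reasons.append("no_conversions")
        # Near-constant spacing between clicks (low coefficient of variation).
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_CV:
            reasons.append("regular_timing")
        # Many clicks packed into a short window.
        if has_burst(times):
            reasons.append("burst")
        if reasons:
            report[ip] = reasons
    return report

if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

A flagged source is a candidate for review or IP exclusion in the ad platform, not proof of fraud; bots that imitate real users can stay under all three thresholds.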