Online Extra: Click Fraud's Next Frontier

Botnet herders can turn networks of compromised computers into a marauding force of practically undetectable ad clickers

By Ben Elgin

If you place an advertisement on Google (GOOG) or Yahoo! (YHOO), and you're paying the search giants each time somebody clicks, it would be nice to know that the clicker is a human being who might actually purchase your product. Unfortunately, there are no such assurances.

The search engines routinely maximize their profits by recycling ads to millions of other Web sites, whose owners get a percentage from each click. And some of those secondary sites are run by scam artists who enlist people to click repeatedly on the ads. So you end up paying Google or Yahoo for those clicks, the fraudsters get a cut, and there's no positive impact on the sales of your product.

The search engines are trying to crack down on this phenomenon, known as click fraud. But the basic scam is already migrating to a higher technological plane. Search engines, marketers, and law-enforcement agencies are increasingly worried about networks of automated miscreants called "botnets." These are groups of computers that have been infected by malicious software that allows the fraudsters to seize control.

Typically, the botnet operator, or "bot herder," uses the compromised computers to send large volumes of spam e-mails or to spy on computer users for financial information, which can be sold on the Internet. Over 3 million computers on the Net today are believed to be part of a botnet, with 200,000 new machines being added each month, according to Tokyo-based security firm Trend Micro.

More and more of these botnets are now branching into click fraud. In some cases, the bot herders may set up their own bogus Web sites and instruct the compromised computers to click on the sites' ads. In other cases, the bot herder rents its network out to other Web site owners, who use it to generate the fake clicks.

Large botnets can generate ad clicks that are nearly indistinguishable from genuine human clicks, say security experts. That's because the clicks are traced back to actual computers. And a bot herder can spread the clicks across its thousands of computers, instead of relying on the same machines for numerous clicks, which might send up a red flag among ad firms.

"The clicks you get from botnets look like real traffic," says Paul Henry, vice-president for strategic accounts at San Jose-based Secure Computing (SCUR).

Yahoo acknowledges that botnets are difficult to detect. That's because fresh PCs are constantly being infected and linked to botnets, providing click fraudsters with an ever-growing supply of remote-control computers. But Yahoo also notes that its analysts are actively researching and monitoring botnets, and says its filters are able to block many botnet clicks before advertisers are charged.

The rare identification of one such botnet this summer illustrates the risk to advertisers. Two computer security companies—Panda Software and RSA Security—teamed up and uncovered a network of infected machines, estimated to include at least 103,000 computers.

The computers were running a program dubbed Clickbot.A, which caused them to access certain Web sites and click on the ads appearing on them. Each computer had been instructed by the bot herder's software to stop at 20 clicks. That would total over 2 million clicks, which translates into hundreds of thousands, if not millions, of dollars in ad revenues getting siphoned from legitimate advertisers to the scam artists.

This particular botnet had been instructed to click on ads at a number of adult-oriented sites, which were delivered by a common Web address:, according to Panda officials. This would bring up adult sites, such as and Both of these sites are registered to a possibly-fictional entity dubbed BeatOn in Kirov, Russia. Attempts to reach the Web-site owners were not successful.

Because most of the targeted sites carried ads from Google, the security companies decided to turn the information over to them. Shuman Ghosemajumder, the search engine's manager for trust and safety, confirms the search giant communicated with Panda but won't say how Google handled the situation. "Google took steps to mitigate this and protect our advertisers," he says, declining to provide any specifics.

Although this particular botnet is considered defused, the perpetrators are still at large and could be anywhere in the world. It's a sobering thought for online marketers, whose spending on this medium reaches new heights every quarter.

Elgin is a correspondent in BusinessWeek's Silicon Valley bureau
