Click fraud is the bane of the advertising industry. Publishers depend on display advertising to generate revenue. By displaying relevant advertising, they hope to encourage their users to click through to the advertiser’s landing page. Each such click is registered by the advertising network, and the network and publisher share the advertiser’s payment between them.

Determining whether a click on an advert was generated by a human is both difficult and essential. Advertisers don’t want to pay for clicks from sources that are never going to purchase their products. For advertising networks and the publishers however, there exists the incentive to increase click-through by whatever means they can. One of the most popular methods of generating fraudulent clicks is through the use of botnets, and in a recent announcement,, an analytics company, related their discovery of one such botnet that was targeting a group of 200 sites.

The botnet, named Chameleon, runs on 120,000 hacked machines, mostly located in the United States. Each of those machines runs a bot that consists of a web client capable of running both Flash and JavaScript. These unusually sophisticated bots are responsible for at least 65% of the visits to the 200 sites in question. The identity of those sites has not been released because it’s not clear whether the publishers, the advertising network, or a third party are responsible. It’s estimated that the botnet is costing advertisers at least $6 million dollars per month.

Although the bots are sophisticated, they leave behind them tell-tale traces in the data that signals their artificiality to analysts. One such trace can be seen from visualizations of the way mouse clicks are registered on adverts. Human-made clicks tend to cluster around features of interest like calls-to-action, whereas the bots click randomly within the advert. While this doesn’t implicate any one click as suspect, the aggregate image of the clicks paints a very different picture to that of human interaction.

There’s not yet any indication of how the botnets constituent machines were infected but Chameleon is reminiscent of the similar Bamital botnet that was taken down by Microsoft and Symantec earlier in the year. In that case, the infections were mostly the result of drive-by downloads and malware payloads hidden in files from peer-to-peer networks.

The question of who is responsible is more difficult to decide. Both the site publishers and the advertising networks stand to gain from the vastly inflated number of clicks, but it’s unclear which party is the active participant in the fraud and which is merely benefiting as a side effect.