Botmasters play into false advertising

Bots can be used to generate fake site visits and deceive advertisers, leading them to be overcharged for ads that are not viewed by humans. In addition, systems in Asia-Pacific are more vulnerable to such attacks due to its higher software piracy rate.

Security watchers also point to ad publishers which have directed bot traffic to their own sites to boost fake clicks for more advertising money.

A study by Solve Media published in late-September noted about 10 percent of total Web traffic was from bots. This translated to a potential waste of US$1.5 billion for advertisers, it said.

Sugiarto Koh, regional director for Asean and North Asia at Sourcefire, explained how bots can affect advertisers.

Botmasters use a network of infected machines to commit click fraud, making a high volume of automated requests for specific ads or ad networks, Koh said.

Simple advertising-related bot activities include reloading the ad many times to increase view count, he said. More sophisticated attacks, include simulating ad clicks which give advertisers a false impression of popularity and dramatically increase their costs, as they are charged more each time an ad is clicked than it is viewed, he said.

Eryin Halmen, regional manager for Southeast Asia, Hong Kong and Taiwan at Corero Network Security, added advertisers pay additional surcharges to Web site owners or ad publishers when the ad gets more hits.

Halmen added: "It has been observed ad hosts have even attacked their own Web sites to increase their advertising revenue."

Koh agreed, citing a study by the Sourcefire Vulnerability Research Team (VRT) published in late-2011. He said the team's ongoing malware research found machines infected in a lab environment saw four times more traffic from legitimate servers than malicious ones. The majority of the legitimate servers belonged to advertising companies, he added.

"While it is nearly impossible to conclude with 100 percent certainty how much of this traffic was intentional click fraud, it's safe to assume a large percentage of that traffic was in fact designed to manipulate advertising statistics," said Koh.

Asia more vulnerable to bots
The Solve Media study noted Asian countries such as Singapore, the Philippines and Taiwan saw a higher percentage of bot traffic compared to those in the Middle East or the United States.

In Singapore, for instance, bots were responsible for 56 percent of total Web traffic. In Taiwan, this figure stood at 54 percent while the Philippines clocked 43 percent. In contrast, bot traffic accounted for 33 percent of Web traffic in the United Arab Emirates, 29 percent in Saudi Arabia, and 16 percent in the United States.

However, Koh noted infected systems and bots were distributed evenly around the world. "Geography means very little to most attackers, who can easily infect machines in any corner of the globe," he said.

Halmen agreed, adding that the ability to spoof the source of IP address meant the country where bot traffic occurred would not really matter. However, he added a large number of bot-infected machines from particular countries in Asia made the list regularly.

Koh said a system was more vulnerable to bot infection if it had not been patched or was not running up-to-date antivirus. He added parts of the world with higher piracy rates tend to have more bots, as pirated copies of software such as Microsoft Windows do not receive security updates and are less likely to be running current antivirus, Koh said.

Publishers, advertisers play role in combating bots
Kwee Anping, Singapore associate manager for systems engineering at Symantec, said marketing and media was one of the top 10 industries affected by targeted e-mail attacks. Citing the Symantec Internet Security Threat Report Volume 17, Kwee added with online advertising agencies relying heavily on the Web to deliver content, they need to safeguard themselves against a wide spectrum of Web-based attacks.

He said companies need to secure their Web sites against man-in-the-middle attacks and malware infection. This includes implementing always-on SSL (Secure Sockets Layer), scanning the Web site for malware, and setting secure flag for all session cookies.

Corero Network Security's Halmen said online advertising industry must ensure ads are not placed on malware-infected Web sites and their ads cannot be infected with malware.

He added advertisers should ensure publishers of the Web sites hosting their ads have good security practices in place. "It would be advisable to think twice about advertising on sites with little, or any security, in place," he said.

Sourcefire's Koh said anti-bot measures include simple methods such as filtering abnormal User-Agent string, which are part of the HTTP protocol designed to identify a browser and can be changed by many bots to non-standard values. Other measures include rate-based blocking, and more complex algorithms based on factors present in a series of ad requests.

"That said, a great deal of research is being done to identify click fraud from botnets," he said.

Koh noted the industry can benefit by partnering the research community to implement techniques discovered through research and to help provide sample data that will assist researchers.

"Attackers have no problem sharing data in pursuit of better results so victims should be doing the same," he said.