Chameleon botnet fakes website visits to leave advertisers $6m a month worse off

Summary: Security researchers have discovered the Chameleon botnet, which is delivering fraudulent clicks and display ad mouse rollovers.

TOPICS: Security

Security researchers have found a relatively small botnet that they claim is defrauding online advertisers of up to $6m a month by mimicking website visitor traits, such as clicking or rolling a mouse over display ads.

A fraud analytics firm has dubbed the ad-fraud botnet Chameleon, which it says is the first botnet to hit online display advertising rather than text-based advertising.

The company worked with display ad exchanges and demand-side platforms to investigate "deviant consumption" of display advertising, and in February discovered the extent of the botnet's activity, which it claims accounts for nine billion fraudulent display ads served a month.

Chameleon operates from 120,000 infected hosts that are exploited to bombard certain websites with billions of fraudulent visits, according to the firm.

"The bots subject host machines to heavy load, and the bots appear to crash and restart regularly. The bots largely restrict themselves to the 202 target websites," the company says.

The bots all report themselves as Internet Explorer 9.0 running on Windows 7 and use Flash and JavaScript to generate signs of human activity, such as clicks and "mouse traces" or rollovers on advertisements. However, the firm's analysis of the bots' mouse movements shows that they are suspiciously uniform.

"The bots visit the same set of websites, with little variation. The bots generate uniformly random click co-ordinates across ad impressions and the bots also generate randomised mouse traces," the firm notes.
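The uniformly random click co-ordinates described above are a usable detection signal, because human clicks tend to cluster on a few parts of an ad. The following is an added example, not code from the article or the researchers: it runs a chi-square uniformity test on per-site click positions, and the ad size, grid, thresholds, site names and sample clicks are all constructed assumptions.

```python
import math
import random
from collections import defaultdict

AD_W, AD_H = 300, 250   # assumed ad slot size in pixels
COLS, ROWS = 6, 5       # grid the ad is divided into for the test


def chi_square_uniform(clicks, w=AD_W, h=AD_H, cols=COLS, rows=ROWS):
    """Chi-square statistic of click positions against a uniform grid."""
    counts = [0] * (cols * rows)
    for x, y in clicks:
        cx = min(int(x * cols / w), cols - 1)
        cy = min(int(y * rows / h), rows - 1)
        counts[cy * cols + cx] += 1
    expected = len(clicks) / len(counts)
    stat = sum((c - expected) ** 2 / expected for c in counts)
    return stat, len(counts) - 1


def looks_uniform(clicks, sigmas=5.0, min_clicks=300):
    """True when clicks are statistically indistinguishable from uniform noise."""
    if len(clicks) < min_clicks:
        return False  # too few samples to judge either way
    stat, df = chi_square_uniform(clicks)
    # A chi-square variable with df degrees of freedom has mean df, variance 2*df.
    return stat <= df + sigmas * math.sqrt(2 * df)


def flag_sites(events):
    """events: iterable of (site, x, y). Returns sites with uniform click maps."""
    by_site = defaultdict(list)
    for site, x, y in events:
        by_site[site].append((x, y))
    return sorted(s for s, c in by_site.items() if looks_uniform(c))


def sample_events(seed=7, n=2000):
    """Constructed data: one site with uniform clicks, one with clustered clicks."""
    rng = random.Random(seed)
    ev = [("bot-site.example", rng.uniform(0, AD_W), rng.uniform(0, AD_H))
          for _ in range(n)]
    for _ in range(n):  # human-like clicks cluster on a button near (150, 200)
        x = min(max(rng.gauss(150, 25), 0), AD_W - 1)
        y = min(max(rng.gauss(200, 20), 0), AD_H - 1)
        ev.append(("human-site.example", x, y))
    return ev


if __name__ == "__main__":
    print(flag_sites(sample_events()))
```

A uniform click map alone is a weak signal on low-traffic sites, which is why the check refuses to decide below `min_clicks`.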

The nine billion ad impressions served to the botnet each month make up more than half the 14 billion the 202 websites collectively serve per month. The firm estimated the $6m a month cost of fraud to advertisers based on a rate of $0.69 per thousand impressions.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.


1 comment
  • So where is the so-called "Windows 7 security" looming?

    You can't claim that they were "only old XP machines". The majority of new botnets are indeed based on captured Windows 7 and Windows Vista computers. You can't hide behind the back of Windows XP.

    "All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7."

    Surely not all were Windows 7, but many, probably most of them, were. And the IE browser is very good for that purpose. Hardly even 15% of Windows PCs in the western world are using Windows XP now.