Chameleon botnet fakes website visits to leave advertisers $6m a month worse off

Security researchers have discovered the Chameleon botnet, which is delivering fraudulent clicks and display ad mouse rollovers.

Security researchers have found a relatively small botnet that they claim is defrauding online advertisers of up to $6m a month by mimicking website visitor traits, such as clicking or rolling a mouse over display ads.

A fraud analytics firm has dubbed the ad-fraud botnet Chameleon, which it says is the first botnet to hit online display advertising rather than text-based advertising.

The company worked with display ad exchanges and demand-side platforms to investigate "deviant consumption" of display advertising, and in February discovered the extent of the botnet's activity, which it claims accounts for nine billion fraudulent display ads served a month.

Chameleon operates from 120,000 infected hosts that are exploited to bombard certain websites with billions of fraudulent visits, according to the company.

"The bots subject host machines to heavy load, and the bots appear to crash and restart regularly. The bots largely restrict themselves to the 202 target websites," the company says.

The bots all report themselves as Internet Explorer 9.0 running on Windows 7 and use Flash and JavaScript to generate signs of human activity, such as clicks and "mouse traces" or rollovers on advertisements. However, the company's analysis of the bots' mouse movements shows that they are suspiciously uniform.

"The bots visit the same set of websites, with little variation. The bots generate uniformly random click co-ordinates across ad impressions and the bots also generate randomised mouse traces," the company notes.
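The uniformly random click co-ordinates described above are a usable detection signal, because human clicks cluster around the clickable parts of an ad. The following is an added example, not code from the researchers: a chi-square uniformity test over click positions grouped by user agent. The 300x250 ad size, the 4x4 grid, the thresholds, the cohort key and the sample data are all assumptions constructed for illustration.

```python
import random
from collections import defaultdict

AD_W, AD_H = 300, 250          # assumed creative size in pixels
GRID = 4                       # 4x4 grid: 16 cells, 15 degrees of freedom
CHI2_CRIT = 37.697             # chi-square upper 0.1% critical value, df=15
MIN_CLICKS = 400               # keeps the expected count per cell at >= 25

def chi2_uniform(points):
    """Pearson chi-square statistic of click positions against a uniform grid."""
    counts = [0] * (GRID * GRID)
    for x, y in points:
        col = min(int(x * GRID / AD_W), GRID - 1)
        row = min(int(y * GRID / AD_H), GRID - 1)
        counts[row * GRID + col] += 1
    expected = len(points) / (GRID * GRID)
    return sum((c - expected) ** 2 / expected for c in counts)

def suspicious_cohorts(clicks):
    """clicks: iterable of (user_agent, x, y). Returns {user_agent: statistic}
    for cohorts whose click positions cannot be told apart from uniform noise."""
    by_ua = defaultdict(list)
    for ua, x, y in clicks:
        by_ua[ua].append((x, y))
    flagged = {}
    for ua, pts in by_ua.items():
        if len(pts) < MIN_CLICKS:
            continue                     # too few clicks for the test to mean anything
        stat = chi2_uniform(pts)
        if stat < CHI2_CRIT:             # uniformity not rejected: no human clustering
            flagged[ua] = stat
    return flagged

def sample_clicks(seed=1):
    """Constructed data: one uniform cohort, one clustered near a button."""
    rng = random.Random(seed)
    bot_ua = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    human_ua = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    clamp = lambda v, hi: max(0.0, min(v, hi - 1))
    clicks = [(bot_ua, rng.uniform(0, AD_W), rng.uniform(0, AD_H)) for _ in range(2000)]
    clicks += [(human_ua, clamp(rng.gauss(220, 30), AD_W), clamp(rng.gauss(200, 25), AD_H))
               for _ in range(2000)]
    return bot_ua, human_ua, clicks

if __name__ == "__main__":
    bot_ua, human_ua, clicks = sample_clicks()
    for ua, stat in suspicious_cohorts(clicks).items():
        print(f"uniform click pattern (chi2={stat:.1f}): {ua}")
```

A flagged cohort is a lead for review rather than proof of fraud; in practice the signal is stronger when combined with the other traits reported here, such as a single user agent and a fixed set of visited sites.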

The nine billion ad impressions served to the botnet each month make up more than half the 14 billion the 202 websites collectively serve per month. The company estimated the $6m a month cost of fraud to advertisers based on a rate of $0.69 per thousand impressions.