Security researchers have found a relatively small botnet that they claim is defrauding online advertisers of up to $6m a month by mimicking website visitor traits, such as clicking or rolling a mouse over display ads.
Fraud analytics firm Spider.io has dubbed the ad-fraud botnet Chameleon, which it says is the first botnet to hit online display advertising rather than text-based advertising.
The company worked with display ad exchanges and demand-side platforms to investigate "deviant consumption" of display advertising, and in February discovered the extent of the botnet's activity, which it claims accounts for nine billion fraudulent display ads served a month.
Chameleon operates from 120,000 infected hosts that are exploited to bombard certain websites with billions of fraudulent visits, according to Spider.io.
"The bots subject host machines to heavy load, and the bots appear to crash and restart regularly. The bots largely restrict themselves to the 202 target websites," the company says.
"The bots visit the same set of websites, with little variation. The bots generate uniformly random click co-ordinates across ad impressions and the bots also generate randomised mouse traces," Spider.io notes.
The nine billion ad impressions served to the botnet each month make up more than half the 14 billion the 202 websites collectively serve per month. Spider.io estimated the $6m a month cost of fraud to advertisers based on a rate of $0.69 per thousand impressions.
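The uniformly random click co-ordinates Spider.io describes are a trait a defender can test for. The sketch below is an added example, not Spider.io's method: it runs a chi-square goodness-of-fit test per traffic source and flags sources whose clicks show no hot spot. The 300x250 ad slot, the source labels, the sample data, and the premise that genuine clicks cluster around part of the creative are all assumptions.

```python
import random
from collections import defaultdict

AD_W, AD_H = 300, 250          # assumed ad slot size in pixels
GRID = 5                       # 5 x 5 cells -> 24 degrees of freedom
CHI2_CRIT = 51.18              # chi-square critical value, df=24, p=0.001
MIN_CLICKS = 5 * GRID * GRID   # at least 5 expected clicks per cell

def chi_square(clicks):
    """Pearson chi-square statistic of click positions against a uniform grid."""
    counts = [0] * (GRID * GRID)
    for x, y in clicks:
        col = min(int(x * GRID / AD_W), GRID - 1)
        row = min(int(y * GRID / AD_H), GRID - 1)
        counts[row * GRID + col] += 1
    expected = len(clicks) / (GRID * GRID)
    return sum((c - expected) ** 2 / expected for c in counts)

def flag_uniform_sources(events):
    """Return {source: statistic} for sources whose clicks fit a uniform spread."""
    by_source = defaultdict(list)
    for source, x, y in events:
        by_source[source].append((x, y))
    flagged = {}
    for source, clicks in by_source.items():
        if len(clicks) < MIN_CLICKS:
            continue  # too few clicks for the test to mean anything
        stat = chi_square(clicks)
        if stat < CHI2_CRIT:  # cannot reject uniformity: no hot spot at all
            flagged[source] = stat
    return flagged

def sample_events(seed=7):
    """Constructed data: one uniform clicker, one clustered, one sparse."""
    rng = random.Random(seed)
    events = [("src-uniform", rng.uniform(0, AD_W), rng.uniform(0, AD_H))
              for _ in range(2000)]
    for _ in range(2000):  # clicks clustered around an assumed button position
        x = min(max(rng.gauss(220, 25), 0), AD_W - 1)
        y = min(max(rng.gauss(200, 25), 0), AD_H - 1)
        events.append(("src-clustered", x, y))
    events += [("src-sparse", rng.uniform(0, AD_W), rng.uniform(0, AD_H))
               for _ in range(20)]
    return events

if __name__ == "__main__":
    for source, stat in flag_uniform_sources(sample_events()).items():
        print(f"{source}: chi-square {stat:.1f}, click spread looks uniform")
```

A uniform spread is one signal to combine with others the article mentions, such as a source visiting the same small set of sites with little variation; it is not proof of automation on its own.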