Here's how Bahama's click fraud scheme steals ad revenue from Google and its advertisers according to ClickForensics:
However, in the case of the Bahama Botnet, this DNS translation method gets corrupted. The Bahama botnet malware causes the infected computer to mistranslate a domain name. Instead of translating “Google.com” as 18.104.22.168, an infected computer will translate it as 22.214.171.124. That number doesn’t represent any computer owned by Google. Instead, it represents a computer located in Canada.
When a user with an infected machine performs a search on what they think is google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher. Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not. A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains -- some complicit, some not. Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred.