A Botnet Primer for Display Advertisers

“Data Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is by Douglas de Jager, Founder of Spider.io

Botnets are the biggest contributor to online display advertising fraud today. Rentable botnets are the most unnerving and surprising contributor.

DirectorsLive.com provides an illustrative example of the growing botnet problem. The DirectorsLive.com domain name was registered in August 2009, and the website became active shortly after. Since then, DirectorsLive has been reporting traffic growth rivaling that of Pinterest.com, arguably the fastest growing standalone website ever.  At the beginning of this year, six billion display ad impressions were being served across DirectorsLive each month, which is more than most of the largest demand-side platforms and performance advertisers buy each month. It turns out that the recently exposed Chameleon botnet was responsible for almost every single one of those six billion display ad impressions.

What’s A Botnet?

There is currently some confusion across the industry about whether all automated website traffic counts as botnet traffic. There are, in fact, two different automated ways to surf the Web.

The first way is to deploy your automated surfer across computers that you own or control legitimately. Googlebot is an example of this type of automated surfer. The Alexa crawler, which surfs the Web from Amazon EC2 IP addresses, is another. Both Googlebot and the Alexa crawler are well-behaved in that they announce themselves as automated agents when they visit websites. They do this by including the tokens Googlebot and ia_archiver in their respective user-agent headers. Announcing themselves this way is a courtesy rather than proof, since the user-agent string is set by the client and anyone can claim to be Googlebot; Google’s own guidance is to verify a claimed Googlebot by a reverse DNS lookup of the requesting IP address (the hostname should end in googlebot.com or google.com), followed by a forward lookup confirming that the hostname resolves back to the same address. Not all automated surfers deployed across legitimately controlled machines are as well-behaved. Some have user-agent headers suggesting that they are human-powered browsers. However, even those are comparatively easy to identify because they run from a finite, largely enumerable set of IP addresses, typically cloud provider ranges or Tor exit nodes, both of which are published.

The second automated way to surf the Web is to deploy your automated surfer across an illegal botnet. Botnets are collections of compromised PCs controlled without their owners’ consent. Cybercriminals use these hijacked PCs to perform various tasks without the knowledge of the computers’ owners.

Automated surfers deployed across botnets are markedly more troubling than automated surfers deployed across legitimately owned or rented computers. This is because botnet surfers use real people’s PCs, giving them residential or corporate IP addresses that appear on no published list of cloud or Tor ranges. They typically have regular browser user-agent headers. They may even surf websites using the cookies of the unsuspecting PC owner, so that to an ad server the traffic carries a real, aged identity. If a botnet controller has taken control of someone’s PC, all manner of disturbing things are possible on that computer.
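The distinction drawn in the two paragraphs above can be put into a first-pass triage of an impression log. The example below is added here and is not spider.io’s code; the log format (IP address, tab, user-agent), the IP ranges and the log lines are all constructed for illustration, and the ranges are not real cloud or Tor ranges. It classifies each impression as a declared crawler, as undeclared automation from a known cloud or Tor range, or as unresolved. The last bucket is the point: a botnet-driven browser on a residential address with a normal user-agent passes both network-layer checks, so it lands there alongside real people, and nothing at this layer separates the two.

```python
"""
First-pass triage of display-ad impressions by the two network-layer
signals available: a self-declared crawler token in the User-Agent header,
and membership of the source IP in a known cloud or Tor exit range.

Added example, not spider.io's code. The log format, IP ranges and log lines
are constructed for illustration; the ranges are not real cloud or Tor ranges.
"""
import ipaddress
from collections import Counter
from typing import Iterable, Tuple

# Well-behaved crawlers announce themselves with a token in the User-Agent.
# Note that a token proves nothing on its own: any client can set this header.
DECLARED_BOT_TOKENS = ("Googlebot", "ia_archiver")

# Constructed stand-ins for published cloud provider and Tor exit-node ranges
# (TEST-NET addresses). A real deployment would load the published lists.
KNOWN_AUTOMATION_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical "cloud" range
    ipaddress.ip_network("198.51.100.0/26"),  # hypothetical "Tor exit" range
]


def classify(ip: str, user_agent: str) -> str:
    """Classify one impression by its network-layer signals.

    Returns one of:
      'declared-bot'             - crawler that announces itself in the UA
      'undeclared-cloud-or-tor'  - browser-like UA from a known automation range
      'malformed-ip'             - unparsable source address
      'unresolved'               - ordinary browser UA on an ordinary address,
                                   which is exactly what a botnet surfer looks like
    """
    if any(token in user_agent for token in DECLARED_BOT_TOKENS):
        return "declared-bot"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed-ip"
    # 'in' is False for a mismatched address family, so IPv6 sources simply
    # fall through to 'unresolved' against these IPv4 ranges.
    if any(addr in net for net in KNOWN_AUTOMATION_RANGES):
        return "undeclared-cloud-or-tor"
    return "unresolved"


def parse_line(line: str) -> Tuple[str, str]:
    """Split a constructed 'ip<TAB>user-agent' log line into its two fields."""
    ip, ua = line.rstrip("\n").split("\t", 1)
    return ip, ua


def triage(lines: Iterable[str]) -> Counter:
    """Count impressions per class over an iterable of log lines."""
    counts: Counter = Counter()
    for line in lines:
        ip, ua = parse_line(line)
        counts[classify(ip, ua)] += 1
    return counts


# Constructed sample log: two declared crawlers, one browser-like UA from the
# "cloud" range, one from the "Tor" range, and two that look like real people
# on residential addresses (one of which could be a botnet PC; nothing here
# can tell).
SAMPLE_LOG = [
    "192.0.2.10\tMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "192.0.2.11\tia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)",
    "203.0.113.77\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.36",
    "198.51.100.9\tMozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
    "192.0.2.200\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0",
    "192.0.2.201\tMozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31",
]

if __name__ == "__main__":
    for cls, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{cls:25s} {n}")
```

Everything in the unresolved bucket has to be judged on behaviour (what the browser does on the page and across pages over time) rather than on where it comes from or what it calls itself, which is why the botnet case is the hard one.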

Enterprise-Grade Botnets For Rent

A research paper published late last year, “Russian Underground 101,” detailed some unnerving facts about the state of botnet use today. These details were subsequently explored in an article titled “A Beginner’s Guide to Building Botnets.”

The paper and the article reveal that it’s now possible to rent enterprise-grade botnets in much the same way that one would rent cloud computing resources from, say, Amazon Web Services, Google Compute Engine or Windows Azure. The controllers of the most infamous botnets such as Zeus, Carberp and SpyEye have shifted from running criminal operations themselves to selling the crimeware to others. According to the paper, the first month of botnet operation typically costs $595, followed thereafter by a monthly price of $225.

The rentable botnets are disturbingly enterprise-grade to the extent that they come with 24/7 technical support, monitoring services and auto-patching.

Some botnets come with A/B test harnesses and partial roll-out facilities. These allow the renters of botnets to respond quickly to any new defensive efforts taken to combat botnet activity. For example, some social networks have seen their defenses probed in an effort to reverse-engineer the rules that social networks use to identify and block fake profiles. Once the rules have been discovered and a social network’s defenses have been breached, the full force of the botnet is then used to generate large quantities of fake profiles.

There are indications that some botnets may also come with what amounts to a scheduling layer (described as a form of software virtualization), so that when renters upload code to the botnets, this code is rotated periodically across machines. Rotation reduces the chance of a careless renter exposing a PC as hijacked, because no PC runs the same task for long. Across the Chameleon botnet, for example, activity moves from machine to machine every two or three days.

An App Marketplace For Cybercriminals

Not only are enterprise-grade botnets available for rent, there is also a disturbingly rich app marketplace for these rentable botnets.

Cybercriminals can buy apps (typically sold as kits, such as injector kits) for denial-of-service attacks, apps for spam emails, apps for credit-card theft, apps for banking fraud, apps for fake profile generation across social networks, apps for click fraud and apps for display advertising fraud. These apps typically cost less than $100, and ongoing support for an app often costs less than $10 per month.

These apps mean that very little technical ability is now required to commit botnet-driven cybercrime.

Apps For Display Advertising Fraud

The botnet apps for display advertising fraud already are surprisingly sophisticated and will doubtless become only more sophisticated over time. These botnet apps include their own Web browsers, manipulating the metrics that display advertisers use to optimize their buying.

Some of these apps exploit the retargeting strategies of specific advertisers. Here’s how it works: Let’s say a retargeting advertiser is running a campaign for one of its products. The automated surfer first visits the product webpage and appears to make an incomplete purchase, spurring the advertiser to try buying ad space on websites visited by the automated surfer in a futile attempt to get it to complete the purchase.

Many unwanted situations are possible when a real person’s PC has been hijacked, and there are strong indications that some botnet apps are already gaming CPA metrics. This possibility is currently under investigation.

Do Botnets Only Affect Long-Tail Websites?

Many in the industry have asked whether botnets only impact the websites of nefarious publishers. Indications are that this is not always the case.

Following the disclosure of the Chameleon botnet, someone from one of the affected publisher groups came forward to explain how that botnet’s traffic came to reach the group’s websites, and how the group in turn ended up selling Chameleon botnet traffic to two of the Web’s most high-profile sites. This person even provided details of a traffic laundering network.

It appears that cybercriminals may be renting botnets and selling fake traffic to others in the form of cheap pay-per-click traffic, much like the pay-per-click traffic sold to text-link advertisers by Google.com. The buyer of the botnet-generated traffic may sell this to someone else, who in turn may sell it to someone else again. Ultimately, a publisher will buy the traffic, and this publisher may or may not know the traffic is fake.

These traffic laundering details are being investigated.

Concluding Thoughts

In the early 2000s, click farms were regarded as the biggest threat to the integrity of online advertising. In 2004, Google’s CFO warned, “Something has to be done about [click fraud] really, really quickly, because I think, potentially, it threatens our business model.” The display advertising ecosystem needs to act swiftly to tackle botnet fraud today.



1 Comment

  1. Douglas: Did you ever wonder why intelligence agencies don’t publish their methodologies for catching terrorists?