Click bots have been a thorn in the side of PPC marketers since the start. These pesky automated troublemakers zap the budget of businesses and have become increasingly sophisticated in recent years.
This has led to alarming levels of click fraud losses for advertisers. It is estimated that the global losses due to click fraud will reach 100 billion U.S. dollars in 2023. This is a significant increase from the 35 billion reported in 2018.
In this post, we’ll look at a list of the most famous examples of click bots over time, their impact on ad campaigns today, and how you can avoid them.
What is a click bot?
A click bot is a type of software program designed to simulate user clicks on ads or other types of web content.
In some cases, click bots can be beneficial. For example, some of them perform useful activities online, such as scanning websites for errors, tracking links in emails to detect spam, or automating tasks.
However, the majority of click bots nowadays are used for fraudulent purposes. From fake traffic to manipulating ad campaigns, these bots are seriously harming the online ecosystem.
They can be used to perform simple tasks like clicking on buttons, posting comments (spambots), or visiting websites (bot traffic). But, fraudsters are creating more sophisticated bots which can carry out more complex tasks and even mimic real user behavior. This can include ‘browsing’ a website, adding items to shopping baskets, or completing forms and downloads.
In addition to individual click bots, there are also botnets. They are networks of interconnected bot programs, which can perform tasks either individually or as a unit. These bots are often run from a command and control (C&C) center by a human operator. The bots themselves might be embedded on servers in a data center, or they can also be presented on infected user devices such as laptops and smartphones.
What do click bots do?
The main goal of click bots is to deceive ad campaigns by generating fake clicks. They are conducted in a such way that it looks like the ad is being clicked by a real user.
In the case of PPC fraud, the focus is fraudulent clicks on ads (display, video, or text/search results). These ads are normally embedded on a website owned by a fraudster. The idea is that the fraudster then collects the payout for the clicks (or video impressions) on the ads that his site is hosting.
Some other activities that click bots perform include generating bot traffic for social media, engaging with websites, and spamming or commenting.
This bot traffic can also be used for more malicious fraud such as distributing copies of themselves and spreading the virus. It can also perform cybercrime-related activities such as denial of service (DDoS) attacks.
How do these click bots work?
The bots themselves are technically a type of virus, or Trojan, usually embedded on an internet-connected device such as a computer, tablet, server, or cellphone.
The bots from these devices can then be either used as part of a network to click on these ads, en masse. Or, they can carry out localized click fraud, for example within an app (known as click injection or click spamming).
Whatever the technique, every ad click costs an advertiser, somewhere in the world, some money…
Click fraud pre-2006
Most mentions of click fraud before 2006 are related to the practice of hosting ads on a low-quality site (or sites), and then clicking them en masse to collect the payout.
This tended to be quite simple, with fraudulent publishers signing up their low-quality site for Google AdSense and then clicking the ads themselves (or hiring someone to do it for them).
Even in 2003, there are mentions of bots clicking on these ads but much of the information is based on assumptions and partial research. And so, knowing there was a big problem with click fraud and ad fraud, Google employed a dedicated team to tackle the growing problem.
Competitor click fraud has also been a problem since the early days of pay-per-click, with the practice becoming commonplace today.
So, it was just a matter of time before click bots started to proliferate and become a bigger problem…
Click fraud post-2006
- Years active: 2006
- Estimated cost: $50,000
- Estimated infections: 100,000 computers
In 2006, Google detected malicious software called Clickbot A that conducted low-noise click fraud attacks on syndicated search networks.
The bot targeted search results on Google-provided sponsored sites, with around 100,000 machines powering it.
Clickbot A was the first real evidence of click fraud botnets and caused an estimated $50,000 worth of fraud. However, it pales in comparison to the more massive botnets that emerged later.
- Years active: 2007-2011
- Estimated cost: $14 million
- Estimated infections: 4 million computers (both Internet explorer and Apple devices)
The DNS Changer scam was created by e team of Estonians and Russians known as Rove Digital who infected web browsers with ad fraud bots.
The botnet changed infected devices’ web addresses to domains owned by the gang and displayed ads that earned commissions.
The DNS Changer ran for 4 years, with features that prevented anti-virus updates. Vladimir Tsastin, a member of the group, was convicted of wire fraud and money laundering. It is one of the first court cases against an ad fraud bot network.
- Years active: 2013 – present
- Estimated cost: Unknown
- Estimated infections: Unknown
Miuref, also known as Boaxxe, is a Trojan that can be delivered through fake documents and used for various online bot attacks. It was notably part of the 3ve botnet campaign and can also mine Bitcoin, steal data, and exploit security vulnerabilities.
Despite being detectable and removable by antivirus software, Miuref remains a problem and continues to spread.
It’s unclear exactly how much financial damage has been caused by Miuref, as it is often used in conjunction with other botnets. And, as it isn’t specifically a PPC campaign bot clicker, its financial impact will be in the multiple billions.
- Years active: 2012 – present
- Estimated cost: Not known
- Estimated infections: 500,000+ machines
Another multi-use botnet, Stantinko has been identified as being behind a number of ad fraud campaigns but has recently shifted over to crypto mining.
Initially, it was detected as a malware component in Chrome extensions, which facilitated ad injection. Additionally, the bot is capable of installing adware, accessing WordPress and Joomla sites, and performing Google searches.
The gang behind this botnet has managed to keep it going for so many years as the code for the bot is hidden within reams of legitimate code. Stantinko affects mostly Russia and Ukraine, but has also been found on systems outside of these areas.
- Years active: 2009 – 2013
- Estimated cost: $700,000 per year
- Estimated infections: Up to one million desktop machines
Bamital, a type of malware that committed click fraud by redirecting search engine users to ads or pages with malware, was discovered by Microsoft in 2013.
This bot evaded detection by hiding in web pages and being installed through ‘drive by’ downloads.
The botnet was estimated to be generating up to $1 million per year for its operators. Bing, Yahoo, and Google searchers were affected by the search-hijacking technique employed by Bamital.
- Years active: 2013
- Estimated cost: Around $6 million per day
- Estimated infections: 120,000 desktop machines
The Chameleon botnet, one of the initial click bots to mimic user behavior, targeted display ads, which was groundbreaking as text ads were the norm.
Despite being relatively simple, it diverted over 50% of the ad revenue from 200 targeted sites through a uniform random series of fraudulent clicks and rollovers.
- Years active: 2014 – present
- Estimated cost: Not known
- Estimated infections: Unknown
Another click fraud botnet that has been leveraged by other bigger campaigns, Kovter is still out there. Like other long-lasting malware, Kovter has managed to hide in long lines of code, including Windows registry files.
It’s a particularly clever bot that does its damage when the system is in ‘sleep’ or ‘standby’ mode. Kovter can also shut itself down whenever a system scan is started, making it hard to be found by standard virus scanners.
- Years active: 2015-2017
- Estimated cost: $3 million per day at the peak
- Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses
Methbot, the infamous botnet, used infected servers to fake website identities and generate fake video ad impressions. The group behind Methbot reportedly earned up to $5 million a day through these fake impressions.
Methbot’s distinctive characteristic was its ability to pass off its fake inventory as legitimate premium inventory. Its massive scale alarmed the digital marketing industry, and it remains the standard for click fraud schemes, although its successor, 3ve, eventually surpassed it as the largest fraudulent network.
- Years active: 2017-2018
- Estimated cost: At least $29 million
- Estimated infections: 1.7 million hacked computers
As Methbot was being shut down by the FBI, a new and bigger ad fraud network came to the fore. 3ve was actually run by most of the same team behind Methbot, but the complexity of this scheme was truly impressive.
3ve was capable of even more video impressions and also managed to work despite ads.txt – actually using ads.txt lists to spoof inventory.
It turned out that a team of Russian and Kazakh nationals were behind this huge scam, making an estimated $29 million from the efforts.
- Years active: 2016
- Estimated cost: $300,000 per month in 2016
- Estimated infections: 10 million Android devices worldwide
HummingBad, a malware allegedly created by Chinese company YingMob to inflate ad clicks, highlighted the issue of mobile app infections.
The software was not only an ad bot clicker but also had the ability to disguise click origins and potentially install software on devices without user knowledge.
Although shut down in 2016, it resurfaced as HummingWhale in 2017 and infected over 20 Google Play store apps.
- Years active: 2017
- Estimated cost: Up to $1.2 million per day
- Estimated infections: At least 500,000 computers in the US, UK, Netherlands and Canada
Another ad clicker that managed to get around ads.txt, HyphBot was thought to be around 3 or 4 times bigger than Methbot.
It exploited ads.txt lists to generate composite domain names, creating fake video ad impressions. The creators utilized an existing botnet network to click ads.
HyphBot ran for a short time but managed to embezzle millions of dollars in fraudulent ad revenue before eventually disappearing.
- Years active: 2018 – 2019
- Estimated cost: Not known
- Estimated infections: At least 10 million infections when discovered
DrainerBot as a malware botnet was embedded in a software development kit (SDK) found in Android devices.
The botnet evaded Google’s Play Protect checks and committed ad fraud by playing video ads in the background (using lots of data and battery power in the meantime). It’s no strange why the malware earned the name DrainerBot. It could use up to 10GB of data and was draining battery life quickly.
All apps identified as containing DrainerBot have been removed from the Play Store, but it is possible this ad clicker bot is still out there…
- Years active: 2018 – present
- Estimated cost: At least $15 million
- Estimated infections: Not known
Another botnet targeting the weak links in ads.txt, this bot clicker spoofs domain inventory in a similar way to HyphBot. In fact, it seems that 404 Bot is capable of passing several different preventative techniques and continues to deplete marketing funds as we speak.
With damage at an estimated $15 million as of February 2020, how many more millions will be siphoned off by 404 Bot?
- Years active: 2019-2020
- Estimated cost: Not known
- Estimated infections: At least 56 apps, over 1 million downloads
Tekya, a clicker bot, was found in 56 Android apps, including children’s games and utility apps. It engaged with ads without user knowledge, using a clicker malware called Haken.
Tekya committed click fraud on over 1 million downloads since May 2019, clicking on visible and invisible ads to mimic user behavior.
And this isn’t all….
This list of click bots and ad fraud networks isn’t even definitive. We haven’t even mentioned Judy, a malware based ad clicker from South Korea who was allegedly distributed by an app developer to inflate their ad revenue.
Some other know that we haven’t mentioned are IceBucket or SourMint, both recent botnets that have caused havoc. There are dozens of smaller botnets that don’t have a name or don’t run long enough for the authorities to find them.
The impact of these types of bots on paid campaigns
Click bots can be a total headache for everyone who is running online ads. From advertisers that run PPC campaigns for clients to small business owners running their own ads, up to marketing teams managing multiple marketing activities.
We’ve already mentioned that fake clicks mainly affect PPC ads and their budgets. Unfortunately, this also leads to many more negative effects. Below are the top ones you should aim to avoid:
- Waste of marketing budgets: The main pitfall of click bots. Every time a click bot generates a fake click, it’s wasting your ad budget.
- Misleading analytics: Fake click data is also incorporated into your analytics. This gives you incorrect insights, leading to poor decision-making.
- Challenging optimization process: Campaign optimization based on irrelevant data won’t bring a positive outcome. This again leads to a waste of your time and efforts.
- Decreased engagement: When the click bots artificially increase click-through rates, it can lead to decreased engagement from real users.
- Ineffective ad targeting: Adjusting audience targeting due to bot traffic can harm your other marketing optimization efforts as well.
As we can see, click bots are not just affecting your ad campaigns like Google Ads or Facebook Ads, but they are a threat to your overall marketing efforts as well.
That’s why it is important to prevent them from happening in the first place.
How to detect and block click bots
Detecting bot clicks can be a challenging task, but it’s not impossible. Here are some actionable steps that you can take to detect and avoid click bots:
- Monitor Your Website Traffic: Keep track of your website’s traffic to detect suspicious patterns, such as sudden increases in clicks or clicks coming at unusual times of the day.
- Narrow down your targeting: With more specific audience targeting it’s easier to detect when clicks are coming from unusual audience groups.
- Limit your ad runtime: By not running your ads 24/7, you can limit the possibilities of some click bots that are scheduled at specific times to access them.
- Implement CAPTCHAs: CAPTCHAs are a popular way to prevent bots from accessing your website. The most basic forms usually include image or text recognition tests to verify that the user is human.
While these steps can help to reduce the impact of bot traffic, it’s essential to note that they cannot guarantee 100% effectiveness. We’re also aware that implementing them can be difficult and time-consuming.
Fortunately, this whole process can be streamlined with ClickCease. ClickCease is a bot detection tool designed to mitigate and block bot clicks in real-time.
If you want to keep your PPC ads (or any other marketing activity) free of click bots, check the free trial here. You can take a look at exactly how many fake clicks your ads are getting before you sign up.
Make sure your PPC ad spend is only being seen by genuine human eyes, not clicker bots or click farm workers.