Click bots have been a thorn in the side of PPC marketers since the start. These pesky automated troublemakers zap the budget of businesses and have become increasingly sophisticated in recent years.
This has led to alarming levels of click fraud losses for advertisers. It is estimated that global losses due to click fraud will reach 100 billion U.S. dollars in 2023, a significant increase from the 35 billion reported in 2018.
In this post, we’ll list the most famous examples of click bots over time, their impact on ad campaigns today, and how you can avoid them.
What is a click bot?
A click bot is a type of software program designed to simulate user clicks on ads or other types of web content.
In some cases, click bots can be beneficial. For example, some of them perform useful activities online, such as scanning websites for errors, tracking links in emails to detect spam, or automating tasks.
However, the majority of click bots nowadays are used for fraudulent purposes. From fake traffic to manipulating ad campaigns, these bots seriously harm the online ecosystem.
They can be used to perform simple tasks like clicking on buttons, posting comments (spambots), or visiting websites (bot traffic). But, fraudsters are creating more sophisticated bots that can carry out more complex tasks and even mimic real user behavior. This can include ‘browsing’ a website, adding items to shopping baskets, or completing forms and downloads.
In addition to individual click bots, there are also botnets. These are networks of interconnected bot programs that can perform tasks individually or as a unit. These bots are often run from a command and control (C&C) center by a human operator. The bots themselves might be embedded on servers in a data center, or they can also be presented on infected user devices such as laptops and smartphones.
What do click bots do?
The main goal of click bots is to deceive ad campaigns by generating fake clicks. They are conducted in a way that makes it look like the ad is being clicked by a real user.
In the case of PPC fraud, the focus is fraudulent clicks on ads (display, video, or text/search results). These ads are normally embedded on a website owned by a fraudster. The idea is that the fraudster then collects the payout for the clicks (or video impressions) on the ads that his site is hosting.
Some other activities that click bots perform include generating bot traffic for social media, engaging with websites, and spamming or commenting.
This bot traffic can also be used for more malicious fraud, such as distributing copies of themselves and spreading viruses. It can also perform cybercrime-related activities, such as denial of service (DDoS) attacks.
How do these click bots work?
The bots themselves are technically a type of virus or Trojan, usually embedded on an internet-connected device such as a computer, tablet, server, or cellphone.
The bots from these devices can then be either used as part of a network to click on these ads en masse. Or, they can carry out localized click fraud, for example, within an app (known as click injection or click spamming).
Whatever the technique, every ad click costs an advertiser, somewhere in the world, some money…
Click fraud pre-2006
Most mentions of click fraud before 2006 are related to the practice of hosting ads on a low-quality site (or sites) and then clicking them en masse to collect the payout.
This tended to be quite simple, with fraudulent publishers signing up their low-quality site for Google AdSense and then clicking the ads themselves (or hiring someone to do it for them).
Even in 2003, there were mentions of bots clicking on these ads, but much of the information is based on assumptions and partial research. Knowing there was a big problem with click fraud and ad fraud, Google employed a dedicated team to tackle the growing problem.
Competitor click fraud has also been a problem since the early days of pay-per-click (PPC), with the practice becoming commonplace today.
So, it was just a matter of time before click bots proliferated and became a bigger problem…
Click fraud post-2006
- Years active: 2006
- Estimated cost: $50,000
- Estimated infections: 100,000 computers
In 2006, Google detected malicious software called Clickbot A that conducted low-noise click fraud attacks on syndicated search networks.
The bot targeted search results on Google-provided sponsored sites, with around 100,000 machines powering it.
Clickbot A was the first real evidence of click fraud botnets, causing an estimated $50,000 worth of fraud. However, it pales in comparison to the more massive botnets that emerged later.
- Years active: 2007-2011
- Estimated cost: $14 million
- Estimated infections: 4 million computers (both Internet Explorer and Apple devices)
The DNS Changer scam was created by a team of Estonians and Russians known as Rove Digital, which infected web browsers with ad fraud bots.
The botnet changed infected devices’ web addresses to domains owned by the gang and displayed ads that earned commissions.
The DNS Changer ran for 4 years, with features that prevented anti-virus updates. Vladimir Tsastin, a member of the group, was convicted of wire fraud and money laundering. It is one of the first court cases against an ad fraud bot network.
- Years active: 2013 – present
- Estimated cost: Unknown
- Estimated infections: Unknown
Miuref, also known as Boaxxe, is a Trojan that can be delivered through fake documents and used for various online bot attacks. It was notably part of the 3ve botnet campaign and can also mine Bitcoin, steal data, and exploit security vulnerabilities.
Despite being detectable and removable by antivirus software, Miuref remains a problem and continues to spread.
It’s unclear exactly how much financial damage Miuref has caused, as it is often used in conjunction with other botnets. And, as it isn’t specifically a PPC campaign bot clicker, its financial impact will be in the multiple billions.
- Years active: 2012 – present
- Estimated cost: Not known
- Estimated infections: 500,000+ machines
Another multi-use botnet, Stantinko has been identified as being behind a number of ad fraud campaigns but has recently shifted over to crypto mining.
Initially, it was detected as a malware component in Chrome extensions, which facilitated ad injection. Additionally, the bot can install adware, access WordPress and Joomla sites, and perform Google searches.
The gang behind this botnet has managed to keep it going for so many years as the code for the bot is hidden within reams of legitimate code. Stantinko affects mostly Russia and Ukraine but has also been found on systems outside these areas.
- Years active: 2009 – 2013
- Estimated cost: $700,000 per year
- Estimated infections: Up to one million desktop machines
Bamital, a type of malware that committed click fraud by redirecting search engine users to ads or pages with malware, was discovered by Microsoft in 2013.
This bot evaded detection by hiding in web pages and being installed through ‘drive-by’ downloads.
The botnet was estimated to generate up to $1 million per year for its operators. Bamital’s search-hijacking technique affected Bing, Yahoo, and Google searchers.
- Years active: 2013
- Estimated cost: Around $6 million per day
- Estimated infections: 120,000 desktop machines
The Chameleon botnet, one of the initial click bots to mimic user behavior, targeted display ads, which was groundbreaking as text ads were the norm.
Despite being relatively simple, it diverted over 50% of the ad revenue from 200 targeted sites through a uniform random series of fraudulent clicks and rollovers.
- Years active: 2014 – present
- Estimated cost: Not known
- Estimated infections: Unknown
Kovter is another click fraud botnet that has been leveraged by bigger campaigns. Like other long-lasting malware, it has managed to hide in long lines of code, including Windows registry files.
It’s a particularly clever bot that does its damage when the system is in ‘sleep’ or ‘standby’ mode. Kovter can also shut itself down whenever a system scan is started, making it hard for standard virus scanners to find it.
- Years active: 2015-2017
- Estimated cost: $3 million per day at the peak
- Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses
Methbot, the infamous botnet, used infected servers to fake website identities and generate fake video ad impressions. The group behind Methbot reportedly earned up to $5 million a day through these fake impressions.
Methbot’s distinctive characteristic was its ability to pass off its fake inventory as legitimate premium inventory. Its massive scale alarmed the digital marketing industry, and it remains the standard for click fraud schemes, although its successor, 3ve, eventually surpassed it as the largest fraudulent network.
- Years active: 2017-2018
- Estimated cost: At least $29 million
- Estimated infections: 1.7 million hacked computers
As Methbot was being shut down by the FBI, a new and bigger ad fraud network came to the fore. 3ve was actually run by most of the same team behind Methbot, but the complexity of this scheme was truly impressive.
3ve was capable of even more video impressions and also managed to work despite ads.txt – actually using ads.txt lists to spoof inventory.
It turned out that a team of Russian and Kazakh nationals was behind this huge scam, and the team made an estimated $29 million from its efforts.
- Years active: 2016
- Estimated cost: $300,000 per month in 2016
- Estimated infections: 10 million Android devices worldwide
HummingBad, a malware allegedly created by Chinese company YingMob to inflate ad clicks, highlighted the issue of mobile app infections.
The software was not only an ad bot clicker but also had the ability to disguise click origins and potentially install software on devices without user knowledge.
Although shut down in 2016, it resurfaced as HummingWhale in 2017 and infected over 20 Google Play store apps.
- Years active: 2017
- Estimated cost: Up to $1.2 million per day
- Estimated infections: At least 500,000 computers in the US, UK, Netherlands and Canada
Another ad clicker that managed to get around ads.txt, HyphBot, was thought to be three or four times bigger than Methbot.
It exploited ads.txt lists to generate composite domain names, creating fake video ad impressions. The creators utilized an existing botnet network to click ads.
HyphBot ran for a short time but managed to embezzle millions of dollars in fraudulent ad revenue before eventually disappearing.
- Years active: 2018 – 2019
- Estimated cost: Not known
- Estimated infections: At least 10 million infections when discovered
DrainerBot, as a malware botnet, was embedded in a software development kit (SDK) found in Android devices.
The botnet evaded Google’s Play Protect checks and committed ad fraud by playing video ads in the background (using lots of data and battery power in the meantime). It’s no strange why the malware earned the name DrainerBot. It could use up to 10GB of data and was draining battery life quickly.
All apps identified as containing DrainerBot have been removed from the Play Store, but this ad clicker bot may still be out there…
- Years active: 2018 – present
- Estimated cost: At least $15 million
- Estimated infections: Not known
Another botnet targeting the weak links in ads.txt, this bot clicker spoofs domain inventory in a similar way to HyphBot. In fact, it seems that 404 Bot is capable of passing several different preventative techniques and continues to deplete marketing funds as we speak.
With an estimated $15 million in damage as of February 2020, how many more millions will be siphoned off by 404 Bot?
- Years active: 2019-2020
- Estimated cost: Not known
- Estimated infections: At least 56 apps, over 1 million downloads
Tekya, a clicker bot, was found in 56 Android apps, including children’s games and utility apps. It engaged with ads without user knowledge, using a clicker malware called Haken.
Since May 2019, Tekya has committed click fraud on over 1 million downloads, clicking on visible and invisible ads to mimic user behavior.
And this isn’t all….
This list of click bots and ad fraud networks isn’t even definitive. We haven’t even mentioned Judy, a malware-based ad clicker from South Korea that was allegedly distributed by an app developer to inflate their ad revenue.
Some other known botnets that we haven’t mentioned are IceBucket or SourMint, both recent botnets that have caused havoc. There are dozens of smaller botnets that don’t have a name or run long enough for the authorities to find them.
The impact of these types of bots on paid campaigns
Click bots can be a total headache for everyone running online ads. From advertisers that run PPC campaigns for clients to small business owners running their own ads to marketing teams managing multiple marketing activities.
We’ve already mentioned that fake clicks mainly affect PPC ads and their budgets. Unfortunately, this also leads to many more negative effects. Below are the top ones you should aim to avoid:
- Waste of marketing budgets: The main pitfall of click bots. Every time a click bot generates a fake click, it’s wasting your ad budget.
- Misleading analytics: Fake click data is also incorporated into your analytics. This gives you incorrect insights, leading to poor decision-making.
- Challenging optimization process: Campaign optimization based on irrelevant data will not produce a positive outcome, again wasting your time and efforts.
- Decreased engagement: When the click bots artificially increase click-through rates, it can lead to decreased engagement from real users.
- Ineffective ad targeting: Adjusting audience targeting due to bot traffic can harm your other marketing optimization efforts as well.
As we can see, click bots are not just affecting your ad campaigns like Google Ads or Facebook Ads, but they are a threat to your overall marketing efforts as well.
That’s why it is important to prevent them from happening in the first place.
How to detect and block click bots
Detecting bot clicks can be challenging, but it’s not impossible. Here are some actionable steps that you can take to detect and avoid click bots:
- Monitor Your Website Traffic: Keep track of your website’s traffic to detect suspicious patterns, such as sudden increases in clicks or clicks coming at unusual times of the day.
- Narrow down your targeting: With more specific audience targeting, it’s easier to detect when clicks are coming from unusual audience groups.
- Limit your ad runtime: By not running your ads 24/7, you can limit the possibilities of some click bots that are scheduled at specific times to access them.
- Implement CAPTCHAs: CAPTCHAs are a popular way to prevent bots from accessing your website. The most basic forms usually include image or text recognition tests to verify that the user is human.
While these steps can help reduce bot traffic’s impact, it’s essential to note that they cannot guarantee 100% effectiveness. We’re also aware that implementing them can be difficult and time-consuming.
Fortunately, ClickCease streamlines this whole process. ClickCease is a bot detection tool designed to mitigate and block bot clicks in real time.
If you want to keep your PPC ads (or any other marketing activity) free of click bots, check out the free trial here. You can look at exactly how many fake clicks your ads get before you sign up.
Make sure your PPC ad spend is only being seen by genuine human eyes, not clicker bots or click farm workers.