The Click Fraud Blog | ClickCease
a history of ad fraud click bots

A Short History of Ad Click Bots & PPC Fraud

Ad clicker bots have been a thorn in the side of PPC marketers since the start. These pesky automated troublemakers zap the budget of businesses and have become increasingly sophisticated in recent years. Today, click fraud costs advertisers more than $23 billion each year (and rising!).

We’ve been looking at some of the most famous examples of these click bots right here on this blog. 

In this post we’ll look at some of the most famous click bots and ad fraud malware campaigns, and how they’ve progressed over the years.

What is a click bot?

These automated ad clickers are pieces of code that are designed to click on whatever the fraudster wants them to. In the case of PPC fraud, the focus is on PPC ads (display, video or text/search results), which are normally embedded on a website owned by a fraudster.

The idea is that the fraudster then collects the payout for the clicks (or video impressions) on the ads that his site is hosting.

The bots themselves are technically a type of virus, or Trojan, usually embedded on an internet connected device such as computer, tablet, server or cellphone.

Once embedded on a device, they can then be either used as part of a network to click on these ads, en masse. Or, they can carry out localised click fraud, for example within an app (known as click injection or click spamming).

Whatever the technique, every ad click costs an advertiser, somewhere in the world, some money…

Mentions of click fraud have been occurring since at least the early 2000s, and pay per click has been a thing since around 1996. But when did click fraud, or ad fraud, start to become the problem it is today?

There are many different type of clicker bots over the years

Click fraud pre-2006

Most mentions of click fraud before 2006 are related to the practice of hosting ads on a low quality site (or sites), and then clicking them en masse to collect the payout. 

This tended to be quite simple, with fraudulent publishers signing up their low quality site for Google AdSense and then clicking the ads themselves (or hiring someone to do it for them).

Even in 2003 there are mentions of bots to click on these ads but much of the information is based on assumptions and partial research. And so, knowing there was a big problem with click fraud and ad fraud, Google employed a dedicated team to tackle the growing problem.

Competitor click fraud has also been a problem since the early days of pay per click, with the practice becoming commonplace today.

So, it was just a matter of time before click bots started to proliferate and become a bigger problem… 

Clickbot A

  • Years active: 2006
  • Estimated cost: $50,000
  • Estimated infections: 100,000 computers
early footage of Clickbot A commiting ad fraud

Back in 2006, Google spotted some malicious software that was used to ‘conduct low-noise click fraud attacks against syndicated search networks’. 

Put simply, Clickbot A was targeting search results on sites that used Google to provide the sponsored results. It was thought that around 100,000 machines were linked up to power this bot clicker.

As the first mention of an actual ad clicker, Clickbot A is perhaps the first real proof of the existence of click fraud botnets. 

Google estimated that Clickbot A was responsible for $50,000 worth of fraud. Pocket change for many of today’s enterprise marketers. But, as we’ll see, this was relatively small fry compared to those that would come after. 

DNSChanger

  • Years active: 2007-2011
  • Estimated cost: $14 million
  • Estimated infections: 4 million computers (both Internet explorer and Apple devices)
At the time DNSChanger was the master of ad fraud botnets

Created and proliferated by a team of Estonians and Russians working as a company called Rove Digital, the DNSChanger scam is probably one of the first known court cases against an ad fraud network. Vladimir Tsastin was sentenced and convicted on charges of wire fraud and money laundering.

This botnet worked by infecting web browsers (usually Microsoft’s Internet Explorer) and then changing the web address on infected devices to domains owned by the gang. The browser would then display ads which would earn a commission for the Rove Digital fraudsters.

The DNSChanger botnet ran for around 4 years and, as well as click bots, there were features such as preventing anti-virus updates, which may have helped it run for even longer. 

Miuref

  • Years active: 2013 – present
  • Estimated cost: Unknown
  • Estimated infections: Unknown
Like the Terminator, Miuref botnet keeps coming back

This bot, also known as Boaxxe, is more than just a click bot. As a Trojan, often delivered via dodgy attachments such as fake documents, Miuref has been used in a variety of online fraud attacks.

Most famously, Miuref was used to devastating effect as part of the 3ve botnet campaign (more on that shortly). But it can also be used to remotely mine Bitcoin, steal data and take advantage of security flaws. 

Although it has been identified and can be removed by antivirus software, Miuref continues to be a problem and proliferates. 

It’s unclear exactly how much financial damage has been caused by Miuref, as it is often used in conjunction with other botnets. And, as it isn’t specifically an ad fraud bot clicker, it’s financial impact will be in the multiple billions.

Stantinko

  • Years active: 2012 – present
  • Estimated cost: Not known
  • Estimated infections: 500,000+ machines
Stantinko botnet keeps on finding new ways to make money

Another multi-use botnet, Stantinko has been identified as being behind a number of ad fraud campaigns, but has recently shifted over to crypto mining.

Stantinko was originally spotted as a malware component in Chrome extensions, which were actually online security extensions. These affected software programs were then capable of performing what is essentially ad injection, which is where the software performs clicks or views on hidden ads on behalf of the fraudsters.

However, this bot is quite versatile and is capable of installing additional adware, gaining access to WordPress and Joomla sites and even performing searches on Google.

The gang behind this botnet have managed to keep it going for so many years as the code for the bot is hidden within reams of legitimate code. Stantinko affects mostly Russia and Ukraine, but has also been found on systems outside of these areas.

Bamital

  • Years active: 2009 – 2013
  • Estimated cost: $700,000 per year
  • Estimated infections: Up to one million desktop machines
Ghost in the Shell and Bamital botnet share some sililarities

Discovered by Microsoft in early 2013, Bamital was a piece of malware that used a clever form of search hijacking to commit click fraud. Searchers on Bing, Yahoo and Google would click on search results but would be redirected to ads or pages with malware embedded in them.

Bamital flew under the radar for a while thanks to its ability to hide in web pages and be installed via ‘drive by’ downloads. That is where a site visitor receives an update or download, usually to their web browser without their knowledge, from an infected site.

The Bamital botnet was thought to be making anything up to $1 million per year for its operators. 

Chameleon

  • Years active: 2013
  • Estimated cost: Around $6 million per day
  • Estimated infections: 120,000 desktop machines
The Terminator from Terminator 2 was a bit like the Chameleon botnet

The Chameleon botnet was one of the first identified click bots to mimic user behaviour. It was also groundbreaking in that it targeted display ads, instead of text ads, which had been the standard until this point.

Despite these new developments, Chameleon was actually a relatively simple bot. It would perform a ‘uniformly random’ series of clicks and rollovers on a selection of just over 200 websites. 

However, Chameleon diverted just over half the ad revenue from these 200 websites. 

Kovter

  • Years active: 2014 – present
  • Estimated cost: Not known
  • Estimated infections: Unknown
Kovter botnet is a Decepticon

Another ad fraud botnet that has been leveraged by other bigger campaigns, Kovter is still out there. Like other long lasting malware, Kovter has managed to hide itself in longer lines of code, including Windows registry files.

It’s a particularly clever click bot which does its damage when the system is in ‘sleep’ or ‘standby’ mode. Kovter can also shut itself down whenever a system scan is started, making it hard to be found by standard virus scanners.

Methbot

  • Years active: 2015-2017
  • Estimated cost: $3 million per day at the peak
  • Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses
Methbot was one of the biggest ad fraud click bots ever

The daddy of the ad fraud botnets, Methbot used a network of infected servers to spoof websites and perform fake video ad impressions. It’s thought that the gang behind Methbot were making anything up to $5 million each day in fake impressions.

Although as we’ve seen ad fraud is nothing new, the unique feature of Methbot was its ability to make fake inventory look like genuine premium inventory. 

The sheer volume of fraud being committed by Methbot grabbed headlines and spooked the digital marketing community. Today, it’s still the benchmark for click fraud campaigns… Although, it’s cousin, 3ve, was soon to replace Methbot as the biggest fraud network.

3ve (Eve)

  • Years active: 2017-2018
  • Estimated cost: At least $29 million
  • Estimated infections: 1.7 million hacked computers
3ve was a monster botnet, much like ED209 from Robocop

As Methbot was being shut down by the FBI, a new and bigger ad fraud network came to the fore. 3ve was actually run by most of the same team behind Methbot, but the complexity of this ad fraud scheme was truly impressive.

Mostly using existing ad clicker bots such as Kovter and Miuref, 3ve was capable of even more video impressions. And, another clever development, 3ve managed to work despite the ads.txt – actually using ads.txt lists to spoof inventory.  

It turned out that a team of Russian and Kazakh nationals were behind this huge scam, making an estimated $29 million from the efforts. 

HyphBot

  • Years active: 2017
  • Estimated cost: Up to $1.2 million per day
  • Estimated infections: At least 500,000 computers in the US, UK, Netherlands and Canada
Is HyphBot the most gangsta click bot ever?

Another ad clicker that managed to get around ads.txt, HyphBot was thought to be around 3 or 4 times bigger than Methbot.

By using the ads.txt lists of websites, HyphBot was able to create composite domain names which were used for fake impressions on video ads, mostly. Again, the organisers behind HyphBot used a network of existing botnets to use as their ad clickers.

HyphBot ran for a relatively short length of time before it fizzled out, but not before making off with millions of dollars in defrauded ad revenue. 

DrainerBot

  • Years active: 2018 – 2019
  • Estimated cost: Not known
  • Estimated infections: At least 10 million infections when discovered
DrainerBot vs Mechagodzilla

A case in point that click fraud and ad fraud continues to evolve; DrainerBot was a malware botnet embedded in a software development kit (SDK) found in Android devices. This SDK was used to build hundreds or thousands of apps, many of which contained the DrainerBot code.

DrainerBot got around Google’s Play Protect checks by only becoming active after an update, where the bulk of the malware was found. The app would then commit ad fraud by viewing video ads in the background, using lots of data and battery power in the meantime. 

By using up to 10GB a month, and rinsing battery life in double quick time, the malware earned the name DrainerBot. All apps identified as containing DrainerBot have been removed from the Play Store, but it is possible this ad clicker bot is still out there…

404Bot

  • Years active: 2018 – present
  • Estimated cost: At least $15 million
  • Estimated infections: Not known
Is the 404 Bot inspired by Japanese Manga series Gundam?

Another botnet targeting the weak links in ads.txt, this bot clicker spoofs domain inventory in a similar way to HyphBot. In fact, it seems that 404 Bot is capable of passing several different preventative techniques and continues to deplete marketing funds as we speak.

With damage at an estimated $15 million as of February 2020, how many more millions will be siphoned off by 404 Bot?

Tekya

  • Years active: 2019-2020
  • Estimated cost: Not known
  • Estimated infections: At least 56 apps, over 1 million downloads
Tekya and Ultron are both evil botnets

This ad clicker bot was hidden in at least 56 Android apps, mostly games aimed at children but with a few utilities apps in there too. Similar to DrainerBot, the Tekya malware would engage with ads without the knowledge of the device user. 

With over 1 million downloads, it’s thought that Tekya was committing it’s brand of ad fraud since at least May 2019. Tekya used a clicker malware called Haken, which is able to mimic user behaviour and click on both visible and invisible ads on a device screen.

The future of click fraud and ad fraud

Apps and software committing click fraud continue to be a problem for marketers, with no end in sight despite several initiatives to stop the problem.

These click bots are capable of committing an incredible volume of fraud in a relatively short amount of time, with even the ad fraud campaigns lasting a few months raking in hundreds of thousands of dollars. 

For marketers looking to block fake engagement from these click bots, it’s often a case of playing catch up. So what can you do?

There are ways you can manually block click fraud on your PPC ads. But, the easiest way is to use anti-click fraud software such as ClickCease. And, with a free trial, you can take a look at exactly how many fake clicks your ads are getting before you sign up. 

Make sure your PPC ad spend is only being seen by genuine human eyes, not clicker bots or click farm workers.

Find out more about click fraud in our in-depth guide

Oli

Since working for ClickCease, Oli has become something of a click fraud nerd, and now bores people at parties with facts about click farms and internet traffic stats. When not writing about ad fraud, he helps companies to optimise their marketing content and strategy with his own content marketing business.

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Block click fraud from ruining your campaign!

Most discussed