Ad clicking bots have been a thorn in the side of PPC marketers since the start. These pesky automated troublemakers zap the budget of businesses and have become increasingly sophisticated in recent years. Today, click fraud costs advertisers more than $35 billion each year (and rising!).
We’ve recently been looking at some of the most infamous click bots right here on this blog.
In this post we’ll look at a list of the most famous click bot examples and ad fraud malware campaigns, and how they’ve progressed over the years.
What is a click bot?
Online bots are coded programs designed to perform an action, or variety of actions. Bots can be used for genuine and useful activities online, such as scanning websites for errors, collecting data (e.g; keyword research or traffic statistics) or automating tasks.
However there are plenty of ‘bad bots’ that can be easily found by unscrupulous people online, such as:
Click bots can be used to perform simple tasks like clicking on buttons, posting comments (spambots) or visiting websites (bot traffic). But, increasingly, developers are creating more sophisticated bots which can carry out more complex tasks and even mimic genuine user behaviour online. This can include ‘browsing’ a website, adding items to shopping baskets, chatting in live streams, or completing forms and downloads.
A botnet is a network of interconnected bot programs, which can perform tasks either individually or as a unit. These bots are often run from a command and control center (C&C) by a human operator. The bots themselves might be embedded on servers in a data center, or they can also be presented on infected user devices such as laptops and smartphones.
These are usually in the form of malware infected app downloads, browser extensions or virus installs on computers or portable devices. Increasingly these bots are able to access IoT devices too, such as connected TVs, smart fridges and more.
Once they’re in place, these devices can then be leveraged by the click bot to perform actions such as clicking on links, generating bot traffic for social media, engaging with websites and spamming or commenting.
This bot traffic an also be used for more malicious fraud such as distrubuting copies of themselves and spreading the virus, or performing cybercrime related activities such as denial of service (DDoS) attacks.
Bots can also mask their location by changing their IP addresses or simply hijacking the activity of genuine human users.
How do these click bots work?
In the case of PPC fraud, the focus is fraudulent clicks on ads (display, video or text/search results). These ads are normally embedded on a website owned by a fraudster.
The idea is that the fraudster then collects the payout for the clicks (or video impressions) on the ads that his site is hosting.
The bots themselves are technically a type of virus, or Trojan, usually embedded on an internet connected device such as computer, tablet, server or cellphone.
Once embedded on a device, they can then be either used as part of a network to click on these ads, en masse. Or, they can carry out localised click fraud, for example within an app (known as click injection or click spamming).
Whatever the technique, every ad click costs an advertiser, somewhere in the world, some money…
Mentions of click fraud have been occurring since at least the early 2000s, and pay per click has been a thing since around 1996. But when did click fraud, or ad fraud, start to become the problem it is today?
Click fraud pre-2006
Most mentions of click fraud before 2006 are related to the practice of hosting ads on a low quality site (or sites), and then clicking them en masse to collect the payout.
This tended to be quite simple, with fraudulent publishers signing up their low quality site for Google AdSense and then clicking the ads themselves (or hiring someone to do it for them).
Even in 2003 there are mentions of bots to click on these ads but much of the information is based on assumptions and partial research. And so, knowing there was a big problem with click fraud and ad fraud, Google employed a dedicated team to tackle the growing problem.
Competitor click fraud has also been a problem since the early days of pay per click, with the practice becoming commonplace today.
So, it was just a matter of time before click bots started to proliferate and become a bigger problem…
- Years active: 2006
- Estimated cost: $50,000
- Estimated infections: 100,000 computers
Back in 2006, Google spotted some malicious software that was used to ‘conduct low-noise click fraud attacks against syndicated search networks’.
Put simply, Clickbot A was targeting search results on sites that used Google to provide the sponsored results. It was thought that around 100,000 machines were linked up to power this ad clicking bot.
As the first mention of an actual ad clicker, Clickbot A is perhaps the first real proof of the existence of click fraud botnets.
Google estimated that Clickbot A was responsible for $50,000 worth of fraud. Pocket change for many of today’s enterprise marketers. But, as we’ll see, this was relatively small fry compared to those that would come after.
- Years active: 2007-2011
- Estimated cost: $14 million
- Estimated infections: 4 million computers (both Internet explorer and Apple devices)
Created and proliferated by a team of Estonians and Russians working as a company called Rove Digital, the DNS Changer scam is probably one of the first known court cases against an ad fraud bot bnetwork. Vladimir Tsastin was sentenced and convicted on charges of wire fraud and money laundering.
This botnet worked by infecting web browsers (usually Microsoft’s Internet Explorer) and then changing the web address on infected devices to domains owned by the gang. The browser would then display ads which would earn a commission for the Rove Digital fraudsters.
The DNS Changer botnet ran for around 4 years and, as well as ad clicking bots, there were sneaky features such as preventing anti-virus updates, which may have helped it run for even longer.
- Years active: 2013 – present
- Estimated cost: Unknown
- Estimated infections: Unknown
This bot, also known as Boaxxe, is more than just a click bot. As a Trojan, often delivered via dodgy attachments such as fake documents, Miuref has been used in a variety of online fraud attacks.
Most famously, Miuref was used to devastating effect as part of the 3ve botnet campaign (more on that shortly). But it can also be used to remotely mine Bitcoin, steal data and take advantage of security flaws.
Although it has been identified and can be removed by antivirus software, Miuref continues to be a problem and proliferates.
It’s unclear exactly how much financial damage has been caused by Miuref, as it is often used in conjunction with other botnets. And, as it isn’t specifically an ad fraud bot clicker, it’s financial impact will be in the multiple billions.
- Years active: 2012 – present
- Estimated cost: Not known
- Estimated infections: 500,000+ machines
Stantinko was originally spotted as a malware component in Chrome extensions, which were actually online security extensions. These affected software programs were then capable of performing what is essentially ad injection, which is where the software performs clicks or views on hidden ads on behalf of the fraudsters.
However, this bot is quite versatile and is capable of installing additional adware, gaining access to WordPress and Joomla sites and even performing searches on Google.
The gang behind this botnet have managed to keep it going for so many years as the code for the bot is hidden within reams of legitimate code. Stantinko affects mostly Russia and Ukraine, but has also been found on systems outside of these areas.
- Years active: 2009 – 2013
- Estimated cost: $700,000 per year
- Estimated infections: Up to one million desktop machines
Discovered by Microsoft in early 2013, Bamital was a piece of malware that used a clever form of search hijacking to commit click fraud. Searchers on Bing, Yahoo and Google would click on search results but would be redirected to ads or pages with malware embedded in them.
Bamital flew under the radar for a while thanks to its ability to hide in web pages and be installed via ‘drive by’ downloads. That is where a site visitor receives an update or download, usually to their web browser without their knowledge, from an infected site.
The Bamital botnet was thought to be making anything up to $1 million per year for its operators.
- Years active: 2013
- Estimated cost: Around $6 million per day
- Estimated infections: 120,000 desktop machines
The Chameleon botnet was one of the first identified click bots to mimic user behaviour. It was also groundbreaking in that it targeted display ads, instead of text ads, which had been the standard until this point.
Despite these new developments, Chameleon was actually a relatively simple bot. It would perform a ‘uniformly random’ series of clicks and rollovers on a selection of just over 200 websites.
However, Chameleon diverted just over half the ad revenue from these 200 websites.
- Years active: 2014 – present
- Estimated cost: Not known
- Estimated infections: Unknown
Another ad fraud botnet that has been leveraged by other bigger campaigns, Kovter is still out there. Like other long lasting malware, Kovter has managed to hide itself in longer lines of code, including Windows registry files.
It’s a particularly clever click bot which does its damage when the system is in ‘sleep’ or ‘standby’ mode. Kovter can also shut itself down whenever a system scan is started, making it hard to be found by standard virus scanners.
- Years active: 2015-2017
- Estimated cost: $3 million per day at the peak
- Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses
The daddy of the ad fraud botnets, Methbot used a network of infected servers to spoof websites and perform fake video ad impressions. It’s thought that the gang behind Methbot were making anything up to $5 million each day in fake impressions.
Although as we’ve seen ad fraud is nothing new, the unique feature of Methbot was its ability to make fake inventory look like genuine premium inventory.
The sheer volume of fraud being committed by Methbot grabbed headlines and spooked the digital marketing community. Today, it’s still the benchmark for click fraud campaigns… Although, it’s cousin, 3ve, was soon to replace Methbot as the biggest fraud network.
- Years active: 2017-2018
- Estimated cost: At least $29 million
- Estimated infections: 1.7 million hacked computers
As Methbot was being shut down by the FBI, a new and bigger ad fraud network came to the fore. 3ve was actually run by most of the same team behind Methbot, but the complexity of this ad fraud scheme was truly impressive.
Mostly using existing ad clicker bots such as Kovter and Miuref, 3ve was capable of even more video impressions. And, another clever development, 3ve managed to work despite ads.txt – actually using ads.txt lists to spoof inventory.
It turned out that a team of Russian and Kazakh nationals were behind this huge scam, making an estimated $29 million from the efforts.
- Years active: 2016
- Estimated cost: $300,000 per month in 2016
- Estimated infections: 10 million Android devices worldwide
This malware infection bought the problem of mobile app infections into the limelight. HummingBad was allegedly created by a Chinese advertising company, YingMob, to inflate the clicks on it’s ads (ad fraud). However the software was more sophisticated than simply being an ad bot clicker. It could also disguise the origin of the click and could potentially be used to install software on users devices without their knowledge.
Despite being uncovered and shut down in 2016, the malware resurfaced as HummingWhale in 2017, infecting over 20 apps on the Google Play store.
- Years active: 2017
- Estimated cost: Up to $1.2 million per day
- Estimated infections: At least 500,000 computers in the US, UK, Netherlands and Canada
Another ad clicker that managed to get around ads.txt, HyphBot was thought to be around 3 or 4 times bigger than Methbot.
By using the ads.txt lists of websites, HyphBot was able to create composite domain names which were used for fake impressions on video ads, mostly. Again, the organisers behind HyphBot used a network of existing botnets to use as their ad clickers.
HyphBot ran for a relatively short length of time before it fizzled out, but not before making off with millions of dollars in defrauded ad revenue.
- Years active: 2018 – 2019
- Estimated cost: Not known
- Estimated infections: At least 10 million infections when discovered
A case in point that click fraud and ad fraud continues to evolve; DrainerBot was a malware botnet embedded in a software development kit (SDK) found in Android devices. This SDK was used to build hundreds or thousands of apps, many of which contained the DrainerBot code.
DrainerBot got around Google’s Play Protect checks by only becoming active after an update, where the bulk of the malware was found. The app would then commit ad fraud by viewing video ads in the background, using lots of data and battery power in the meantime.
By using up to 10GB a month, and rinsing battery life in double quick time, the malware earned the name DrainerBot. All apps identified as containing DrainerBot have been removed from the Play Store, but it is possible this ad clicker bot is still out there…
- Years active: 2018 – present
- Estimated cost: At least $15 million
- Estimated infections: Not known
Another botnet targeting the weak links in ads.txt, this bot clicker spoofs domain inventory in a similar way to HyphBot. In fact, it seems that 404 Bot is capable of passing several different preventative techniques and continues to deplete marketing funds as we speak.
With damage at an estimated $15 million as of February 2020, how many more millions will be siphoned off by 404 Bot?
- Years active: 2019-2020
- Estimated cost: Not known
- Estimated infections: At least 56 apps, over 1 million downloads
This ad clicker bot was hidden in at least 56 Android apps, mostly games aimed at children but with a few utilities apps in there too. Similar to DrainerBot, the Tekya malware would engage with ads without the knowledge of the device user.
With over 1 million downloads, it’s thought that Tekya was committing it’s brand of ad fraud since at least May 2019. Tekya used a clicker malware called Haken, which is able to mimic user behaviour and click on both visible and invisible ads on a device screen.
And this isn’t all….
This list of click bots and ad fraud networks isn’t even definitive. We haven’t even mentioned Judy, a malware based ad clicker from South Korea who was allegedly distributed by an app developer to inflate their ad revenue. We’ve also not mentioned IceBucket or SourMint, both recent ad fraud botnets that have caused havoc.
In fact, many botnets go under the radar, skimming a bit of money here and there for small operators. These high profile ad click bots made headlines because they were so big, but most botnets don’t have a name or even run long enough for the authorities to find them.
Simply, the problem of ad fraud isn’t going anywhere soon because it’s just too easy for some sneaky developers to do.
The future of click fraud and ad fraud
Apps and software committing click fraud continue to be a problem for marketers, with no end in sight despite several initiatives to stop the problem.
These click bots are capable of committing an incredible volume of fraud in a relatively short amount of time, with even the ad fraud campaigns lasting a few months raking in hundreds of thousands of dollars.
For marketers looking to block fake engagement from these click bots, it’s often a case of playing catch up. So what can you do?
There are ways you can manually block click fraud on your Facebook, Bing and Google Ads. But, the easiest way is to use anti-click fraud software such as ClickCease. And, with a free trial, you can take a look at exactly how many fake clicks your ads are getting before you sign up.
Make sure your PPC ad spend is only being seen by genuine human eyes, not clicker bots or click farm workers.