Online investigators have exposed a network of hijacked computers responsible for defrauding advertisers of millions of dollars a month by falsifying billions of visits to websites and clicks on ads.
The so-called botnet scheme is the latest symptom of the increasing complexities and opacity in the Internet advertising business, as exchanges and networks replace traditional ways of buying online banners.
According to Spider.io, a London-based startup that sorts legitimate Web browsing from fraudulent behaviour, traffic from what it calls the "Chameleon" botnet accounts for almost two-thirds of the total visits to certain groups of websites. The publishers could then use the inflated number of page views to increase their advertising revenues, it said.
In a report published on Tuesday, Spider.io said the botnet was made up of 120,000 residential PCs in the U.S. that have been infected with a virus. Invisible to their owners, activity from these machines swallowed up 9 billion display ad "impressions" or views every month across a network of more than 200 sites, with sophisticated software even mimicking mouse movements and clicks to evade detection.
"It is difficult to imagine why one would run this type of botnet across a cluster of 202 sites other than to commit display advertising fraud," said Spider.io's chief executive, Douglas de Jager, in the report.
The publishers of the sites involved charge an average of $0.69 per thousand ad impressions, meaning the botnet traffic is racking up costs to advertisers of around $6-million a month, Spider.io estimates.
Mr. de Jager said the scheme was just one of many that the online advertising industry had been fooled by – or chosen to ignore.
"We have already identified at least one other large and wholly distinct botnet – targeting a wholly distinct cluster of websites," he said.
Spider.io did not disclose the names of the site owners but suggested that they may control the botnets themselves or have purchased traffic from the botnets' operators.
The issue highlights the complexities of the Internet advertising business and will raise fresh questions about the controls put in place by ad technology providers.
The botnet's exposure also demonstrates the ever-changing tactics of cyber criminals. These networks of hijacked computers have traditionally been used to knock a website offline, sometimes demanding a ransom to bring it back, or to collect large numbers of credit card details.
But as online security improves and such attacks become easier to catch, botnets are being put to use in what might be seen as a "victimless" crime akin to insurance fraud – where the number of people losing money is so large, and the individual sums so small, that few will ever realize they have been ripped off.
According to Christian Carrillo, vice-president of innovation at DataXu, a digital advertising technology provider, the fraud may be hard to prosecute, even if its perpetrators were tracked down, due to the terms of trade in the online ad business.