Chameleons, botnets and click fraud

Filed Under: Botnet, Featured, Malware

Chameleon. Image from ShutterstockA number of news reports have picked up on a blog post by, where the web analytics firm discusses a botnet that can allegedly generate more than $6 million a month through bogus clicks on online adverts.

The botnet, which has dubbed "Chameleon", is said to have infected some 120,000 computers in the United States.

When I read stories like this, the first thing I want to check is - "Do Sophos products detect this? Are we protecting our customers?"

In this particular case, that's hard to definitively answer - because hasn't shared much in the way of information. The name isn't used by other anti-virus products, and no checksums or VirusTotal links are offered in the blog post.

Last year, SophosLabs researchers published a technical paper about ZeroAccess - a botnet which had managed to infect over its lifespan nine million PCs around the world, but was now one million computers strong and mostly based in the United States.

ZeroAccess-infected computers plotted on a world map

Like "Chameleon", ZeroAccess earns money through click fraud (and it also has a sideline in Bitcoin mining) - we estimated at the time it was making almost $3 million per month.

Could Chameleon and ZeroAccess be related? We'd need more information from to be definite about that, but there certainly seem to be similarities.

The good news is that Chameleon is said to be quite unstable, and causes regular crashes and computer slowdown - something which might alert users to there being a problem with their PC.

What is click fraud?

Click fraud is a type of crime that abuses pay-per-click (PPC) advertising to make money through fake or fraudulent clicks on ads.

PPC advertising is a very big industry on the internet. It is operated by large networks such as Google Adwords, Yahoo! Search Marketing and Microsoft adCenter and generates billions of dollars a year.

PPC works by a fee being paid when a link or ad is clicked. Typically advertisers (who have something they want to sell) place ads on website operators' websites and pay the website owner a fixed amount each time the ad is clicked.

The advertising networks act as middlemen - the advertiser registers with the advertising network, the network places the ad on the publisher's website and when a click happens the advertiser pays the network and the publisher.

Click fraud is the process of clicking an ad for the purpose of generating a charge without having any interest in the subject of the ad.

Money can be made by becoming an affiliate for the advertising networks and by pretending to be a publisher that is placing the ad on their website.

If a malicious actor can generate clicks on ads and get paid each time a click takes place then they can make money. If they can generate a large number of clicks without the advertising network realizing the clicks are fraudulent then there is potential to make a large amount of money. In many ways a botnet is ideal for generating a large number of clicks.

Further reading: The ZeroAccess Botnet:
Mining and Fraud for Massive Financial Gain

In all probability, Sophos products do already detect the "Chameleon" threat.

As ever, our advice is to keep your wits about you and your systems secure and updated.

That doesn't just mean running an up-to-date anti-virus program - you should also ensure that you are installing the latest operating system patches, and security updates for other frequently exploited programs such as Java, Adobe Flash and Adobe Reader.

Thanks to James Wyke and Fraser Howard of SophosLabs for their assistance.

Chameleon image from Shutterstock.

, , ,

You might like

One Response to Chameleons, botnets and click fraud

  1. the dealmaster · 930 days ago

    There are sweatshops in India that hire women to sit around and click all day. Bunch of crap that is.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley