This Is What It Looks Like When A Click-Fraud Botnet Secretly Controls Your Web Browser
Advertisers waste about $7 million a month on fraudulent clicks from botnets (networks of PCs infected with malware). Botnet controllers can sell their army of infected PCs to anyone who wants to generate tons of "traffic" - i.e. unethical web publishers who run advertising but don't have any real people clicking on their ads.
Spider.io obtained a copy of "Zeus," a notorious piece of "root-kit" software that nestles inside the system of any infected PC. Once a machine is infected with Zeus, the botnet controller can instruct the malware to open a hidden Internet Explorer window in which it secretly visits web sites and clicks on ads, all without the innocent user knowing what is going on. Spider.io claims about 3.6 million PCs in the U.S. are infected with Zeus.
The ingenious part is that the botnet copies your real browsing behavior so that it looks like its fake clicks are real human clicks.
First, a Spider.io researcher began using the infected machine. The researcher browsed a series of shopping websites to build up a bunch of tracking cookies, the little bits of data that advertisers use to target you on the web. Here is the researcher looking at wine glasses on the John Lewis department store web site:
Next, the researcher goes to buy a train ticket. The cookies - which are legit - do their job, and the researcher is targeted with John Lewis ads on the National Rail web site:
But the PC is infected with Zeus, and the botnet controller can see the PC being used on his or her controller dashboard:
The controller then sends a command to the infected machine. This one is called "Ghost Visitor":
Even though the machine is infected and under the control of a botnet commander, the PC's Task Monitor shows no unusual activity:
But there is a hidden browser window that is active, controlled by the botnet:
Scroll down the list of hidden windows, and there it is:
Spider.io has redacted the name of the web site being displayed by the hidden window. When Spider.io clicked to show the window, here is what they got. The company anonymized the web page, too, but it's clearly some sort of cat video library. Note that the cookies, which were legit but have now been hijacked by Zeus, are triggering John Lewis ads at the top of the page:
The Zeus malware then replays the mouse activity that the human researcher performed on previous web pages, and clicks on an ad:
Boom! John Lewis must now pay the cat web site owner for serving an ad - even though the click was completely fake.
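The hidden Internet Explorer window shown above is something a defender can look for by listing top-level windows and flagging browser frames that are not visible. The following is an added example, not Spider.io's tooling or code from the original article; it assumes "hidden" means the window lacks the visible flag and that Internet Explorer frames use the window class `IEFrame`, and the sample records are constructed.

```python
import sys

BROWSER_CLASSES = {"IEFrame"}  # assumption: Internet Explorer's top-level frame class

# Constructed sample records (not captured data), used off Windows and in tests.
SAMPLE = [
    {"hwnd": 0x101, "pid": 2040, "cls": "IEFrame", "visible": True,
     "title": "National Rail - Windows Internet Explorer"},
    {"hwnd": 0x202, "pid": 3312, "cls": "IEFrame", "visible": False,
     "title": "[redacted site] - Windows Internet Explorer"},
    {"hwnd": 0x303, "pid": 880, "cls": "Shell_TrayWnd", "visible": True, "title": ""},
    {"hwnd": 0x404, "pid": 880, "cls": "tooltips_class32", "visible": False, "title": ""},
]

def hidden_browser_windows(windows):
    """Return browser frame windows that exist but are not shown to the user."""
    return [w for w in windows if w["cls"] in BROWSER_CLASSES and not w["visible"]]

def enumerate_windows():
    """Windows only: snapshot every top-level window through user32."""
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    callback_type = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.EnumWindows.argtypes = [callback_type, wintypes.LPARAM]
    user32.IsWindowVisible.argtypes = [wintypes.HWND]
    user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowThreadProcessId.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.DWORD)]
    found = []

    def on_window(hwnd, _lparam):
        cls = ctypes.create_unicode_buffer(256)
        title = ctypes.create_unicode_buffer(512)
        pid = wintypes.DWORD()
        user32.GetClassNameW(hwnd, cls, 256)
        user32.GetWindowTextW(hwnd, title, 512)
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        found.append({"hwnd": hwnd, "pid": pid.value, "cls": cls.value,
                      "title": title.value, "visible": bool(user32.IsWindowVisible(hwnd))})
        return True  # keep enumerating

    user32.EnumWindows(callback_type(on_window), 0)
    return found

if __name__ == "__main__":
    windows = enumerate_windows() if sys.platform == "win32" else SAMPLE
    for w in hidden_browser_windows(windows):
        print(f"hidden browser window hwnd={w['hwnd']:#x} pid={w['pid']} title={w['title']!r}")
```

A flagged window is a lead rather than a verdict: programs that automate Internet Explorer can also create invisible frames, so follow the reported pid to the owning process before drawing conclusions.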