London-based startup Spider.io, which helps publishers and advertisers identify legitimate web traffic, has discovered a ring of more than 120,000 hijacked computers that have been flooding websites with fake traffic and in turn costing advertisers more than $6 million per month, the company said in a post on its blog. Called the Chameleon botnet, this cluster of computers typically generates more than nine billion illegitimate ad impressions across 202 websites monthly.
Spider.io, which said it has been tracking the Chameleon botnet since December 2012, found that 95% of the machines involved access the internet from residential IP addresses in the United States. Each bot within the network of computers resembles a group of web users concurrently visiting one of the 202 implicated websites. In a typical month, the botnet accounts for at least seven million ad-exchange cookies.
The Chameleon botnet is "sophisticated" because its bots mimic human web activity, Spider.io said. Bots in Chameleon click on ads at an average rate of 0.02%, for example. The average click-through rate for humans is between 0.02% and 0.04%. The bots also generated mouse traces that mirrored how humans typically peruse the web.
But Spider.io said it was able to identify this web traffic as fake because of the homogeneity of the traffic it was observing in the aggregate. All of the Chameleon bots were accessing websites via Internet Explorer 9.0 on Windows 7 and would visit the same 202 websites. The bots would routinely crash, causing a sudden, massive decrease in the number of visitors on a given site. Spider.io said this pattern of abrupt drops in traffic is typical of botnet schemes and alerted the company that the traffic may be simulated.
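The two aggregate signals described above, one browser and OS profile dominating a site's visitors and abrupt drops in visitor counts, can be expressed as a check over impression logs. This is an added example, not Spider.io's method or code; the record layout, sample data, function names and both thresholds are assumptions.

```python
from collections import Counter

# Real UA format for Internet Explorer 9.0 on Windows 7, the profile named above.
IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
OTHER_UAS = ["Chrome/25 (constructed)", "Firefox/19 (constructed)", "Safari/6 (constructed)"]

def sample_site(bots, humans, crash_minute=None, minutes=5):
    """Constructed (minute, cookie, user_agent) records for one site."""
    records = []
    for minute in range(minutes):
        if crash_minute is None or minute < crash_minute:
            records += [(minute, f"bot{i}", IE9_WIN7) for i in range(bots)]
        records += [(minute, f"human{i}", OTHER_UAS[i % 3]) for i in range(humans)]
    return records

def ua_dominance(records):
    """Most common user agent and its share of distinct cookies."""
    ua_by_cookie = {cookie: ua for _, cookie, ua in records}
    ua, count = Counter(ua_by_cookie.values()).most_common(1)[0]
    return ua, count / len(ua_by_cookie)

def abrupt_drops(records, drop_ratio):
    """(minute, before, after) where distinct visitors fell by more than drop_ratio."""
    visitors = {}
    for minute, cookie, _ in records:
        visitors.setdefault(minute, set()).add(cookie)
    drops = []
    # Walk every minute in range so a minute with no records counts as zero.
    for minute in range(min(visitors) + 1, max(visitors) + 1):
        before = len(visitors.get(minute - 1, ()))
        after = len(visitors.get(minute, ()))
        if before and (before - after) / before > drop_ratio:
            drops.append((minute, before, after))
    return drops

def assess(records, ua_share_threshold=0.9, drop_ratio=0.5):
    """Flag a site only when both aggregate signals are present (assumed thresholds)."""
    ua, share = ua_dominance(records)
    drops = abrupt_drops(records, drop_ratio)
    return {"dominant_ua": ua, "ua_share": share, "drops": drops,
            "suspicious": share >= ua_share_threshold and bool(drops)}

if __name__ == "__main__":
    print(assess(sample_site(bots=40, humans=2, crash_minute=3)))
    print(assess(sample_site(bots=0, humans=42)))
```

Requiring both signals keeps a site with a genuinely uniform audience, or an ordinary traffic dip, from being flagged on one signal alone.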
Spider.io did not identify which publishers were receiving Chameleon botnet traffic, but it did list 5,000 IP addresses associated with Chameleon.