Chameleon Clickjacking Botnet Stealing $6 Million a Month

Chameleon, a botnet that appears designed to take advantage of online advertisers via clickjacking, is estimated to be prying loose $6 million a month via a distributed cluster of hijacked PCs.

This week, said that it had discovered the botnet, made up an estimated 120,000 PCs. Botnet operators create Websites with hosted third-party ads, then send the botnet-infected PCs to view the sites and click the ads, fooling the advertisers that there is genuine interest in their products. The owners of the sites—202 of them, according to the security firm—then get paid from the so-called “click fraud.”

Nine billion ad impressions have been served to the botnet on a monthly basis, with an automated click through rate of just 0.02 percent—most likely to avoid being detected via anomalous behavior. Mouse movements are randomly simulated, too.

At least 65 percent of the traffic through the affected sites is from the botnet, said, adding that it had worked with display ad exchanges and client platforms to determine what was (or wasn’t) legitimate traffic. There’s one big tipoff: all of the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7.

The impressions and clickthroughs have cost online advertisers a total of $6.2 million per month. About 95 percent of them are from U.S. IP addresses, with the most affected states being located in California and Texas. Individual bots within the Chameleon botnet run on host machines with Microsoft Windows as the operating system. Bots access the Web through a Flash-enabled Trident-based browser that executes JavaScript, according to

The firm said that it had been tracking the Chameleon botnet since December, but only in February did the botnet’s full extent become apparent. The effort to avoid ad companies’ monitoring software demonstrated a great degree of sophistication, said.

Last month, Microsoft and Symantec took down the “Bamital” botnet, which affected at least 1.8 million IP addresses and generated at least three million fraudulent clicks, according to Symantec. Over eight million PCs were affected, said security blogger Brian Krebs. In total, Chameleon is expected to cost advertisers 70 times more money than Bamital, estimated. has posted a blacklist of the 5,000 worst IP addresses on its Website, providing a valuable guide for anti-malware companies to tell which PCs might be affected. Chameleon is still operational—but now, it’s out in the open.


Image: scyther5/