The Bahama botnet, a sophisticated network of compromised computers that is wreaking click-fraud havoc among advertisers, is also snatching away Web traffic and revenue right from under the nose of mighty Google, Click Forensics said Thursday.
As part of its design, the Bahama botnet not only turns ordinary, legitimate PCs into click-fraud perpetrators that dilute the effectiveness of ad campaigns. It also modifies the way these PCs locate certain Web sites through a malicious practice called DNS poisoning.
In the case of Google.com, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box.
It's not clear where the Canadian server gets these results. What is evident is that the results aren't "organic" direct links to their destinations but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains, some of which are in on the scam and some of which aren't.
Sometimes the click takes the user to the advertiser's Web site and sometimes it takes him elsewhere, Matt Graham, a Click Forensics risk analyst, said in an interview.
"Regardless, CPC fees are generated, advertisers pay, and click fraud has occurred," Click Forensics reported on Thursday in a blog posting.
As a result, a user who intended to run a legitimate search on Google ends up unknowingly involved in a click-fraud scam in which Google also loses Web traffic and ad revenue. Google isn't the only provider of CPC ads being affected.
In this way, the Bahama botnet is creating a twisted Robin Hood-type situation by robbing traffic from major ad providers and routing it to smaller players.
This novel blend of DNS-routing redirection and click fraud is an emerging trend among scammers. "As click fraud gets more sophisticated, DNS poisoning is going to be key to how click fraudsters make money," Graham said.
Click fraud usually affects marketers running CPC ad campaigns on search engines and Web sites. When a person or a computer clicks on a CPC ad with malicious intent or by mistake, that is considered click fraud.
However, if the ad provider, whether it be Google, Yahoo, Microsoft or another vendor, doesn't detect the click as fraudulent, it still gets to charge the advertiser for the click.
Thus, in this case, the Bahama botnet is affecting both parties -- the advertisers and the ad providers as well.
In some cases, however, the click doesn't register with the ad network, so the advertiser gets the click and the resulting traffic free, Graham said.
"One of the sophisticated traits of this piece of malware is that it limits the number of ads a single visitor can click on," Graham said, adding that it does this to prevent that particular computer from becoming suspicious to click-fraud filters. "If you do too much clicking, it will stop sending you through ad networks."
The motivations behind click fraud are varied. For example, in order to harm rival companies, a competitor may click on their CPC ads, knowing that they are having to pay for clicks that will not generate them any business.