- Their traffic has been growing exponentially over the last few years, according to Alexa (see graph below). Note that Alexa can’t always discriminate between real and fake traffic. Software (AlexaBooster) is available which allows a user to artificially inflate Alexa rankings.
- Note two sharp dips in early 2006 and 2007 (see graph below).
- In 2006, the browser distribution was different, with more Firefox, possibly indicating a network of human beings paid to click.
- In 2007, the browser distribution shifted, favoring Internet Explorer, as they employ a botnet programmed specifically for IE but not for other browsers.
- They continually add new advertisers to their target list, but rarely generate more than 3 clicks per day per advertiser. Newly infected computers are assigned to advertisers recently added to their list.
- Advertisers accepting clicks from foreign countries, and small advertisers, are hit hardest.
- A portion of their traffic is real, a portion of it is bogus, generated by botnets (clicking agents attached to viruses), and a portion of it comes from human beings paid to click according to a pre-specified schedule.
- Because they have infected so many computers, they are able to use a very large pool of IP addresses, though the traffic skews towards international, and some specific IP blocks and foreign transparent proxies are widely used.
- Their traffic patterns are associated with unrealistic variances and they generate an extremely high proportion of bogus conversions.
- Below is a table with four sample clicks:
- 13/May/2007:08:58:54, query=data+marts, IP=xxx.139.16.154
- 02/May/2007:04:31:47, query=on+line+shopping+sears+canada, IP=xxx.55.121.2
- 06/Jan/2007:02:22:23, query=malpractice, IP=xxx.115.106.226
- 13/Feb/2007:19:33:17, query=fort+myers+mesothelioma+lawyers, IP=xxx.152.21.8
Details:
- Each click is from a different advertiser.
- Each click has a Google gclid tag.
- The time zone is from the advertiser log.
- The first click was billed at full price (even days later, the charge did not disappear). It resulted in a bogus conversion. It also triggered an HTTP request on the target page for a blank stylesheet.
- This means that the botnet is a parasite of Internet Explorer, and does not have its own code to connect to the Internet, but rather relies on Internet Explorer to do so.
- All four clicks have IE 6 as a user agent, as one would expect.
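One way to detect the pattern described above, as an added example that is not part of the original analysis: no single advertiser sees more than 3 clicks per day, so the clicks are pooled by traffic source across advertisers and checked for a single dominant user agent and an inflated conversion rate. The `adv`, `src`, `ua` and `conv` fields, the record layout and the two pooled thresholds are assumptions; the sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real data). Timestamp style follows the page's
# sample clicks; the adv/src/ua/conv fields are hypothetical additions.
SAMPLE = """\
13/May/2007:08:58:54, adv=A, src=suspect, ua=MSIE 6.0, conv=1
13/May/2007:09:12:10, adv=A, src=suspect, ua=MSIE 6.0, conv=1
13/May/2007:11:40:02, adv=B, src=suspect, ua=MSIE 6.0, conv=1
13/May/2007:13:05:33, adv=B, src=suspect, ua=MSIE 6.0, conv=0
13/May/2007:15:21:47, adv=C, src=suspect, ua=MSIE 6.0, conv=1
13/May/2007:18:30:19, adv=C, src=suspect, ua=MSIE 6.0, conv=1
13/May/2007:08:01:00, adv=A, src=baseline, ua=MSIE 6.0, conv=0
13/May/2007:08:45:00, adv=A, src=baseline, ua=Firefox 2.0, conv=0
13/May/2007:10:15:00, adv=B, src=baseline, ua=MSIE 7.0, conv=1
13/May/2007:14:00:00, adv=C, src=baseline, ua=Opera 9, conv=0
"""

LINE = re.compile(r"(?P<day>[^:]+):[\d:]+, adv=(?P<adv>\w+), src=(?P<src>\w+), "
                  r"ua=(?P<ua>[^,]+), conv=(?P<conv>[01])")

def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            yield m.groupdict()

def profile(records):
    """Pool clicks per traffic source across all advertisers."""
    per_adv_day = defaultdict(Counter)   # src -> {(adv, day): clicks}
    ua, conv, total = defaultdict(Counter), Counter(), Counter()
    for r in records:
        s = r["src"]
        per_adv_day[s][(r["adv"], r["day"])] += 1
        ua[s][r["ua"]] += 1
        conv[s] += int(r["conv"])
        total[s] += 1
    return {s: {"max_per_adv_day": max(per_adv_day[s].values()),
                "top_ua_share": ua[s].most_common(1)[0][1] / total[s],
                "conv_rate": conv[s] / total[s]} for s in total}

def flag(profiles, per_adv_limit=3, ua_share=0.9, conv_rate=0.5):
    """Sources under the per-advertiser limit that look anomalous when pooled.
    ua_share and conv_rate are assumed thresholds, to be tuned on real baselines."""
    return sorted(s for s, p in profiles.items()
                  if p["max_per_adv_day"] <= per_adv_limit
                  and p["top_ua_share"] >= ua_share and p["conv_rate"] >= conv_rate)
```

On the constructed data, `flag(profile(parse(SAMPLE)))` returns only the `suspect` source, even though neither source exceeds 2 clicks per advertiser per day.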
Spiralup's exponential traffic growth: