Home / Blog / Click fraud - a highly lucrative business

Click fraud - a highly lucrative business

Posted on 07/28/2015, by INCIBE

Various studies have indicated that bots currently constitute over half of all global Internet traffic. Certain reports, such as "The 2015 Bad Bot Landscape Report" released by Distil Networks, Inc, even divide traffic into legitimate and malicious traffic, concluding that the latter is growing at an alarming rate.


The boom that Cloud Computing has experienced in recent times has been one of the most significant factors driving this phenomenon, instigating a considerable increase in the use of malicious bots, given that any user can access such a system very cheaply. In this regard, the service provider of this kind that has generated the highest network traffic of malicious bots is Amazon.

But what is the main reason these malicious bots are used? The answer is evident: motives are primarily financial and they are directly related to advertising.

To get an idea of the amount of money that changes hands around the world from investment in advertising, you only need to cast your eye over the data concerning the United States, where it is calculated that more than 180 billion dollars was invested in this area in 2014, with a significant slice of that going on Internet campaigns. This is why there is a whole host of bots designed specifically to simulate human traffic, thus earning money, which is known as "click fraud". It is estimated in some reports that 6.3 billion dollars are made through this fraudulent activity each year. A significant portion of this traffic is generated by bots installed in systems which have already been compromised, by either brute force attacks, capitalizing on their vulnerabilities, social engineering attacks, etc. It works as follows:


  • Firstly, cybercriminals use different methods, such as watering hole attacks, spear phishing, brute force attacks, etc. to compromise users’ devices.
  • Once they gain access to the devices, they establish a multitude of periodic connections with advertising services that provide pricing models such as "pay per click" (PPC), "pay per action" (PPA) and "pay per impression" (PPI).
  • All this generated traffic leads to numerous financial gains for various agents, such as companies that specialize in attracting traffic to different web sites, companies that have advertising on their web pages, etc.

The majority of botnets has these types of functionality, with some of the better known being: Zeus, ZeroAccess, Chameleon, etc.

At INCIBE, we take the battle against botnets and the problems they bring about very seriously, which is why we allocate a significant proportion of our resources to fighting them, mitigating their effects, etc. An example of this is our Anti-Botnet Service, which provides users with mechanisms for identifying whether a botnet-related security incident has been detected from their Internet connection, with information and links to tools which can help to disinfect devices.

In addition, we have a series of threat prevention and identification systems which enable us to detect multiple attacks with our sensors, meaning we are able to find scams related to, among other things, "click fraud".

We recently detected an attack of this kind, which affects six different providers, namely Amazon, Google, Microsoft, Softlayer, VolumeDrive and Pakistan Telecom Company Limited.



In this case, the target page is located in a server in the United States and it only has a banner in the centre. The attack consists of accessing computers with weak credentials by brute force and then using them as an intermediary to access the banner periodically. In doing this, some of the protective measures put in place to prevent these types of scams and report them later on can be avoided.

Over the course of the last month we have identified 352 attacks related to this practice from 209 different IP addresses belonging to the six aforementioned providers, who we have notified so they can take the steps they deem necessary.


Generally speaking, these bots are highly sophisticated and behave similarly to a human user. They are able to, among other things, resolve CAPTCHAs, create profiles and publish content on social networks, avoid security controls, etc. which makes it even more difficult to identify and block them.

Far from coming to a standstill, this practice is constantly evolving and has even reached mobile devices, in such a way that more and more malicious applications expressly designed with this objective in mind are appearing in app stores. An example of this is the following code, which is part of a piece of malware that BitDefender catalogues as Android.Trojan.Clicker.H:


One of the latest global estimate maps was created by Acquisio using data from 2013 and it shows the percentage of fraudulent traffic by country, with Spain on 4%.


Over the years the problem has become so severe that even Internet giants such as Google have had to take measures against it. For example, Google Analytics created filters to enable traffic generated by bots or spiders to be excluded from their statistics.

There is also a series of additional measures that can help confront "click fraud" attacks:

  • Limiting clicks by IP address by setting a maximum number of clicks over a given time period, setting a minimum visit length for the connection to be valid, etc.
  • Blocking traffic originating from countries that do not form part of the advertising campaign’s target market.
  • Using reputation lists that identify IP addresses involved in this type of malicious activity and then blocking them.
  • Monitoring the advertising campaign.
  • Creating alert mechanisms if a campaign surpasses a certain threshold, for instance the number of times the advert is clicked divided by the number of times it is shown (CTR).
  • Using specific tools for identifying these sorts of attack.