
Botnet Costing Display Advertisers over Six Million Dollars per Month


posted on Mar, 20 2013 @ 09:16 AM
(mods, I put this here for lack of definite placement - please move if applicable, thanks)




The Botnet known as Chameleon is fleecing big $$$ through exploits via Microsoft’s Internet Explorer.
Spider.io has written very detailed information regarding these vulnerabilities.


On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimized. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.



Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.
The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.


That’s right, even when your IE browser window is minimized, the exploit allows tracking of your mouse cursor. Isn’t that neat? The can of worms this could imply is astounding – maybe they will have you clicking on illegal porn and other nefarious sites and then that could literally be used as evidence against a person. All because some people just aren’t satisfied with the results of their advertising campaigns so they force additional clicks – click jacking.

spider.io has observed the Chameleon botnet targeting a cluster of at least 202 websites. 14 billion ad impressions are served across these 202 websites per month. The botnet accounts for at least 9 billion of these ad impressions. At least 7 million distinct ad-exchange cookies are associated with the botnet per month. Advertisers are currently paying $0.69 CPM on average to serve display ad impressions to the botnet.


14 billion ad impressions? In the famous words of Keanu Reeves ‘whoa’!
Clickity click (expletives here)
The list of blacklisted IP addresses is here: LINK

There are two other points in Microsoft’s post which we believe are important to clarify.
Firstly, the post includes an ambiguous sentence: “There are similar capabilities available in other browsers.” It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does.

In the grand scheme of things, $6 million is probably only a drop in the financial bucket, but I find it disturbing because most likely a vast majority of people use these vulnerable products and are not aware of the potential consequences.
Source: Spider.io
edit on 20-3-2013 by explorer14 because: add source
edit on 20-3-2013 by explorer14 because: (no reason given)




posted on Mar, 20 2013 @ 09:30 AM
To note, even the current version of IE 10 falls into the vulnerable status according to Spider.io.

On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10

I'm glad I gave up on IE long ago and haven't looked back - much.



posted on Mar, 20 2013 @ 09:55 AM
After a bit of reading, if I understand this right, we're talking about two separate issues...

1. That a hacker may gain access to the state of your mouse, if you're using Internet Explorer.
eg, X and Y position, whether the left button is pressed at that moment, etc...
(This hypothetical hacker would NOT be able to take over your mouse and click where they want to.)
It has been suggested that this is a security flaw, because one might possibly then gain access to the position of the mouse while you log onto a "virtual" keyboard on the screen, as many banks do.
Security experts discount this threat as so unlikely as to have probably never happened, and probably never will.


2. Bots, such as Chameleon, are clicking on ads.
Advertisers can see that "something is up" with these bogus clicks because they don't behave in the same way that people click on them. They get blacklisted.


Can't see how the two issues are linked.
I don't think they are.



posted on Mar, 20 2013 @ 09:58 AM

Originally posted by explorer14

Spider.io has written very detailed information regarding these vulnerabilities.


But you failed to link to.

www.spider.io...

but...


That’s right, even when your IE browser window is minimized, the exploit allows tracking of your mouse cursor. Isn’t that neat? The can of worms this could imply is astounding – maybe they will have you clicking on child porn and other nefarious sites and then that could literally be used as evidence against a person. All because some people just aren’t satisfied with the results of their advertising campaigns so they force additional clicks – click jacking.


I think you're confusing two things.

The botnet, and the M$ exploit.

Neither are related in this case.

The botnet is just a smart method used to target adverts with a more human interaction style. It appears to be a very effective one that was able to avoid detection by automatic clickers.

The IE exploit is hilarious.



I am glad to say I don't use IE. Here is more info on it
iedataleak.spider.io...

Has a demo. If you're vulnerable, it will show you.

--


Individual bots within the Chameleon botnet run on host machines with Microsoft Windows as the operating system. Bots access the Web through a Flash-enabled Trident-based browser that executes JavaScript.



But anyway, neither of these two things together, or apart, are going to have anyone busted for clicking on child porn... what sort of scare mongering is that?

And it's not the advertisers who want more clicks. It's the opposite, they're losing money because someone who is getting paid for clicks, is behind the botnet, milking millions.

So.. not sure.

the IE thing is hilarious tho, in 2013 M$ have such a flaw and basically go "Meh.."
edit on 20-3-2013 by winofiend because: (no reason given)



posted on Mar, 20 2013 @ 10:30 AM
reply to post by explorer14
 



through exploits via Microsoft’s Internet Explorer.

And IE does it again.


Really would you expect anything less from IE... it's the most annoying piece of crap ever made. HTML and JavaScript have been held back because of it and cross-browser compatibility is way harder than it needs to be. They need to completely scrap it and use Chrome as the default browser or something imo... I would prefer Firefox to be honest but we all know there's a much larger chance Microsoft could make a deal with Google.



posted on Mar, 20 2013 @ 11:06 AM

Originally posted by winofiend

I think you're confusing two things.

The botnet, and the M$ exploit.

Neither are related in this case.

But anyway, neither of these two things together, or apart, are going to have anyone busted for clicking on illegal porn... what sort of scare mongering is that?
And it's not the advertisers who want more clicks. It's the opposite, they're losing money because someone who is getting paid for clicks, is behind the botnet, milking millions.
So.. not sure. (I agree)
the IE thing is hilarious tho, in 2013 M$ have such a flaw and basically go "Meh.."


Well, the botnet is taking advantage of the M$ exploit, so I'm not sure why they aren't related...

Bots generate click traces indicative of normal users. Bots also generate client-side events indicative of normal user engagement. They click on ad impressions...


Ads linked to viruses and malware/adware/spyware/ransomware are nothing new...

Yes, hilarity regarding IE for sure.



posted on Mar, 20 2013 @ 11:46 AM
reply to post by explorer14
 


They're not related at all however.

You've quoted the part that explains the function of the bots. They emulate a user's input on a web page, to fool any algorithm that may be put in place to detect automated clicking. It evades that.

The exploit simply allows a webpage to track a user's mouse movements, and the state of certain keys on the keyboard. This does not equate to them moving your mouse and clicking the buttons.

It just means that, for example, if you had an on screen keyboard on your monitor and used your mouse to enter your password, they could, possibly, know what keys you pressed by overlaying an on screen keyboard and seeing where the click events occur.

Or if there was any webpage that put up a login portal that only accepted mouse clicks. This exploit could allow someone to capture your personal mouse movements for that page.

That's all.

The botnet is an entirely different thing that does not care about what your mouse is doing.

It's clever in that it has evaded any algorithms created to detect automated revenue clicking. So you don't write a script that sits on your webpage clicking on adverts 24/7 and creating false income. The botnet did this, but from compromised computers anywhere in the world and using a trick that prevented its detection.

It did not record your mouse movements, and then click on anything.

I don't know where you get that they are related.



posted on Mar, 20 2013 @ 12:01 PM
reply to post by winofiend
 


Thank you for the explanation - yes I get they are not 'related', I was more along the lines of they are functioning together 'related'... Holding hands does not = related!



posted on Mar, 20 2013 @ 01:05 PM
I have messed with firewalls and found that
they are made to let a HOOK link be made to everything you install.

It was Comodo firewall. You can not do it now.
so They ALL work at this together.



posted on Mar, 21 2013 @ 11:37 AM

Originally posted by buddha
so They ALL work at this together.


I tend to agree there may be some collusion(s) along the path.
Here is an interesting article discussing some of the tactics:

What are these ghost publishers up to exactly? Experts say their tactics are numerous. They can use bots to simply generate lots of impressions, which can then be sold to advertisers. They can have bots visit a particular brand’s website, then immediately visit their own properties

Most Suspect Web Publishers




