

Friday, September 25, 2009

Beware the “Bahama” Botnet

Just when you thought the fraudsters couldn’t get any more sophisticated … they surprise you. Click Forensics researchers have recently discovered one of the most advanced sources of click fraud we’ve seen. We’ve named it the "Bahama Botnet" because when first discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas. It has since been reprogrammed to redirect through other intermediate sites hosted in Amsterdam, the U.K., and even San Jose, CA, but the Bahama name stuck.

Interestingly, the Bahama botnet appears to be closely related to the recent spate of "scareware" attacks, such as the one perpetrated against The New York Times digital site just a few days ago, reported by Computerworld. Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directing them to an authentic-looking site where they could install a program called Personal Antivirus. Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine.

We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street. We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus "Windows protection" domain located on the same IP address.

These sources were originally identified by the Black Hat community, but we believe Click Forensics is the first to discover the breadth and depth of click fraud being perpetrated by the botnets it controls. And the botnet is incredibly insidious.

As seen in this video of the botnet in action, caught on film and narrated by Click Forensics’ own Matt Graham, the infected machine exhibits some really funky behavior. Clicks on organic search results are redirected through a series of parked domains across a number of top-tier ad providers (search engines and ad networks), eventually arriving at an advertiser unrelated to the original query. The user is momentarily confused, but likely just performs the search again, this time with easy success.

What makes the botnet so insidious is that it operates intermittently, so the user doesn’t really know that anything is wrong. Additionally, it can operate independently of the user, because the authors appear to be building a large database of authentically user-generated search queries. And because the queries come from many different machines (IPs) across a broad segment of the Internet population, it is very difficult to find and identify these clicks as fraudulent. But these auto-generated clicks were not able to disguise themselves well enough to escape Click Forensics’ anomaly detection algorithms. Additionally, large amounts of non-converting clicks were spotted in the data we receive from advertisers. From there, our team was able to home in on the source of the Bahama botnet.
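To make the detection signals above concrete, here is an added example (not Click Forensics’ own algorithm, and not code from the original post) that groups a constructed click log by query string and flags queries that are replayed from many distinct IPs, arrive through intermediate redirect hops rather than straight from the search result, and essentially never convert. The record fields (`query`, `ip`, `hops`, `advertiser`, `converted`) and the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict


def constructed_clicks():
    """Build a small, constructed click log (not real data) with two queries:
    one legitimate, one replayed by many bots through redirect hops."""
    clicks = []
    # Legitimate traffic: a few IPs, direct landing (0 hops), some conversions.
    for i, converted in enumerate([True, False, False, True, False]):
        clicks.append({"query": "running shoes", "ip": f"192.0.2.{i}", "hops": 0,
                       "advertiser": "shoes.example", "converted": converted})
    # Replayed traffic: one harvested search string fired from 12 different IPs,
    # bounced through three intermediate domains, landing on an advertiser
    # unrelated to the query, and never converting.
    for i in range(12):
        clicks.append({"query": "laptop deals", "ip": f"198.51.100.{i}", "hops": 3,
                       "advertiser": "shoes.example", "converted": False})
    return clicks


def flag_suspicious_queries(clicks, min_ips=8, max_conv_rate=0.05,
                            min_redirect_share=0.5):
    """Return {query: stats} for queries whose clicks look auto-generated:
    many distinct source IPs, (almost) no conversions, and most clicks
    arriving via intermediate redirect hops. Thresholds are assumed values."""
    by_query = defaultdict(list)
    for click in clicks:
        by_query[click["query"]].append(click)

    flagged = {}
    for query, records in by_query.items():
        distinct_ips = {r["ip"] for r in records}
        conv_rate = sum(r["converted"] for r in records) / len(records)
        redirect_share = sum(r["hops"] > 0 for r in records) / len(records)
        if (len(distinct_ips) >= min_ips
                and conv_rate <= max_conv_rate
                and redirect_share >= min_redirect_share):
            flagged[query] = {"clicks": len(records),
                              "distinct_ips": len(distinct_ips),
                              "conversion_rate": conv_rate,
                              "redirect_share": redirect_share}
    return flagged


if __name__ == "__main__":
    for query, stats in flag_suspicious_queries(constructed_clicks()).items():
        print(query, stats)
```

On the constructed log only "laptop deals" is flagged; the legitimate "running shoes" traffic comes from few IPs, lands directly, and converts. In practice the thresholds would be tuned per advertiser against a baseline of normal conversion rates and IP diversity.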
