Click fraud continues to run rampant across the Internet through hijacked machines predominantly on residential IP addresses. Spider.io CEO Douglas de Jager exposes the gritty details of malware-driven advertising fraud in an attempt to bring attention to what he calls systemic failures in display advertising.
De Jager explains how easily botnets like Zeus spread, and how advertisers continually waste money and put their brands in jeopardy.
Experts estimate that Zeus, arguably the most infamous rootkit malware and originally developed for banking fraud, has infected somewhere around 3.6 million PCs across the U.S. To help advertisers better understand the mechanics of malware-driven advertising fraud and to prove a point, de Jager said, Spider.io, an anti-malware company for online advertisers, wrote its own Zeus malware, which it calls GhostVisitor. It impersonates a real Web site visitor targeted by display ads.
GhostVisitor is a Windows executable file that opens an invisible Internet Explorer window, borrows the cookies of the PC owner, visits target URLs sent from the command-and-control server, and replays real mouse traces and real click events across the target Web pages. The process makes it easy to see how click fraud occurs in the hands of a botnet, wasting advertising dollars and precious time.
The disruptive and fraudulent program consists of fewer than 100 lines of common computer code and can be deployed with a couple of clicks to all machines connected to a command server. The simplicity of the exercise has already led to the commoditization of Zeus-powered traffic, complete with a black market for this type of traffic, according to de Jager.
He explains that when a target Web page has been opened, GhostVisitor replays previously recorded mouse traces and clicks, giving the appearance of a real Web site visitor engaging with ads, complete with a realistic click-through rate. The mouse traces and click events are sent to the browsers. The traffic comes from residential IP addresses with real user cookies and real mouse traces and click events.