In the world of cybercrime, botnets can be very damaging to your ad campaigns. They can waste your ad budget, skew your marketing metrics, and frustrate your staff.
They’re also responsible for highly damaging DDoS (Distributed Denial-of-Service) attacks, which can severely disrupt the flow of traffic to a server, service, or network.
And the bad news is the growth of botnets continues at a rapid pace. The very first botnet, MaxiTE, was investigated in 2003, and since then, they’ve grown in both size and scope.
It’s a risky business for ad fraud rings, as botnets can be expensive to run. However, for the owners, it can result in massive earnings.
But it’s crucial advertisers understand how they operate, so they can protect their campaigns and fight back.
So, let’s take a tour through the history of these often malicious bots and how they may evolve in the future.
What is a botnet?
A botnet is a series of infected internet-connected devices that are controlled by a cybercriminal. Cybercriminals use them to start botnet attacks, which can lead to:
- Unauthorized access to devices
- Private information leaks
- Data theft
- DDoS attacks
A bot herder (the hacker controlling the bots) can manage all the attacks remotely with a touch of a button.
Devices become infected through malware and viruses, which come through emails and other programs. For example, they may hide the malware within legitimate software.
Once infected, a device essentially becomes a zombie computer. Botnets will amass a huge amount of these zombie computers, often in the tens of thousands.
And the operators in control of the botnets (the botmasters) can send commands to devices, ordering them what to do.
Commands can include visiting a website or infecting computers on a network.
These can be damaging activities, which is why it’s so essential for modern advertisers to understand the range of threats they present.
What are botnets used for?
There is a wide range of malicious activities botnets can get up to. Some of the most common and disruptive are listed below.
DDoS attacks
Distributed denial-of-service attacks can affect any business. It works by flooding a web server with an influx of traffic, all of which comes from multiple sources.
The idea is to overwhelm the system or server and prevent real users from accessing it.
DDoS attacks can take down entire servers and websites, resulting in significant financial losses. Cybercriminals can then make money by blackmailing businesses into paying them to stop the attack.
A common analogy for a DDoS attack is a crowd of people in front of a shop entrance, like during a Black Friday shopping spree, effectively blocking many other customers.
Bitcoin mining
Cryptocurrency mining botnets can also make many millions by doing their mining on infected devices. The process requires an extensive network of computers, which is why botnets are so efficient at it.
With malware, botmasters can use other computers to mine Bitcoins faster than just using one.
A botnet will use a device’s processing power, electricity, and internet bandwidth to mine for cryptocurrency. When completed on a massive scale, it can prove very lucrative and cost-effective for criminals.
An example is the Smominru miner botnet from May 2017. It mined 9,000 Monero tokens worth $2.6 million and did it in the space of just nine months. In the process, it infected 526,000 Windows hosts using a hidden vulnerability.
Viewbotting
Viewbots affect streaming services such as Twitch and YouTube. Some streamers want to use the platform to become rich and famous but often lack viewers. By using bots, they can manage this pretty quickly.
The practice involves inflating a live stream view count using non-human bots. This way, the stream can appear to have more people in it than it does.
It can be an attractive prospect for new streamers trying to make a start on Twitch. The bots will join a stream and send fake messages into chat.
But it costs advertisers money as they lose their ad budget to robots rather than human eyes.
Ad fraud
Botnets are very effective at clicking on paid ads, so they’re a particular menace in the world of click fraud.
Botmasters can use them to click on paid ads, which costs advertisers lots of money and makes it hard for Google to detect.
Some botnets will even indiscriminately click ads on their own websites, which are part of Google AdSense.
By doing this, the fraudsters receive a slice of the revenue from advertisers spending money on Google display ads.
How botnets make money with click fraud
Making money from botnets is actually quite simple.
And fraudulently clicking ads is one of the most lucrative and extensive sources of income for botnet owners. It can create as much as $20 million in profit each month.
In comparison, a DDoS attack using a network of 30,000 bots can generate around $26,000 a month.
This is why ad fraud is the main target for botmasters, as the annual income from illegitimate clicks is significantly higher.
Ad fraud rings can easily exploit the system ad networks use to make money off advertisers, such as Google Ads.
To cheat the system, botmasters use two main monetization tactics to earn money.
Device-driven fraud
This involves the use of devices such as PCs, phones, and other internet connected devices. Fraudsters will fake real ad impressions using these devices.
To do this, they can command their bots to impersonate humans. For example, they’ll show real interest in ad campaigns on real websites on a device that’s apparently human owned.
By imitating human behavior, they can escape detection from advertisers and ad networks. So, it’s very difficult to often realize traffic may be fake. As it may appear to be from legitimate traffic sources.
And botmasters can manage content-driven fraud from tens of thousands of devices, sending traffic to publisher websites.
This means many real acquisition companies end up mixing fraud bots in their traffic with real humans, as they’re paying to drive more traffic to a publisher’s site.
Content-driven fraud
Content-driven fraud is a complex process, but one that can result in a lot of money for fraudsters.
It actively involves a lot of time and creativity from botmasters. They create fake websites (“ghost sites”) and apps to sell them to advertisers, who think their ads are displaying on high-quality websites.
It’s time-consuming but relatively straightforward for botmasters. All they need to do is:
- Make a new website
- Sign-up to Google AdSense (Display Ads)
- Send fake bot traffic to the ads from their network of devices
- Generate fake clicks
In return, fraudsters can expect 66% of ad revenue from Google. If they repeat this process across hundreds of websites, they can make a significant amount of money.
Some fraudsters, to get a higher CPC, will even spoof reputable websites. We saw this with the 3ve botnet, which forwarded prestigious domain traffic to unsuspecting sources.
And, unfortunately, the more money advertisers have to reach a wider audience, the more chance there is of becoming a victim to botnets.
It not only costs publishers money, but it affects their reputation with advertisers.
How botnets make money with YouTube fraud
Botmasters can also target YouTube as another way to make money. The process is similar to click fraud and requires some work from the fraudster’s side.
They follow these steps:
- Making a YouTube channel in a high-paying niche
- Getting accepted as a YouTube partner
- Using botnets to send fake traffic to videos
- Receiving pay for the ad revenue
Again, it allows fraudsters to create many fake accounts and direct fake traffic to their videos to create income.
As advertisers generally pay more money for video ads, this scheme can rake in plenty of money with usually little effort.
Past ad fraud rings
Over the years, there has been plenty of ad fraud rings with a massive network of bots to support their money-making goals. Here are some of the most notable ad fraud rings discovered so far.
Methbot
Internet security experts HUMAN (formerly WhiteOps) investigated the Methbot operation in 2016.
It’s the biggest ad fraud network ever discovered, an operation running in Russia. At its peak, the network was making some $3-5 million a day.
Methbot had created 200-400 million fraudulent views with over 500,000+ fake IPs.
The discovery helped fraud fighters to understand the construction of fraud rings, which helps in the long-term battle against botnets.
DrainerBot
Discovered in early 2019, DrainerBot is a particularly sneaky example of how botnets operate.
It was earning over $40,000 a day and had infected over one million Android phones. The devices were compromised after users downloaded certain apps, which then infected their Android.
The user wouldn’t know about it, but the bot continuously runs video ads hidden in the background of the device. This would drain the batteries of the phone incredibly quickly, hence the name DrainerBot.
It’s still unclear who’s responsible for this botnet, but since its discovery, infections have been going down.
HyphBot
Hyphbot was a sophisticated fraud ring that was making fraudsters over $200,000 every day.
The fraud ring was discovered when Adform noticed irregularities with its traffic. They then went on to find supposedly high-quality traffic was from fake sources and the URLs led to dead 404 pages.
And so, of course, it turned out a vast bot network was behind the issue. It had over 500,000 IP addresses in the US alone, making money by selling fake traffic to advertisers.
Many advertisers were paying up to $14 per 1,000 impressions for fake traffic, which generated the fraudsters plenty of cash.
3ve
HUMAN labeled 3ve (pronounced as “Eve”) as the “mother of all botnets.”
It was a vast and sophisticated botnet ring, which was eventually stopped after months of detective work and arrests.
The botnet itself involved some 1.7 million IP addresses and compromised over 700,000 active computers. Users were unaware their machines had the botnet infection as it operated silently in the background.
The botnet operated between 2013 and 2018 and used the malware packages Boaxxe and Kovter to infect PCs.
The network of bots would then generate fake clicks on online ads, costing advertisers over $30 million.
The fraudsters were taking in revenue from over 60,000 fake advertising accounts, with over three billion fake ads launching daily.
Eventually, HUMAN, Google, the Department of Homeland Security, and the FBI collaborated to shut the fraud ring down.
This was also with help from organizations such as Adobe, Trade Desk, Amazon Advertising, and McAfee.
The scale of the effort to end the 3ve operation clearly indicates just how much of a crisis botnets can become.
The lowdown on Botnets
Botnets are big business for online fraudsters, so it’s unlikely they will be going away any time soon. They’ll continue to grow in sophistication and infect many more devices in the years ahead.
They can earn fraud rings millions of dollars and can run undetected for many years. They’re difficult to detect even for cybersecurity experts such as HUMAN.
And they can take the combined efforts of major organizations and security services to bring them to an end.
Unfortunately, every advertiser is at risk of ad fraud from botnets.
If you’re running ads on Google’s display network, then it’s inevitable. But with careful planning, you can avoid most of the issues they present. Being proactive is the first step.
It’s the best approach advertisers can take to protect their campaigns.
And you can get a head start with our 60,000+ strong exclusion list for fraudster apps, channels, and websites.
Adding these to your Google Ads account will protect your brand, help you avoid irrelevant websites, improve ROI, and prevent illegitimate clicks.
Take the first step today to protect your ad campaigns from malicious botnets and download our free exclusion list below.
Say goodbye to wasted ad spend
Discover how Lunio can help you eliminate invalid ad clicks and maximize paid media performance