A sophisticated network of zombie computers has served to highlight the questionalble practices used by websites to inflate their traffic numbers and make advertisers pay over the top fees.

Chameleon Botnet
The Chameleon botnet, linked to a central command and control server, is serving up to 9 billion ad impressions per month. (Credit: Reuters)

The way in which ads are bought and sold on the web has come under scrutiny after it was releaved that a huge poportion of ad impressions across over 200 websites were generated by zombie PCs rather than humans.

The Chameleon botnet, which is comprised of 120,000 infected PCs, is the first to be uncovered which targets online display advertising on such a large scale. According to UK-based web security firm Spider IO which uncovered the botnet, it is costing advertisers $6.21 million (£4m) every month.

Among the companies affected were BMW, Bank of America, Crest and Virgin. Spider first noticed anomalous web traffic associated with Chameleon in December and has been tracking it ever since.

The botnet drives traffic to a specific cluster of 202 websites which attract 14 billion ad impressions every month - nine billion of which come from the botnets. On average advertisers are paying $0.69 CPM to serve display ad impressions to the botnet.

A botnet is a network of infected PC which is controlled remotely and has been traditionally used to send spam emails or send huge volumes of traffic to a specific website in what is known as a denial of service attack. The 120,000 infected PCs in the Chameleon botnet are all located in the US.

But who is making money from this?

According to PaidContent, many of the websites in the cluster targeted by Chameleon bots are owned by the AlphaBird ad network. In a piece on ghost sites and suspect publishers beginning to populate the web, AdWeek says just 13 writers are employed by AlphaBird to populate its 80 domains.

These domains cover such disparate topics as sports, fashion and celebrity gossip. These 13 writers manage to generate 8 billion ad impressions each month according to the company's COO Justin Manes.

However AlphaBird denies using the Chameleon botnet to artificially inflate its readership figures.

Manes spoke to The Verge after Spider IO's research was published, saying AlphaBird uses cheap text ads to drive traffic to its sites. Manes claimed that one of the companies it bought text ads from unwittingly employed a contractor that was using the botnet. Manes said AlphaBird has now ceased all text ad purchasing.

Display advertising on the web is becoming an increasingly murky world where ghost sites, ad exchanges and middle men make things highly complex. The system normally works like this.

Each time you visit a specific website - say a department store - it will place a file on your browser known as a cookie which will be used when you visit another unconnected site later on to show you an ad for the department store.

The store pays depending on how many people see the ad or how many click on them.

In the case of the Chameleon bots, they first direct the infected PC to the department store as normal, before going to one of the 202 websites on its network.

The bots click on the ads displayed on this site for the department store - at a rate similar to typical human behaviour. Advertisers like BMW, Bank of America and Virgin will pay the websites for these impressions despite never being seen by human eyes.

This problem is made possible as a result of how display ads like this are sold online.

Ad exchanges

Companies use automated platforms to buy and sell ads in real time through online exchanges where publishers (like AlphaBird) invite marketers (like BMW) to bid in order to put ads on their websites.

The publishers then get paid whenever the ad is seen or in some cases clicked on.

Spider IO says the Chameleon botnet is sophisticated, replicating normal user engagement in terms of the path users take to a website. However further analysis of the behaviour of this botnet shows the traffic generated is highly homogenous.

Each individual PC visits the exact same set of websites and when Spider IO mapped where the bots 'clicked' on each ad, the results show a "uniformly random" click pattern, which never happens with ads outside the botnets cluster of websites.

One advertising executive who spoke to the Guardian on condition of anonymity said:

"It's not just the 202 sites mentioned in Spider's research. Many other sites are being affected by other botnets. Some of these publishers may not be 100 percent at fault. It is possible that they may be unwitting pawns in someone else's fraud scheme. Regardless, they are huge beneficiaries of that behaviour, whether they are aware of it or not. And any publisher experiencing a huge growth in traffic should take responsibility for knowing where that traffic originates."