Posts Tagged ‘Bahama Botnet’

A Graduate Level Course In Click Fraud

On Tuesday Harvard Business School professor Ben Edelman blogged about a new form of click fraud that may be almost as insidious as the Bahama Botnet discovered by Click Forensics last year.  Andy Greenberg did a wonderful job summarizing and translating Professor Edelman’s findings into layman’s terms in his Forbes.com article Google Faces The Slickest Click Fraud Yet.

This new fraud scheme is really a compilation of “Fraudster Greatest Hits,” but with a new twist.  It consists of spyware being installed on unsuspecting users’ machines and clicking on paid links to generate fees for the spyware author and intermediary ad networks, some of whom are complicit and most of whom are not.  Nothing new there.  The spyware that Prof. Edelman tracked, though, was smart enough to click on paid links for sites that the user is already visiting.  What a perfect way to disguise fraud as legitimate traffic!  A visitor to Finishline.com doesn’t notice that a pop-up browser was redirected to Finishline.com, because that’s where he intended to go in the first place.  Visitors browse, shop, and maybe even buy something (convert) at a perfectly normal rate.  The traffic looks completely legitimate to Finishline.com, and to Google.

So, is this it?  The perfect click fraud scheme that successfully foils all attempts at discovery and generates untold riches for the perpetrators?  Well, not quite.  First off, it was discovered.  Prof. Edelman’s blog has been written about on Forbes.com and his discovery will certainly garner some attention in Mountain View.  That’s good, because the spyware perpetrator, TrafficSolar, should be prevented from continuing this fraud.

But it was probably a fairly low-volume scheme to begin with.  It’s limited to spyware-infected machines whose users also happen to visit select Google advertisers.  So some small percentage of the organic visitors to Finishline.com generated a click fee instead of visiting for free.  It’s a problem, but probably not a huge one.  What would make it more serious is if there were another version of the spyware that simply clicks on paid links in the background without the user’s knowledge (a la the Bahama Botnet).  By mixing the fraudulent clicks with the real end-user visitor behavior and conversions, a fraudster like TrafficSolar could give the impression of being 100% legitimate.

The concluding recommendation in Prof. Edelman’s report is for Google to fire InfoSpace, its ad syndication partner.  A better solution would be for Google and InfoSpace to deal only with reputable partners who provide verified, audited clicks to ensure advertisers get what they pay for.  Check our client list for some worthy candidates.

Posted by Steve OBrien on January 13th, 2010 9 Comments

Bahama Botnet Hurts Google, Too

While it’s easy to see how the recently discovered Bahama Botnet is cheating online advertisers out of free traffic and generating fraudulent fees for complicit parked domains and ad networks, it’s important to note that ad providers are being victimized as well.


We have conducted additional research into the behavior of the Bahama botnet and found that it acts as a sort of perverted “Robin Hood” among ad networks by robbing ad revenue from the top-tier players and delivering fraudulent traffic to second and third-tier ad networks and publishers.  Chief among the ad provider victims is the one with the biggest treasure to take: Google.


As we’ve seen in this video, when an infected user performs a search on Google.com, they get some peculiar results.  This is because, unbeknownst to the user, they’re not actually on Google.com.  The page looks like Google.com and even says Google.com in the browser’s address bar.  So how can it not be google.com?  The perpetrators behind the Bahama Botnet are able to steal traffic and revenue from Google using a trick called “DNS poisoning”.


All computers on the internet identify themselves with a set of numbers that we know as an IP address.  Computers can find one another using these numbers.  However, humans find words easier to remember than long sets of numbers, so the Domain Name System (DNS) was devised to map human-readable names to these numbers.  When “Google.com” is typed into a browser, the computer uses DNS to translate that domain name into a number.  In the case of Google.com, that number happens to be 74.125.155.99.  The DNS method for translating domain names into numbers is fundamental to making the internet work.


However, in the case of the Bahama Botnet, this DNS translation method gets corrupted.  The Bahama botnet malware causes the infected computer to mistranslate a domain name.  Instead of translating “Google.com” as 74.125.155.99, an infected computer will translate it as 64.86.17.56.  That number doesn’t represent any computer owned by Google.  Instead, it represents a computer located in Canada.  When a user with an infected machine performs a search on what they think is google.com, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher.  Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not.  A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains — some complicit, some not.  Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred.
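The mistranslation described above is something a defender can test for directly: resolve a handful of high-value names on a suspect machine and compare the answers with what a trusted resolver returns for the same names, and also check whether the machine’s hosts file pins any of those names to a fixed address (a hosts-file override is one common way to force a host to mistranslate a name; the post does not say how the Bahama Botnet achieves it, so treating it as a second check is an assumption here).  The following Python is an added example, not code from the post or from Click Forensics.  The two addresses come from the post; the second domain, the “trusted” answers and the hosts-file content are constructed for illustration, and in a real deployment the observed and trusted answers would come from actual DNS lookups.

```python
"""Flag DNS answers that disagree with a trusted resolver (added example).

OBSERVED stands in for what a suspect host's resolver returned; TRUSTED
stands in for what a known-good resolver returned for the same names.
Only 74.125.155.99 and 64.86.17.56 are taken from the post; every other
value below is constructed sample data.
"""
import ipaddress


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry in a hosts file."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower().rstrip(".")] = ip
    return mapping


def hosts_overrides(hosts_text, watched):
    """Names from `watched` that the hosts file pins to a fixed address.

    Legitimate hosts files rarely mention public web properties, so any
    entry for a watched name deserves a look.
    """
    return {n: ip for n, ip in parse_hosts(hosts_text).items() if n in watched}


def compare_answers(observed, trusted):
    """Return [(name, observed_ip, sorted_trusted_ips)] for every name whose
    observed answer is not among the trusted resolver's answers.

    A name the trusted resolver knows nothing about is reported too, since
    there is nothing to vouch for the observed answer.
    """
    findings = []
    for name, obs_ip in observed.items():
        good = {ipaddress.ip_address(g) for g in trusted.get(name, set())}
        if ipaddress.ip_address(obs_ip) not in good:
            findings.append((name, obs_ip, sorted(str(g) for g in good)))
    return findings


WATCHED = {"google.com", "www.google.com"}

# Constructed: answers seen on the suspect host vs. answers from a trusted resolver.
OBSERVED = {"google.com": "64.86.17.56", "example.org": "192.0.2.10"}
TRUSTED = {"google.com": {"74.125.155.99"}, "example.org": {"192.0.2.10"}}

# Constructed hosts file: a poisoned entry mixed in with normal content.
HOSTS_TEXT = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
64.86.17.56 google.com www.google.com   # constructed poisoned entry
"""


def run_checks():
    """Run both checks and return their findings keyed by check name."""
    return {
        "resolver": compare_answers(OBSERVED, TRUSTED),
        "hosts": hosts_overrides(HOSTS_TEXT, WATCHED),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits or 'no findings'}")
```

On the constructed data the resolver check reports google.com resolving to 64.86.17.56 instead of 74.125.155.99, and the hosts check reports both watched names pinned to that address; a clean machine produces no findings from either.  Because large sites legitimately answer with several addresses that change over time, the trusted side should be a set gathered from the trusted resolver at the time of the check, not a hard-coded list.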


An interesting side effect of this whole scheme is that while the perpetrators of the Bahama Botnet turn organic or natural search listings into paid links, they don’t seem to alter the final destination domains of the sponsored links that show up on a search results page.  When an infected user clicks on one of these sponsored links, they always seem to end up on the correct destination domain (so clicking a sponsored link for Dell.com, for example, will always take an infected user to dell.com).  However, due to the DNS poisoning, a click on a sponsored link will never go through Google’s own click-counting redirect.  Google never sees, and therefore never charges for, that click.  The advertiser gets a free click, instead of a paid one, and Google loses the revenue.  The Bahama Botnet strikes again.

Posted by Matt Graham on October 8th, 2009 1 Comment