How click fraud works
Hackers can carry out click fraud in two ways. The first is to set up a website that is never intended to be viewed by humans and populate it with "word salad," meaningless content made up of random words. These sites are filled with ads that are placed through automated ad exchanges, and the hackers then point their botnets at the site to generate clicks and "earn" advertising revenue.
The second way is simply to wait for a real site owner to contact them and pay them to send a certain amount of bot traffic to the owner's site. "A site owner may have sold a million hits to advertisers but only got a quarter of that. Do they give the money back? Never!" says Kaminsky. "They will call someone with a botnet and the site will get those extra three quarters of a million hits," he explains.
Click fraud fuels malvertising
To build botnets to carry out ad fraud, hackers need to compromise a steady stream of new machines to replace those that are no longer effective. To do this they are increasingly turning to malvertising: placing advertisements that contain malware and infect viewers on well-known, reputable web sites, according to Kelley Mak, an analyst at Forrester Research.
"Malvertising will either deliver ransomware or compromise the machine and recruit it to a botnet," Mak says. "Malvertising is fuelled by click fraud because a malicious ad can recruit the new bots hackers need, and malvertising is cheap if all you are trying to do is infect people, not actually sell them something."
Hackers are more likely to use malvertising to recruit bots for click fraud rather than to deposit ransomware on a machine, Mak believes. One reason is that it's easier to generate money from click fraud, but, more importantly, there's also much less risk involved for the hackers. "People hit by click fraud will probably not try and enlist the help of a government agency - they are more likely just to try and block bots, so the risk is substantially lower," he explains.
Threat to the Internet
There's little doubt that click fraud represents a major headache for CIOs and their security teams, but Kaminsky believes that this type of hacker activity harms businesses in a more fundamental way: it plunges the economics of the Internet as a business tool into doubt.
"The entire ecosystem is threatened by click fraud," he says. "Why? Because it costs money to build the web, and if money is being siphoned off by people who aren't building it, then legitimate businesses have to work harder and harder for less and less."