Chameleons, botnets and click fraud

A number of news reports have picked up on a blog post by Spider.io, where the web analytics firm discusses a botnet that can allegedly generate more than $6 million a month through bogus clicks on online adverts.

The botnet, which Spider.io has dubbed “Chameleon”, is said to have infected some 120,000 computers in the United States.

When I read stories like this, the first thing I want to check is – “Do Sophos products detect this? Are we protecting our customers?”

In this particular case, that’s hard to definitively answer – because Spider.io hasn’t shared much in the way of information. The name isn’t used by other anti-virus products, and no checksums or VirusTotal links are offered in the blog post.


Last year, SophosLabs researchers published a technical paper about ZeroAccess – a botnet which had managed to infect nine million PCs around the world over its lifespan, but was now one million computers strong and mostly based in the United States.

ZeroAccess-infected computers plotted on a world map

Like “Chameleon”, ZeroAccess earns money through click fraud (and it also has a sideline in Bitcoin mining) – we estimated at the time it was making almost $3 million per month.

Could Chameleon and ZeroAccess be related? We’d need more information from Spider.io to be definite about that, but there certainly seem to be similarities.

The good news is that Chameleon is said to be quite unstable, and causes regular crashes and computer slowdown – something which might alert users to there being a problem with their PC.

What is click fraud?

Click fraud is a type of crime that abuses pay-per-click (PPC) advertising to make money through fake or fraudulent clicks on ads.

PPC advertising is a very big industry on the internet. It is operated by large networks such as Google AdWords, Yahoo! Search Marketing and Microsoft adCenter, and generates billions of dollars a year.

In PPC, a fee is paid each time a link or ad is clicked. Typically, advertisers (who have something they want to sell) place ads on website operators’ websites and pay the website owner (the publisher) a fixed amount each time the ad is clicked.

The advertising networks act as middlemen – the advertiser registers with the advertising network, the network places the ad on the publisher’s website and when a click happens the advertiser pays the network and the publisher.

Click fraud is the process of clicking an ad for the purpose of generating a charge without having any interest in the subject of the ad.

Money can be made by becoming an affiliate for the advertising networks and by pretending to be a publisher that is placing the ad on their website.

If a malicious actor can generate clicks on ads and get paid each time a click takes place, then they can make money. If they can generate a large number of clicks without the advertising network realizing the clicks are fraudulent, then there is potential to make a large amount of money. In many ways, a botnet is ideal for generating a large number of clicks.

Further reading: The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain

In all probability, Sophos products do already detect the “Chameleon” threat.

As ever, our advice is to keep your wits about you and your systems secure and updated.

That doesn’t just mean running an up-to-date anti-virus program – you should also ensure that you are installing the latest operating system patches, and security updates for other frequently exploited programs such as Java, Adobe Flash and Adobe Reader.

Thanks to James Wyke and Fraser Howard of SophosLabs for their assistance.

Chameleon image from Shutterstock.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
