
Thursday, September 17, 2009

Beware the “Bahama” Botnet

By Steve O'Brien, Click Forensics

Just when you thought the fraudsters couldn’t get any more sophisticated … they surprise you.  Click Forensics researchers have recently discovered one of the most advanced sources of click fraud we’ve seen.  We’ve named it the “Bahama botnet” because when first discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas.  It has since been reprogrammed to redirect through other intermediate sites hosted in Amsterdam, the U.K., and even San Jose, CA, but the Bahama name stuck.

Interestingly, the Bahama botnet appears to be closely related to the recent spate of “scareware” attacks, such as the one perpetrated against The New York Times digital site just a few days ago, reported by ComputerWorld.  Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directed to an authentic-looking site where they could install a program called Personal Antivirus.  Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine.

We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street. More info about the “Ukrainian fan club” can be found in Dancho Danchev’s excellent security blog.  We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus “Windows protection” domain located on the same IP address.

These sources were originally identified by the Black Hat community, but we believe Click Forensics is the first to discover the breadth and depth of click fraud being perpetrated by the botnets it controls.  And the botnet is incredibly insidious.

The video below shows the botnet in action, caught on film and narrated by Click Forensics’ own Matt Graham.  The infected machine exhibits some really funky behavior.  Clicks on organic search results are redirected through a series of parked domains across a number of top-tier ad providers (search engines and ad networks), eventually arriving at an advertiser unrelated to the original query.  The user is momentarily confused, but likely just performs the search again, this time with easy success.

What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong.  Additionally, it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries.

[Image: Seemingly random clicks discovered through advanced pattern detection]

And because the queries come from many different machines (IPs) across a broad segment of the Internet population, it is very difficult to find and identify these clicks as fraudulent.  But these auto-generated clicks were not able to disguise themselves well enough to escape Click Forensics’ anomaly detection algorithms.  Additionally, large amounts of non-converting clicks were spotted in the data we receive from advertisers.  From there, our team was able to home in on the source of the Bahama botnet.
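As an added illustration (not Click Forensics’ own detection code, which the post does not disclose), here is a small Python heuristic run over constructed click records that combines the two signals the post names: a referring domain whose clicks almost never convert, yet arrive from a fresh IP address on nearly every click. The field names, thresholds and sample data are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample click log: (source_ip, referrer_domain, query, converted).
# One tuple per paid click as an advertiser would report it; the referrer is
# the site that sent the click (a search engine or an intermediate parked domain).
SAMPLE_CLICKS = [
    ("10.0.0.1", "search.example", "running shoes", True),
    ("10.0.0.2", "search.example", "running shoes", False),
    ("10.0.0.3", "search.example", "hotel deals", True),
    ("10.0.0.4", "search.example", "car insurance", False),
    ("10.0.0.5", "search.example", "car insurance", True),
    ("10.0.0.6", "search.example", "laptop review", True),
    # Clicks relayed through a parked domain: many distinct IPs, no conversions.
    ("192.0.2.10", "parked-a.example", "running shoes", False),
    ("192.0.2.11", "parked-a.example", "hotel deals", False),
    ("192.0.2.12", "parked-a.example", "car insurance", False),
    ("192.0.2.13", "parked-a.example", "laptop review", False),
    ("192.0.2.14", "parked-a.example", "running shoes", False),
    ("192.0.2.15", "parked-a.example", "hotel deals", False),
    # Low-volume referrer: too few clicks to judge, must not be flagged.
    ("198.51.100.7", "parked-b.example", "hotel deals", False),
]

def referrer_stats(clicks):
    """Aggregate click count, distinct source IPs and conversions per referrer."""
    stats = defaultdict(lambda: {"clicks": 0, "ips": set(), "conversions": 0})
    for ip, referrer, _query, converted in clicks:
        s = stats[referrer]
        s["clicks"] += 1
        s["ips"].add(ip)
        s["conversions"] += int(converted)
    return stats

def suspicious_referrers(clicks, min_clicks=5, max_conv_rate=0.1, min_ip_ratio=0.8):
    """Flag referrers with enough volume, a near-zero conversion rate and a
    distinct IP on almost every click (distributed, non-converting traffic)."""
    flagged = []
    for referrer, s in referrer_stats(clicks).items():
        if s["clicks"] < min_clicks:
            continue  # not enough evidence to judge this referrer yet
        conv_rate = s["conversions"] / s["clicks"]
        ip_ratio = len(s["ips"]) / s["clicks"]
        if conv_rate <= max_conv_rate and ip_ratio >= min_ip_ratio:
            flagged.append((referrer, conv_rate, ip_ratio))
    return flagged

if __name__ == "__main__":
    for ref, cr, ir in suspicious_referrers(SAMPLE_CLICKS):
        print(f"{ref}: conversion rate {cr:.2f}, distinct-IP ratio {ir:.2f}")
```

On the sample data only the parked domain with six non-converting clicks from six different addresses is flagged; the search-engine referrer converts normally and the single-click referrer is skipped for lack of volume.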

Wednesday, September 9, 2009

The Doctors Are ‘In’

In February of 2006, Click Forensics was just getting off the ground.  We recognized that click fraud was a big problem and that building a solution would be a tough technical challenge.

[Image: Dr. Tuzhilin with the Click Forensics founding team in 2006]

We decided to bring in an expert in the field of data mining and anomaly detection in click stream analysis.  That expert was Dr. Alex Tuzhilin.  Alex spent the day with us at our offices in San Antonio and provided us with a road map for the evolution of our approach to identifying invalid traffic.  His contribution to us at that point was essential and provided tremendous insight.  After reviewing our approach he commented,

"Click Forensics has good data and this is a source of their advantage over the search engines. My role is to work with them to refine the scoring methodology to improve accuracy. Their approach is to incorporate as much data as possible to improve accuracy. The search providers simply don't have enough data to have the most accurate approach."

Shortly after Alex’s visit to Texas, I received a call from the lead attorney representing Lane’s Gifts in their lawsuit against Google.  He said, “Tom, I just hired your Ph.D!”  He told me that the judge in that case had mandated that an outside consultant review Google’s click fraud detection methods and publish a paper on their efficacy.  Alex spent many weeks at Google and wrote an insightful paper detailing their approach, ultimately describing it as “reasonable”.  The Lane’s Gifts case was settled and Alex returned to his role as a professor at NYU.

Today we are thrilled to announce that Dr. Tuzhilin has joined the Click Forensics Advisory Board.  Few individuals have had more real-world and academic experience in the measurement of online traffic quality and its effect on advertisers.  His work has helped move the industry toward standards and cooperation.  After visiting us in Austin a few weeks ago and meeting with our technology team, Alex said,

“Having firsthand experience reviewing the state of the art in ad network traffic management, I was impressed with the level of technical sophistication the team exhibits and I was impressed with the directions they are going. Click Forensics has played a leadership role in helping the online advertising community to monitor quality of clicks on ads, including identification of invalid clicks. I look forward to continuing to work with the team.”

In addition to Dr. Tuzhilin, we have also added Dr. William Wright, the Chief Scientist at PayPal.  Dr. Wright, a Ph.D. in cognitive science, is an artificial intelligence expert who has built numerous analytical and predictive systems over the past twenty years, including the Falcon Credit Card Fraud Detection System at HNC, the Advanced Fraud Screen system at CyberSource, and numerous adversarial modeling systems for the U.S. military.  After spending time with our team, William concluded,

“Click Forensics has built a strong team of developers using very advanced machine learning and data mining techniques to detect fraud and measure traffic quality. They are pioneering a new area of fraud detection and I’m finding it satisfying to work closely with them on leveraging lessons from my past experience combating credit card and banking fraud.”

One out of every five employees at Click Forensics holds a Ph.D.  Adding the expertise of Alex and William dramatically enhances our ability to meet our goal of providing the state-of-the-art approach to traffic quality management.  I appreciate their contributions and look forward to benefiting from their knowledge in the future.

Tom Cuthbert