Report: Marketing Cybercrime to Infect America

In January 2013, IPCopper researchers took an in-depth look into the behavior and vulnerabilities of computers infected by trojans and malware (collectively botnets). The researchers identified that many botnet masters use their stables of enslaved computers for the simple purpose of generating fraudulent “clicks” on online advertisements. The crux of the research was to find out whether by running an online ad campaign one could easily target and access these infected and compromised computers and the extent to which these computers were vulnerable to takeover by a new targeted infection(s), for example, to change their behavior from “clicking” on online ads to something more sinister, such as theft of documents, access to bank accounts and various forms of identity theft and espionage.

Online banking is of particular concern, since many banks rely on systems that prompt the user for additional security information when using a new computer. Once a computer is “authorized,” however, only the user’s login name and password are required to login. Since malware operates from the bank account owner’s very own preauthorized computer, a hacker would be able to spy out the login name and password and conduct transactions through the victim’s very own computer – with all the appropriate credentials.


In the course of their research, the researchers identified three distinct types of click botnets. All three types, however, had one commonality: when in operation, they lowered the victim computer’s defenses and allowed practically unlimited access during the delivery of clicks.

The main difference between the three types was the level of sophistication. The most sophisticated had the ability to use the victim’s machine as a gateway, i.e. the botnet master could be somewhere in Asia, but hide his or her location by funneling traffic through a machine located in the United States. In addition, 50% of the botnet-infected machines in this third group also had their web cams enabled (but not their microphones), giving the botnet master a way to conduct video surveillance of the computer users.

The researchers were able to identify the owner’s of about 10% of the botnet-infected machines in this study. They included government organizations at city, county and state levels; small, medium and large businesses in all industries; medical facilities and dental offices; utilities; schools, community colleges and universities; telecom companies; software / IT firms — even one of the largest US telecoms offering managed firewall services.

Had the IPCopper researchers had malicious intentions, they could have taken over compromised computers at a rate of 1,200-1,800 per hour (equivalent to over 0.5 million per month) through the vehicle of an online ad. As described in the report, the researchers estimate that botnet infections affect upwards of 15% of the computers connected to the internet in the US.

Realistically, until the botnet market conditions change, the problem is only going to get worse. With the current economic incentives coupled with no risk, botnet masters will continue to add to their botnet stables, computer by computer. The victims will continue to bear the brunt of dealing with botnet infections, fixing their computers and facing the possibilities of both data and monetary loss.

US consumers and businesses combined spent roughly $17.7 billion on cybersecurity software in 2011, $7.4 billion of which was for antivirus programs. As our research has shown, these billions of dollars have not prevented the proliferation of botnet-infected machines; rather, it lulls consumers and businesses into a false sense of security, with disastrous consequences (consider the recent revelations that The New York Times was spied on for years by Chinese nationals).

The only way to deal with the problem of click botnet infections is by having evidence of the problem. Hackers are increasingly interested in hiding their malware from computer users, in order to prolong its operation as long as possible. Oftentimes the only way to clue in on such an infection is with an external device capable of capturing the botnet transmissions continuously over a period of at least six months or a year, such as a standalone packet capture appliance, since it is folly to assume that there is an automated system that can easily and reliably detect the presence of this kind of malware.

How IPCopper conducted this research

For simplicity, IPCopper researchers created a simple online ad with very narrow, specific text precisely identifying what would display when clicking on the ad. Specifically, the ad invited people to watch a video on cybercrime. Clicking on the text ad led to a simple webpage with an image inviting the viewer to play the advertised video on cybercrime, entitled “$37 Billion Stolen.” The landing page displayed only one prominent element, which was the video without any explanatory text or other information to distract from the stated purpose of the ad: to view a video on cybercrime.

IPCopper selected an online ad company to run the ad campaign by visiting a number of major US news websites, and choosing one of the online ad companies found publishing “sponsored listings” on these news sites.

IPCopper gathered data using a purpose-built system for this research including an IPCopper USC4060 packet capture appliance connected to a cluster of DACSL-based servers and a Windows 7 PC (default settings) connected to the internet through an IPCopper USC1030 packet capture appliance.

Get the Full Report

Report: Marketing Cybercrime to Infect America