DOI: 10.1145/2660267.2660369

Characterizing Large-Scale Click Fraud in ZeroAccess

Published: 03 November 2014

Abstract

Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. In this work, we illuminate the intricate nature of this activity through the lens of ZeroAccess, one of the largest click fraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modern click fraud operations. By leveraging the dynamics associated with Microsoft's attempted takedown of ZeroAccess in December 2013, we employ this coordinated view to identify "ad units" whose traffic (and hence revenue) primarily derived from ZeroAccess. While it proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the data for these ad units we estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day.

Published In

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. click fraud
  2. cybercrime
  3. malware
  4. measurement
  5. zeroaccess

Qualifiers

  • Research-article

Conference

CCS'14

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
