Blog

A History of Click Fraud: How Bots Have Plagued PPC Marketing

June 10, 2024
5 min read

Click bots have plagued PPC marketers from the beginning, draining budgets and evolving in sophistication over time. These automated nuisances have caused significant financial losses for advertisers, with global click fraud losses projected to reach $100 billion by 2023, up from $35 billion in 2018.

In this post, we'll highlight some of the most notorious click bots, their impact on today's ad campaigns, and strategies to avoid them.

What is a Click Bot?

A click bot is a software program designed to simulate user clicks on ads or web content. While some click bots serve useful purposes, like scanning websites for errors or detecting spam, most are used for fraudulent activities, causing significant harm to the online ecosystem.

These malicious bots can generate fake traffic and manipulate ad campaigns. They can perform simple tasks such as clicking buttons, posting spam comments, or visiting websites. However, more sophisticated bots can mimic real user behavior by browsing websites, adding items to shopping carts, or completing forms and downloads.

Additionally, botnets—networks of interconnected bot programs—can operate individually or as a coordinated unit, often controlled from a central command center. These botnets can be hosted on servers in data centers or on infected user devices like laptops and smartphones.

What Do Click Bots Do?

Click bots aim to deceive ad campaigns by generating fake clicks, making it appear as though real users are engaging with the ads. In PPC fraud, these bots focus on clicking ads (display, video, or text/search results) embedded on a fraudster's website. The fraudster then collects the payouts for these fake clicks or video impressions.

Click bots also generate fake traffic for social media, engage with websites, and post spam comments. More maliciously, they can spread viruses, conduct cybercrime activities, and perform denial of service (DDoS) attacks.

How Do Click Bots Work?

Click bots are a type of virus or Trojan embedded on internet-connected devices like computers, tablets, servers, or smartphones. These bots can be part of a network that clicks on ads en masse or perform localized click fraud within an app (click injection or click spamming).

Regardless of the method, every fake ad click incurs a cost for advertisers globally.

Click Fraud Pre-2006

Before 2006, click fraud typically involved low-quality websites hosting ads and generating fake clicks to collect payouts. Fraudulent publishers would sign up for Google AdSense and either click the ads themselves or hire someone to do it.

Even as early as 2003, there were mentions of bots being used for this purpose, but most information from that time is based on assumptions and partial research. Recognizing the growing issue, Google created a dedicated team to combat click fraud and ad fraud.

Competitor click fraud, where rivals click on ads to drain their competitors' budgets, has been an issue since the inception of pay-per-click (PPC) advertising.

Inevitably, click bots evolved, making the problem more complex and widespread.

Click Fraud Post-2006

Clickbot A

Years active: 2006
Estimated cost: $50,000
Estimated infections: 100,000 computers

In 2006, Google discovered Clickbot A, a botnet conducting low-profile click fraud on syndicated search networks. This botnet targeted Google's sponsored search results and was powered by around 100,000 machines, causing an estimated $50,000 in fraud. Clickbot A was the first significant evidence of click fraud botnets, though it was small compared to later botnets.

DNS Changer

Years active: 2007-2011
Estimated cost: $14 million
Estimated infections: 4 million computers

The DNS Changer scam, orchestrated by Rove Digital, involved ad fraud bots that altered infected devices' web addresses to domains controlled by the gang, displaying ads to earn commissions. It operated for four years, preventing antivirus updates. Vladimir Tsastin, a key member, was convicted of wire fraud and money laundering, marking one of the first court cases against an ad fraud bot network.

Miuref

Years active: 2013 – Present
Estimated cost: Unknown
Estimated infections: Unknown

Also known as Boaxxe, Miuref is a Trojan delivered through fake documents, used in botnet campaigns like 3ve, Bitcoin mining, data theft, and exploiting security vulnerabilities. Despite being detectable and removable, Miuref remains a persistent threat, contributing to multiple billions in financial damage.

Stantinko

Years active: 2012 – Present
Estimated cost: Not known
Estimated infections: 500,000+ machines

Stantinko, a multi-use botnet, initially involved in ad fraud campaigns, has shifted to crypto mining. It was first detected in Chrome extensions, enabling ad injection, installing adware, and accessing WordPress and Joomla sites. Its code is hidden within legitimate code, affecting mainly Russia and Ukraine but also systems globally.

Bamital

Years active: 2009 – 2013
Estimated cost: $700,000 per year
Estimated infections: Up to one million desktop machines

Bamital, a malware discovered by Microsoft in 2013, committed click fraud by redirecting search engine users to ads or malware-laden pages. It generated up to $1 million annually for its operators, affecting Bing, Yahoo, and Google searchers.

Chameleon

Years active: 2013
Estimated cost: Around $6 million per day
Estimated infections: 120,000 desktop machines

Chameleon was one of the first botnets to mimic user behavior, targeting display ads and diverting over 50% of ad revenue from 200 sites through fraudulent clicks and rollovers.

Kovter

Years active: 2014 – Present
Estimated cost: Not known
Estimated infections: Unknown

Kovter is a sophisticated click fraud botnet hiding in long lines of code, including Windows registry files. It performs its damage while the system is in 'sleep' mode and can evade detection by shutting down during system scans.

Methbot

Years active: 2015-2017
Estimated cost: $3 million per day at peak
Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses

Methbot, an infamous botnet, used infected servers to fake website identities and generate fake video ad impressions, earning up to $5 million a day at its peak. It set the standard for click fraud schemes until surpassed by 3ve.

3ve (Eve)

Years active: 2017-2018
Estimated cost: At least $29 million
Estimated infections: 1.7 million hacked computers

3ve, operated by the same team behind Methbot, managed to conduct even more complex video ad fraud, spoofing inventory despite ads.txt. It generated an estimated $29 million before being shut down.

HummingBad

Years active: 2016
Estimated cost: $300,000 per month in 2016
Estimated infections: 10 million Android devices worldwide

HummingBad, created by YingMob, inflated ad clicks and could disguise click origins and install software without user knowledge. It resurfaced as HummingWhale in 2017, infecting over 20 Google Play store apps.

HyphBot

Years active: 2017
Estimated cost: Up to $1.2 million per day
Estimated infections: At least 500,000 computers

HyphBot exploited ads.txt lists to generate fake video ad impressions, running for a short time but embezzling millions in fraudulent ad revenue before disappearing.

DrainerBot

Years active: 2018 – 2019
Estimated cost: Not known
Estimated infections: At least 10 million infections

DrainerBot, embedded in an SDK for Android devices, evaded Google Play Protect checks and committed ad fraud by playing video ads in the background, using large amounts of data and battery power.

404Bot

Years active: 2018 – Present
Estimated cost: At least $15 million
Estimated infections: Not known

404Bot spoofs domain inventory and passes various preventative techniques, continuing to drain marketing funds with an estimated $15 million in damage as of February 2020.

Tekya

Years active: 2019-2020
Estimated cost: Not known
Estimated infections: At least 56 apps, over 1 million downloads

Tekya, found in 56 Android apps, engaged with ads using clicker malware called Haken. Since May 2019, it has committed click fraud on over 1 million downloads, mimicking user behavior.

And This Isn’t All…

This list isn’t exhaustive. Other notable botnets like Judy, IceBucket, and SourMint have also caused significant damage, and many smaller botnets remain unnamed or undetected long enough to be identified by authorities.

The Impact of Click Bots on Paid Campaigns

Click bots are a significant challenge for anyone running online ads, affecting advertisers, small business owners, and marketing teams alike.

Key Issues Caused by Click Bots:

  • Wasted budgets: Each fake click generated by bots drains your ad budget.
  • Misleading analytics: Fake clicks skew your data, leading to inaccurate insights and poor decision-making.
  • Challenging optimization: Optimizing campaigns with faulty data results in wasted time and effort.
  • Decreased engagement: Artificially high click-through rates can reduce genuine user engagement.
  • Ineffective targeting: Adjusting targeting based on bot traffic can undermine your broader marketing efforts.

Click bots don't just impact individual campaigns on platforms like Google Ads or Facebook Ads; they threaten your entire marketing strategy. Preventing them is crucial.

How to Detect and Block Click Bots

Detecting click bots is challenging but achievable with the right steps:

  1. Monitor website traffic: Look for unusual patterns, such as sudden spikes or odd click times.
  2. Narrow your targeting: Specific audience targeting helps identify suspicious clicks from unexpected groups.
  3. Limit ad runtime: Avoid running ads 24/7 to reduce exposure to bots that operate on set schedules.
  4. Implement CAPTCHAs: Use CAPTCHAs to verify human users, preventing bots from accessing your site.

While these measures can help, they may not be 100% effective and can be time-consuming to implement.

Streamline Protection with Tapper

Tapper simplifies bot detection and blocking in real-time, protecting your PPC ads and other marketing activities from fraudulent clicks. Try Tapper for free to see how many fake clicks your ads receive before committing.

Ensure your ad spend reaches genuine human users, not click bots or click farm workers.

Get a free invalid traffic audit

Tapper directs every penny of your ad spend to your target audience. No more invalid traffic, no more budget wasted on returning users, and no more clicks that won’t ever convert.

Convert wasted ad spend into revenue growth

It’s time to stop paying for clicks that will never convert. Make your marketing budget go further by eliminating waste from your campaigns.