Who is behind the Chameleon botnet?

This post first appeared as a guest article on AdWeek.

The industry is being hurt
The Chameleon botnet continues to hurt the display advertising industry. The botnet hurts even the most savvy advertisers—fraudulently costing them millions of dollars per month. The botnet also hurts premium publishers, as advertisers do not have the tools necessary to determine where and when their ad optimisation efforts are being gamed.

Below is a small selection of the advertisers whose advertising campaigns have been gamed by this sophisticated botnet:

American Express, AT&T, BMW, Brightroll, Chase, Citi, Disneyland Resort, Dodge, edX, Equifax, Ford, Fujifilm, Jaguar, LivingSocial, Mars, McDonald’s, Monster.com, Nationwide, Petco, Sprint, Time Warner Cable, TransUnion, Zipcar


Who is to blame?
The question we have been asked repeatedly over the past couple of days is this: “Who is running the Chameleon botnet?”

Unfortunately we do not have the answer. If financial motive points to the perpetrator(s), then the Chameleon botnet is most likely being controlled by some company/person/people with financial upside from the 202 specific websites being targeted by the botnet.

Because we do not currently know who is behind the botnet, we have only released IP addresses of infected machines. We have thought it more responsible to withhold the list of 202 websites being targeted by the Chameleon botnet. It is quite possible that the owners of many these websites do not know the source of their traffic. For example, we know of at least one premium publisher being targeted by the Chameleon botnet. This publisher has raised tens of millions of dollars from top-tier venture capitalists including Kleiner Perkins Caufield & Byers. It is, of course, possible that someone connected to this publisher knows that the Chameleon botnet contributes most of the publisher’s traffic. However, we suspect it to be far more likely that this publisher and others are unintentionally buying fake traffic.

Whilst we have chosen to avoid implicating website owners, tenacious investigative work by journalists and partners has now revealed at least some of the websites we have identified as being targeted by the Chameleon botnet. Unfortunately this investigative work has also overreached what is currently known. Toothbrushing.net, womenshealthbase.com, dailyfreshies.com and FFog.net are not amongst the 202 websites that we have identified as being targeted by the Chameleon botnet. We understand that others in the industry regard these four websites as having suspicious traffic patterns. However, there is no evidence to suggest that these traffic patterns relate to this particular botnet.

In this FT article, Alphabird’s websites have been identified as being targeted by the Chameleon botnet. In this follow-up article on the Verge, the following is written:

We spoke with Alphabird COO Justin Manes who provided additional details about the situation. Alphabird operates by purchasing cheap text ads that send viewers to its websites, and then selling advertisements to companies based on the large number of eyes it’s getting on those pages. Manes believes that one of the companies that Alphabird purchased text ads from had unknowingly employed a contractor that was using the botnet to send fake page views. As of this afternoon, Alphabird has ceased all text ad purchasing.

We do not know the Alphabird team (and Willie Pang is mistaken when he suggests that spider.io is working with Alphabird). So we have no reason to question the statement made by Justin Manes. However, we do still have to ask: “Mr Manes, will you please reveal the source(s) of these cheap text ads—for the good of the industry?” The source of these ads is most likely behind the Chameleon botnet, or at least knows who is behind the Chameleon botnet.

In this Guardian article,  DigiMogul’s websites have been identified as being targeted by the Chameleon botnet. In this AdWeek article, the following is written:

DeWayne Rose, CEO of DigiMogul, said that his company works with Rubicon, OpenX and 24/7. He called any allegations of bot traffic “silly.

“We market just like anybody else,” Rose said. “We spend seven figures building these sites out. We can’t outsmart anybody. If we were using bots, we would be getting caught. Everything is by the book.”

Mr Rose is wrong. DigiMogul’s websites are in fact being heavily targeted by the Chameleon botnet.

It is appropriate that we regard Mr Rose and his team as not being directly connected to the running of the Chameleon botnet. However, the amount of traffic being driven to DigiMogul websites by the Chameleon botnet is such that it seems to us infeasible that DigiMogul’s management never once asked any questions. Directorslive.com is the largest DigiMogul website to be targeted by the Chameleon botnet. Almost all the traffic across this site is generated by the Chameleon botnet. Directorslive is so large that it dwarfs the number of ad impressions sold by eBay through one of the leading display ad exchanges. This article puts directorslive’s traffic into context. It is for this reason that we believe it appropriate to confirm that the Guardian was correct in identifying DigiMogul’s websites as being amongst the 202 websites targeted by the Chameleon botnet.

Presuming that DigiMogul’s management have been inadvertently caught up in the activities of the Chameleon botnet, then it seems imperative that Mr Rose and his team also reveal their traffic sources. These sources are likely to be behind the Chameleon botnet, or they will at least know who is behind the Chameleon botnet.