New efforts to bring cybercriminals to justice are reading more like hard-boiled fiction than the sort of paper pushing enforcement we often imagine applies to white-collar crime. In early February 2013, law enforcement officials, including U.S. marshals, entered server facilities in New Jersey and Virginia to confiscate hardware in a move called "Operation b58," which was initiated as a response to a legal claim by big tech companies Microsoft and Symantec.
The legal complaint, filed in Virginia, identified 18 "John Does" believed to be engaged in a worldwide, million-dollar scheme to profit from hacking large numbers of personal computers. In fact, Microsoft and Symantec staffers rode along on the bust, as part of what Microsoft is calling a "legal and technical action" to disrupt an operation known as the "Bamital botnet," where a number of operators control global systems that use malware to hijack users’ search results. And that, of course, affected major search engines and browsers, include those run by Microsoft, Yahoo and Google.
Fans of contemporary U.S. crime television might wonder exactly why law enforcement was knocking on doors up and down the East Coast – after all, there are no dead bodies. It all has to do with something called click fraud, a specific kind of virtual hacking that allows for a small number of people to control a whole lot of Internet user activity – and in terms of its business ramifications, it’s a pretty serious crime.
What Is Click Fraud?
The most simple explanation of click fraud is that hackers redirect Web users to controlled destinations, and away from the organic results that would normally be generated by search engine technology. However, there are multiple ways to do this kind of hacking. Click fraud operators can trick search engines into sending users to the wrong place, but another, potentially easier, way to achieve click fraud is to infect a PC with a piece of malware that does the work on its own. Part of the Microsoft legal complaint against Bamital, filed on January 31, 2013, gives a visual depiction of how botnet operators change DNS settings on computers through malware installation, thereby creating botnets, or large networks of automatically redirected browsers. A command-and-control tier consisting of purchased hosting services controls an infected tier of individual computers.
To many people, click fraud might seem like something relatively harmless, not something you’d bring out a task force for. In reality, this form of hacking is effectively robbing businesses of millions of dollars, and cheating consumers in a variety of ways. For example, the Bamital botnet often redirected users from the website they intended to go to to one that served malware, which included dangerous tracking and spying software. And, by monkeying with the advertising platform that allows much of the Internet to be free for users, click fraud also negatively affects the companies that serve ads as well as the companies that pay for ad space. That’s why this kind of elusive cybercrime is actually getting shut down.
A Microsoft blog post on the issue shows that the Bamital take-down was the sixth time that the company has been involved in these kinds of operations. Other examples also show the scale of click fraud rings. A 2011 InformationWeek story, for example, details an FBI action involving both Estonian and Dutch law enforcement, and raids on facilities in Chicago and New York. In this case, an operation called DNS Changer botnet was estimated to have netted its operators $14 million by infecting more than half a million computers in America from 2007 to 2011. The victims? The advertisers who lost the clicks, business and revenue they would have received had customers not been sent elsewhere, as well as the customers themselves, whose computers were infected with malware that essentially made them complicit in the scam. (Read about other threats users face in The 5 Scariest Threats in Tech.)
Busting the Botnet Operators
As you’d expect, any crime involving ringleaders in countries around the world can be hard to police, and in looking at law enforcement responses, there are some good questions about jurisdiction and venue. In the Bamital case, Microsoft’s legal complaint specifies the legal basis for U.S. raids, specifically in the state of Virginia, explaining the choice of venue by claiming that "defendants …have utilized instrumentalities located in Virginia and the Eastern District of Virginia to carry out the acts complained of herein." The legal document also names ISPs that were used by the ring, which are located in Virginia, and shows how many personal computers in the state were targeted for infection.
An even thornier issue with click fraud involves businesses charging larger tech companies with lax security standards around online marketing results, or even with deception in their contractual marketing agreements. One of the most high-profile scenarios is outlined in an August 2012 Forbes Magazine story, where a company called Limited Run pulled the plug on its Facebook campaign due to concerns that many of the clicks generated could have been instances of click fraud. In addition to these kinds of "trust issues," the social media giant has also faced lawsuits, although it’s generally hard for plaintiffs to claim that "hosts" or online venues are legally responsible for fraudulent results. Other big tech firms like Google have faced similar challenges. Because it could be argued that these companies also benefit from click fraud, it all becomes a very sticky issue.
What Can Companies, and Consumers, Do?
In its response to customer complaints, Facebook has detailed its use of member-based sign-ons and verification technologies like CAPTCHA, which can foil some bots, and has also recommended that companies monitor the traffic around their marketing campaigns closely to determine if click fraud is going on. For consumers, help may come in the form of additional redirects on the Web. For example, after Bamital’s servers were recently brought down, many users found that their search engines were "broken," at least when accessed through their infected computers. In response, Microsoft and Symantec put up a destination site routing users toward tools to eliminate the malware that originally caused the problem. Up-to-date anit-virus and malware protection software can also help protect users’ computers from botnet infection.
But there are other ways that those who pay for, and benefit from, online clicks can check to figure out if they are getting cheated. One of these, mentioned in the case of Limited Run, involves checking whether individual clicks were generated by computers that have JavaScript enabled on their browsers. This simple check is at the core of the company’s complaint against Facebook. According to Limited Run, only a few percent of authentic clicks should come from users with JavaScript disabled. (In Limited Run’s complaint against Facebook it was alleged that 80 percent of Facebook results were from javascript-disabled machines.)
Opinions differ on whether this is an effective way to identify click fraud because authentic users can also disable Javascript. Still, this type of analytics is still one very useful tool for companies that want verify their ad campaign results in-house.
A New Age of Crime
The end result of law enforcement behavior around click fraud is that this specific kind of cybercrime is getting noticed. Data on click fraud has been built into business and money reports, university curricula and, of course, legal claims. It’s also been responsible for a lot of search engine hits as the average reader tries to get up to date on this kind of crime – and how they can avoid becoming a part of it.
The action around click fraud is a real example of how the general phenomenon of cybercrime is being addressed in an age where the data that floats through global virtual networks has become so very valuable. And just like any crime, this one involves a cat-and-mouse game between criminals and the law. The crime may be virtual, but the chase plays out in the real world. And while punishment for the perpetrators of click fraud is currently a bit hard to pin down, you can bet that the high stakes of this game will ensure that the consequences are anything but virtual.