Characterizing Large-Scale Click Fraud in ZeroAccess

TitleCharacterizing Large-Scale Click Fraud in ZeroAccess
Publication TypeConference Paper
Year of Publication2014
AuthorsPearce, P., Dave V., Grier C., Levchenko K., Guha S., McCoy D., Paxson V., Savage S., & Voelker G. M.
Other Numbers3711

Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting thatecosystem’s complex structure to obfuscate the flow of money to itsperpetrators. In this work, we illuminate the intricate nature of thisactivity through the lens of ZeroAccess—one of the largest clickfraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modernclick fraud operations. By leveraging the dynamics associated withMicrosoft’s attempted takedown of ZeroAccess in December 2013,we employ this coordinated view to identify “ad units” whose traffic (and hence revenue) primarily derived from ZeroAccess. Whileit proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the datafor these ad units we estimate that the botnet’s fraudulent activitiesplausibly induced advertising losses on the order of $100,000 perday.


The authors are grateful for the assistance, contributions, andguidance of many individuals and organizations, including DavidAnselmi, Richard Boscovich, Hitesh Dharamdasani, Yunhong GuNiels Provos, Moheeb Abu Rajab, Nicholas Weaver, the GoogleSafe Browsing Team, the Microsoft Digital Crimes Unit (DCU),the Microsoft Malware Protection Center (MMPC), and the BingAds Online Forensics Team.Without such contributions, this work would not be possible.This work was supported in part by funding provided to ICSI through National Science Foundation grants CNS : 1237265 (“Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives”) and CNS : 0831535 ("Comprehensive Application Analysis and Control"). Addition funding was provided through NSF grants CNS : 1237076 and CNS : 1237264 (both titled “Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives”), by the Office of Naval Research MURI grant N00014-09-1-1081, and by generous support from Google, Microsoft, and theUCSD Center for Networked Systems (CNS). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Bibliographic Notes

Proceedings of the 21st ACM Conference on Computer and Communications Security (ACM CCS), Scottsdale, Arizona

Abbreviated Authors

P. Pearce, V. Dave, C. Grier, K. Levchenko, S. Guha, D. McCoy, V. Paxson, S. Savage, and G. Voelker

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings