In recent years, online advertising fraud has become the prevalent monetizing strategy for botnets. It is a growing concern for the advertising industry as it threatens the business model of numerous websites, with losses to this kind of fraud estimated at $7 billion per year. Even though some of this malware, such as Boaxxe/Miuref and Ramdo/Redyms, has been operating for years and is well documented, it continues to defraud the advertising market. Accordingly, a better understanding of how these botnets operate, and new strategies for fighting them, are needed.
In order to extract money from the advertising market, botnet operators sell their traffic to ad networks. Buying and reselling traffic, i.e. arbitrage, is common practice in the online advertising market, so many intermediaries can sit between the botnet and the final advertisers. Identifying the ecosystem formed by all these intermediaries is therefore fundamental to finding efficient mitigation strategies, ones that are more effective and permanent than traditional malware detection and botnet take-downs.
In this paper we present the methods we introduced and used to map this ecosystem. We detail how to reconstruct click-fraud redirection chains from network traces captured on malware-infected machines, a non-trivial technical problem. We also explain our method for reconstructing the graph of intermediary actors in this ecosystem from these redirection chains.
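To make the two steps concrete, the following is an added example written for this page; it is not the paper's own tooling and does not reproduce the authors' method. It assumes a trace has already been reduced to one record per HTTP request (timestamp, URL, response status, and the Location and Referer headers where present), links a request to its predecessor when an earlier 3xx response's Location names it or when its Referer names an earlier request within a 5-second window, and then collapses the resulting chains into a weighted host-to-host graph whose highest-degree nodes are the shared intermediaries. The domains, timestamps and the window size are constructed placeholders. Referer-based linking also attaches ordinary embedded loads (images, iframes) to their parent page, which is one reason the real problem is harder than this sketch.

```python
"""Reconstruct redirection chains from per-request HTTP trace records and
build a host graph of the intermediaries they pass through (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

WINDOW = 5.0  # assumption: max seconds between a redirect and the request it triggers

# Constructed sample trace: two click-fraud chains that share one intermediary
# host (exch-b.example). Record shape is an assumption, not a real export format.
TRACE = sorted([
    {"ts": 1.00, "url": "http://bot-feed.example/get?job=1", "status": 200},
    {"ts": 1.20, "url": "http://tds-a.example/click?id=7", "status": 302,
     "location": "http://exch-b.example/r?x=1"},
    {"ts": 1.25, "url": "http://exch-b.example/r?x=1", "status": 302,
     "location": "http://adnet-c.example/land"},
    {"ts": 1.30, "url": "http://adnet-c.example/land", "status": 200},
    {"ts": 1.35, "url": "http://advertiser-d.example/", "status": 200,
     "referer": "http://adnet-c.example/land"},
    {"ts": 10.00, "url": "http://tds-e.example/go", "status": 302,
     "location": "http://exch-b.example/r?x=2"},
    {"ts": 10.05, "url": "http://exch-b.example/r?x=2", "status": 200},  # JS redirect, no Location
    {"ts": 10.40, "url": "http://adnet-f.example/serve", "status": 200,
     "referer": "http://exch-b.example/r?x=2"},
    {"ts": 10.50, "url": "http://advertiser-g.example/offer", "status": 200,
     "referer": "http://adnet-f.example/serve"},
], key=lambda r: r["ts"])


def host(url):
    return urlsplit(url).hostname or ""


def find_parent(trace, i):
    """Index of the request that caused trace[i], or None if it starts a chain.
    An explicit 3xx Location match wins; otherwise fall back to the nearest
    earlier request whose URL equals this request's Referer (client-side
    redirects via JS or meta refresh leave only that trace)."""
    rec = trace[i]
    referer_match = None
    for j in range(i - 1, -1, -1):
        prev = trace[j]
        if rec["ts"] - prev["ts"] > WINDOW:
            break  # trace is sorted by time, so nothing earlier can qualify
        if 300 <= prev["status"] < 400 and prev.get("location") == rec["url"]:
            return j
        if referer_match is None and rec.get("referer") == prev["url"]:
            referer_match = j
    return referer_match


def build_chains(trace):
    """Follow parent links from every leaf back to its root; drop isolated requests."""
    parents = [find_parent(trace, i) for i in range(len(trace))]
    has_child = {p for p in parents if p is not None}
    chains = []
    for i in range(len(trace)):
        if i in has_child:
            continue  # only leaves start a walk, so each chain is emitted once
        chain, k = [], i
        while k is not None:
            chain.append(trace[k]["url"])
            k = parents[k]
        chain.reverse()
        if len(chain) > 1:
            chains.append(chain)
    return chains


def actor_graph(chains):
    """Weighted directed edges between consecutive hosts in each chain.
    Consecutive hops on the same host are collapsed so that an actor's
    internal redirects do not appear as self-loops."""
    edges = defaultdict(int)
    for chain in chains:
        hosts = [host(u) for u in chain]
        collapsed = [h for n, h in enumerate(hosts) if n == 0 or h != hosts[n - 1]]
        for a, b in zip(collapsed, collapsed[1:]):
            edges[(a, b)] += 1
    return dict(edges)


def rank_hubs(graph):
    """Hosts ordered by number of distinct neighbours: shared intermediaries first."""
    ins, outs = defaultdict(set), defaultdict(set)
    for a, b in graph:
        outs[a].add(b)
        ins[b].add(a)
    hosts = set(ins) | set(outs)
    return sorted(hosts, key=lambda h: (-(len(ins[h]) + len(outs[h])), h))


if __name__ == "__main__":
    chains = build_chains(TRACE)
    for c in chains:
        print(" -> ".join(c))
    for h in rank_hubs(actor_graph(chains)):
        print(h)
```

On the constructed trace both chains are recovered and exch-b.example ranks first, since it is fed by two distinct traffic sources and hands off to two distinct ad networks. On real captures the Referer rule needs to be combined with content inspection (meta refresh, JavaScript redirects, iframes) and deduplication of subresource loads before the host graph reflects actual traffic resale rather than page composition.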
Finally, we present the results of our study of the click-fraud malware Boaxxe/Miuref and Ramdo/Redyms. We compare the two ecosystems and show that several important actors are present in both. In particular, we point out one Solution-as-a-Service ad network provider that appears to be the main actor in both ecosystems, along with some other ad networks. This shows that an ecosystem disruption effort targeting a few selected actors, by legal, technical or marketing means, could severely affect more than one malware family and could thus help reduce global click-fraud activity.