Security researchers have discovered a botnet that is stealing millions of dollars per month from advertisers by simulating click-throughs on display ads hosted on at least 202 websites. Dubbed "Chameleon" by the Web analytics firm spider.io, it fools advertisers' behavior-tracking algorithms to generate fraudulent income. Botnet emulates human visitors on select websites causing billions of display ad impressions to be served to the botnet.

Individual bots within the Chameleon botnet run on host machines with Microsoft Windows as the operating system. Bots access the Web through a Flash-enabled Trident-based browser that executes JavaScript.

Spider.io says that more than 120,000 host machines have been identified so far. 95% of these machines access the Web from residential US IP addresses.

Spider.io has observed the Chameleon botnet targeting a cluster of at least 202 websites. 14 billion ad impressions are served across these 202 websites per month. The botnet accounts for at least 9 billion of these ad impressions. At least 7 million distinct ad-exchange cookies are associated with the botnet per month. Advertisers are currently paying $0.69 CPM on average to serve display ad impressions to the botnet.

Chameleon is a sophisticated botnet. Individual bots run Flash and execute JavaScript. Bots generate click traces indicative of normal users. Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02%; and they surprisingly generate mouse traces across 11% of ad impressions.

This discovery of the Chameleon botnet follows the recent take-down announcements of the Bamital botnet by Microsoft and Symantec -- on February 6th of this year. Both the Chameleon botnet and the Bamital botnet have cost online advertisers millions of dollars.