According to a recent post from Click Forensics, a company that monitors and improves traffic quality for the online advertising industry, a newly discovered botnet is capable of disguising its clicks as legitimate search ad traffic and fooling search engine filters. The botnet, dubbed the "Bahama botnet" because it is tied to 200,000 domains mostly in the Bahamas (and now also in Amsterdam, the UK, and Silicon Valley), affects online marketers who use pay-per-click advertising. The Click Forensics researchers believe this botnet is controlled by the same people who are running the scareware attacks that have hit The New York Times, among other sites, in recent weeks.
If you click through to the video in the Click Forensics post, you can see a demonstration of the click fraud in action against searches on Google and Yahoo. The size of a target does not deter click fraud scammers; Microsoft is vulnerable to the scam, too. Earlier this year Microsoft filed a click fraud lawsuit against three people, claiming they made $250,000 in profit off its online advertising service.
As security professionals, we have to keep an eye on click fraud from two perspectives. First, our own Web sites might be vulnerable to it; where there is a will there is a way, so don't assume you are immune. Second, users are our weakest link: they are exposed to click fraud and can in turn expose our networks to malware. Click fraud is an especially tricky area for user error, because end users usually see no indication that anything is wrong as they go about their normal activities, such as performing searches in this case.
So how do we defend against click fraud? I offer the following advice: