Threat Intelligence

Malware spotlight: What is click fraud?

Greg Belding
December 26, 2019 by
Greg Belding


Click fraud is a well-known method for fraudsters to make money by taking advantage of online affiliates. It typically involves an ad placed on a website where either a bot or (less commonly) a real person clicks on this ad to generate an artificially high amount of monetized user interaction. What many may not notice is that attackers have been using malware to perform both click fraud and other malicious actions, making it a type of malware all its own. 

This article will detail the click fraud type of malware and examine what click fraud is, how it works, some of the other capabilities of click fraud malware and real-world examples of click fraud malware.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

What is click fraud?

Did you know that according to advertising experts, one in five paid clicks in the month of January 2017 was fraudulent? This means that either malware, a dedicated application or an unfortunate person was responsible for this click. 

Also known as pay-per-click (PPC) or performance-based advertising, click fraud is the practice of imitating the actions of legitimate web users clicking on a web-based advertisement. Part of the point (from the attacker’s perspective) is to generate clicks for advertisements regardless if there is genuine interest or not. 

Some click fraud is used by ad agencies to inflate click numbers, but a generous amount of the click fraud activity online is performed by malware. These clicks translate into dollar signs for the attackers, who may be hired by an ad agency — but regardless of origin, the end result is often the spreading of even more dangerous malware

There are many ways that click fraud malware can infect a system. Some of the most common methods are:

  • As an attachment to spam emails
  • Infected apps
  • Downloaded by other malware
  • Downloaded through vulnerability exploits

The threat of click fraud is increasing to be sure and has prompted Google to include click fraud in its new definition of “potentially harmful applications” (PHA). It should be noted that presence of click fraud infected apps in the Google Play store increased by 100% between the years of 2017 and 2018. 

How does click fraud work?

Contemporary versions of click fraud work by using bots to generate an excessive number of clicks on click fraud advertisements. The act of simply generating fraudulent clicks is not, per se, malware, but this click-generating capability is only part of the story. 

Click fraud may be performed by a stand-alone click generating bot, but increasingly this capability is being incorporated as only one of the capabilities of a piece of malware. Some of the other capabilities that click fraud malware may be able to perform including theft of information, opening up backdoors for other attackers to take advantage of, and worst of all, the downloading of even worse malware than the initial click fraud malware that performed the download. 

Simply put, click fraud is often just one ability of malware that as a whole is a much greater threat. 

Some of these other, more damaging, capabilities of click fraud malware are:

  • Information theft, including sensitive information
  • Identity theft or fraud
  • Loss of privacy due to web browser tracking
  • System security compromise

Real-world examples 


This Trojan, which uses click fraud in its attack campaign, was originally discovered in November 2013. It is most commonly spread through spam email attachments and installs itself as a browser plugin and is loaded whenever the browser is opened. 

One of the other capabilities of MIUREF is to install the TSPY_FAREIT malware family. MIUREF may be disguised as cracks or key generators.


Kovter is a click fraud malware that uses its fileless design to avoid detection after infection. It most often spreads as .zip file attachments of a UPS email containing malicious JavaScript files. As Kovter avoids detection, it has the ability to download additional malware, steal sensitive information and even give attackers access to the infected system. 

Kovter works by running a hidden Chromium embedded framework (CEF) browser on the compromised system. The C2 server then sends ads to the infected machine, which are then displayed in the CEF browser. As of November of 2018, most of the major threat actors behind Kovter have been brought to justice, effectively bringing down the click fraud malware’s infrastructure.


The Ramdo malware family is one of the many malware families dedicated to click fraud. It is spread through both exploit kits (RIG, Angler, Blackhole) and spam email containing URLs that redirect users to malicious Adobe Flash Player. These files have a filename of flashplayer20_ga_install.exe.

Based upon processes already running on an infected system, Ramdo injects malicious DLL code into the process, downloads a CEF from its C2 server and navigates to advertisements on a fake browser. Ramdo is also well-known for downloading other malware onto compromised systems.


Click fraud is a well-known tactic for advertisers to generate fraudulent clicks to make money. What is lesser known is the fact that malware is responsible for much of this click fraud and can be performed by malware as a sort of appetizer for the proverbial meal that is a full cyberattack. 

The distinguishing ability of click generating, coupled with its high-level malware functionality and increasing prevalence on the malware landscape, is enough to declare click fraud as a type of malware all to itself. 



  1. The Click Fraud Malware: How MIUREF Turns Users into Cybercriminal Accomplices, Trend Micro
  2. Putting an End to Targeting Bots: What is Click Fraud & How to Prevent it, Lotame
  3. Google: Malware in Google Play doubled in 2018 because of click-fraud apps, ZDNet
  4. 3ve – Major Online Ad Fraud Operation, CISA
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.