Researchers at a security firm released details today on a new botnet called Chameleon, which the firm says has cost advertisers over $6 million in revenue — the first of its kind to impact “display advertisers at scale.”

We see botnets steal advertising revenue through text-only advertising, such as the search engine advertising you might see at the top of Google. But display advertisers are more difficult to target, says the firm. Those behind the display advertising use different techniques to judge their target audience and decide whether they are human or not.

The bot is able to mimic human interaction with a website so that no one suspects there is a bot behind the click, hence the name Chameleon. The bot only clicks on an advertisement 0.02 percent of the time, and it re-creates “normal” mouse traces — or where the mouse hovers on the webpage — as well as “random” click-throughs on a specific advertisement. That is, it doesn’t click the ad in the same spot every time.

The firm first started investigating the botnet in December and says the program has cost advertisers up to $6.2 million so far. The botnet specifically targeted 262 unnamed websites and accounted for 65 percent of the traffic served to those websites. The firm was able to detect at least 120,000 “host machines” thus far, and it says the majority of them are from United States IP addresses.

Hat tip: Ars Technica