By the end of 2017, webminers had generated more than $15 billion in revenue, according to a study by security firm Cloudflare.
The study, published Wednesday in a security blog, also found that only about 1% of the websites hosted on the internet were legitimate.
It found that in 2017, only a fraction of the sites hosted on sites like Facebook, Google, Amazon and YouTube were legitimate, and the rest were run by criminals and bots.
“We found the majority of legitimate webmining websites were hosted on botnets, or other malicious sites that target users by manipulating search engine results and the number of clicks on each page,” the Cloudflare researchers wrote.
“This suggests that most legitimate webpages are likely to be scams masquerading as legitimate sites.”
Cloudflare's research found that more than 90% of webminer traffic originated from the United States and Canada.
The researchers analyzed more than 3,000 sites that had been hosted on Cloudflare servers.
“A large portion of the website traffic was redirected to spam emails sent from a number of botnets,” the researchers wrote in their analysis.
The authors found that many of the popular webmining sites were hosted in the United Kingdom, Australia, Canada, France, Germany, India, Mexico, Netherlands, New Zealand, Norway, Spain, Sweden, and the United Arab Emirates.
The botnets used for the majority were from Russia, the researchers found.
The most popular webhosting companies were Baidu and GoDaddy.
“Some of the botnets are very active,” Cloudflare researchers wrote, “with more than 500 websites hosting webmined websites.”
They noted that most of the bots would redirect the users to the botnet’s servers, which are located in Russia.
“These servers were hosted using a variety of malware that were detected by the researchers,” the research concluded.
“Many of these botnets were actively used by the botmasters to spread the malware and then re-host the sites.”
In addition to the malware, the Cloudflare researchers found that bots were able to trick users into installing malicious apps or services.
“The majority of the malicious apps installed on the site would use the Chrome browser as the browser and then redirect users from the browser to the browser of the app,” Cloudflare researchers wrote of one of the apps.
“Others would install additional malicious apps that would inject the app with a webhook to trick the user into installing it.”
They also noted that some botnets would install the apps to make the site look more legitimate.
Cloudflare's research found one of those apps, called My Bot, which is used by botmasters for hosting their botnets.
“My Bot is one of more than 600 known malware sites that were hosted by these malicious botnets that are now being used by criminals to infect millions of websites,” Cloudflare researchers concluded.
“While most of these websites are legitimate, they are being used for malicious purposes by botnets to spread malware and redirect users back to their botnet-hosted site,” the study found.
“As of 2016, the majority (but not all) of botnet operators are active on the Tor network,” Cloudflare researchers wrote on Wednesday.
“However, these operators have also been known to use VPN services, SSL/TLS and other VPNs to hide their location and use of Tor to hide IP addresses.”
The researchers also found a bot that used a VPN to conceal its location, but that was detected and shut down by Cloudflare.
“VPNs can be extremely useful in many cases, especially for a rogue botnet operator who wants to hide the location of their site,” Cloudflare researchers said.
“For example, the bot can hide its location by using a proxy service like Tor to disguise its IP address and/or using a VPN to disguise the IP address of the site hosting the bot.”
The Cloudflare researchers also noted that the bot used “malvertising” to distribute malware.
“If a botster wishes to use the bot as an ad-serving service, they can use malware to distribute malicious advertisements to their users,” Cloudflare researchers write