Russian ‘methbot’ fraud targets online ads
December 21, 2016
By Colin Mann
Security researchers at advertising fraud protection and human verification specialist White Ops have exposed the most profitable and advanced ad fraud operation ever seen by the industry. Dubbed ‘The Methbot Operation’ after references to ‘meth’ in the code of the bot itself, this single group of Russian-based operators is stealing as much as $3 million-$5 million per day from major US media companies and brand advertisers. In a coordinated effort to help the industry eradicate this fraud operation, White Ops has published the results of its research, including detailed information that ad tech companies can use to end Methbot’s ability to profit.
The Methbot Operation has been targeting premium programmatic video inventory, generating as much as 200 million-300 million non-human impressions per day. These impressions appear for sale on programmatic advertising markets as premium ad spots on name brand websites. 6,111 domains, drawn from the most popular sites on the web, have been victimised this way. Unlike typical ad fraud bots that rely on infected residential computers and standard embedded web browser engines, Methbot creates enormous scale by operating hundreds of servers from data centres in the US and Amsterdam and employs a custom-written web browser to reduce the likelihood of detection.
“Methbot elevates ad fraud to a whole new level of sophistication and scale,” said Michael Tiffany, co-founder and CEO of White Ops. “The most expensive advertising on the Internet is full-sized video ads, on name brand sites, shown to users who are logged into social media and who show signs of ‘engagement.’ The Russian operators behind Methbot targeted the most profitable ad categories and publishers. They built their infrastructure and tools and compromised key pieces of architectural Internet systems to maximise their haul. Methbot is a game changer in ad fraud and further evidence that the issue of human verification is constantly evolving and innovating, not abating.”
The Methbot Operation is unprecedented in scale economically, not only because of its cultivation of dedicated infrastructure, but also because of the levels to which its operators have studied and gamed the entire value chain across digital advertising and trusted Internet practices. “The Methbot operators clearly have invested research and development time, money and operational know-how to create such a large-scale and effective ad fraud operation,” stated Tamer Hassan, co-founder and CTO of White Ops. “Whether it’s the acquisition of IP addresses and domain names, the deep understanding of real-time bidding in programmatic video, or the characteristics of buyers and sellers in the market, the Methbot operators have worked hard to seem legitimate at every level and to ensure unparalleled levels of control, ownership and resiliency/durability.”
The operation has dramatic costs for both advertisers and publishers and abuses a variety of infrastructure providers by:
- Offering fraudulent web page visits and ad impressions by convincingly posing as more than 6,000 top websites.
- Using a network of proxies running on 571,904 unique IP addresses, camouflaging the traffic to seem legitimate by falsifying IP registrations to impersonate large ISPs including Verizon, Comcast, AT&T, Cox, CenturyLink, TWC and others. For comparison, Facebook currently operates with approximately 270,000 IPv4 addresses.
- Feeding false information to geolocation information providers.
- Spoofing the data collected by viewability measurement providers, including video time watched and engagement actions like mouse movements.
Interestingly, the group is not using a shared cyberattack infrastructure or black market bots/compromised end devices. Their operation is based on custom software and generated completely out of data centres.
“This particular attack highlights the massive scale of the fraudsters and their growing sophistication,” said Mike Zaneis, CEO of the Trustworthy Accountability Group (TAG). “This fraud operation represents a significant threat to the integrity of the ecosystem and we appreciate White Ops’ leadership in sharing this intelligence with the broader digital advertising community. Given the most advanced feature of this operation — its forged IP space — we believe TAG’s information sharing platform will allow responsible industry actors to mitigate the threat quickly and effectively.”