Researchers say a cybercrime group has been earning as much as $3 million to $5 million daily by generating up to 300 million fraudulent video-ad impressions per day.
The group behind the ad fraud has created a complex bot farm called Methbot using thousands of proxies and dedicated, deceptive IP addresses to con mainstream advertisers into thinking their ads are running on major media websites.
According to researchers at White Ops who uncovered the ad fraud, those behind Methbot are using bare metal servers hosted at data centers in Dallas, Tx., and Amsterdam to power 600,000 bots with forged IP records that that make it appear online ads are being viewed by U.S.-based ISP customers of Verizon, Comcast, AT&T and others. Next, the fraud includes an automated software program that mimics a user watching video ads.
Methbot operators abuse advertisers and publishers alike by spoofing the data collected by view-ability measurement providers, including video time watched and engagement actions like mouse movements, according to White Ops who published a technical analysis of its discovery Tuesday.
Another chief component of Methbot is the exploitation of the complex online advertising arbitrage system of simultaneous buying and selling of online video-ads. “Let’s assume that (The New York Times) presells 90 percent of its ad impressions, but the remaining 10 percent remains unsold. The inventory that isn’t presold is then sold on the ‘open market’ where re-sellers scoop up the 10 percent,” explains White Ops.
Unsold video-ad inventory can be snatched up by Methbot and shown to its army of fake users. “It means that Coca-Cola could potentially — under certain scenarios that are well understood by criminals — hand over their cash to anyone for NYT ad placements and not think it was suspicious,” researchers said.
Part of the elaborate scheme also includes creating fake sites with IP addresses forged to appear affiliated with major U.S. media companies. That allows crooks to obtain video-ad inventory to display to its fake mainstream media websites for top dollar. And, of course, those ads are viewed by Methbot’s fake viewers.
Researchers say ad fraudsters are targeting video ads because they are the most lucrative, paying as much as 3 cents per view. As of October, White Ops estimates that Methbot is generating upwards to $5 million daily based on the 3 cent increments.
Methbot, researchers say, is unique in its ability to defraud advertisers compared to other ad fraud botnets. According to researchers, competing ad-fraud bots have only raked in a fraction of Methbot’s earning ability. Competing ad-bots such as ZeroAccess are thought to have collected as much as $900,000 per day, the Chameleon Botnet took up to $200,000 per day, and HummingBad took up to $10,000 per day, according to White Ops.
“Primary difference (between earlier ad-bots) is that unlike primary bots that rely on residential IP space/home computers infected with malware, Methbot operates purely out of data centers and also does not rely on standard web browsers (Chrome, Internet Explorer). It actually uses a custom web browser code created from scratch,” researchers told Threatpost. The strength of the Methbot is that operators are in full control of their own servers and nodes and can count on both reliability and resiliency of the network.
According to researchers, the operators of the Methbot network are based in Russia. Researchers said in 2015 they began tracking an early and benign incarnation of the Methbot signature it called C3. “We continued to track the evolution of C3 as it expanded and grew into ‘Methbot.’ On Oct. 5, Methbot began to scale aggressively reaching as many as 137 million ad impressions per day.”
By the middle of October, said Methbot had dramatically scaled to three billion to five billion ad requests per day. A rough estimate of revenue earned between the time Methbot reached scale and Dec. 1 would be between $171 million and $285 million. White Ops estimates the price of operations for Methbot to approximately $200,000 a month, based on dedicated server pricing.
Researchers released details of the 500,000 faux IP addresses and 6,000 hijacked publisher domains to help with fraud prevention and remediation.
