Methbot revenue compared to other ad fraud operations revenues.

New details on the “bot farm” that generates millions in fraudulent revenue. The advertisement industry reacts.

New details on the “bot farm” that generates millions in fraudulent revenue. The advertisement industry reacts.

On December 20, researchers from White Ops reported that a scheme dubbed “Methbot,” is a Russian operation set up to watch up to 300 million video-based adverts automatically every day. Their research has uncovered a bot farm that is estimated to be fraudulently stealing millions in revenue from online video advertising companies.

The operation was named “Methbot” by the New York-based security firm because of actual references to meth in the bots code. The Russian run bot uses an army of automated web browsers executed from fraudulently acquired IP addresses to deliver as many as 300 million fake video ad plays a day, tricking advertisers to pay for views that were never seen by humans.

Those behind Methbot are using bare metal servers hosted at data centers in Dallas, Tx., and Amsterdam to power 600,000 bots with forged IP records that that make it appear online ads are being viewed by U.S.-based ISP customers of Verizon, Comcast, AT&T and others. Next, the fraud includes an automated software program that mimics a user watching video ads.

Another chief component of Methbot is the exploitation of the complex online advertising arbitrage system of simultaneous buying and selling of online video-ads. “Let’s assume that (The New York Times) presells 90 percent of its ad impressions, but the remaining 10 percent remains unsold. The inventory that isn’t presold is then sold on the ‘open market’ where re-sellers scoop up the 10 percent,” explains White Ops.

The bots purportedly scammed publications like the Huffington Post, The Economist, Fortune, ESPN, Vogue, CBS Sports and Fox News, the company said. Overall, about 6,000 publishers would have been hit and social media websites weren’t immune to the attack, either. WhiteOps though said it would not release the names of the brands affected by the attack.

Methbot revenue compared to other ad fraud operations revenues.
Methbot revenue compared to other ad fraud operations revenues.

Confusing to a lot of people even after the details released by White Ops

In the programmatic world, someone can scoop up a portion of unsold inventory from a publisher’s website and later resell it at a higher cost in a process known as arbitrage. In this case, the Russian hackers allegedly represented themselves as having ad inventory on The New York Times, for example, and sold ad space to major brands. In reality, however, the ads were served on a faux New York Times website that was actually owned by Methbot.

Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operation is ‘watching’ as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed, enabling the operation to attract millions in real advertising dollars, according to White Ops.

Advertisers often rely on data stored on a user’s machine in “cookies”  to target advertising against demographic information, browser histories, past purchases, and many other data points. Methbot operators use this industry approach to their advantage and stuff crafted cookies into fake web sessions by leveraging a common open source library which allows them to maintain persistent identities containing information known to be seen electronically as valuable to advertisers. In this way they take advantage of the higher CPMs advertisers are willing to spend on more precisely targeted audiences, such as login into Social Networks.

Methbot operators also forged behaviors used as industry measures of human like use, like cursor movements and clicks and multiple viewability measures to mimic observed trends in human behavior. Additionally, sophisticated techniques were employd to pass as humans usign a computer. Methbot forges fake social network login information to make it appear as if a user is logged in when an impression occurs, making the click price even more expensive.

White Ops released a whitepaper, a list of spoofed domains, a list of affected URLs, IP address and IP ranges.

Methbot code explained by White Ops.
Methbot code explained by White Ops.

Technical details on the Methbot operation: an elaborate scheme with a decent budget

One of the key pieces of the Methbot operation is the use of forged IP addresses. The group uses fake documents to obtain more than 500,000 IP addresses that it then employs to hit the ads. The network uses proxies on the dedicated servers it owns to help camouflage its operations and also has the ability to impersonate all of the major browsers.

These dedicated servers were located at Data Centers in Dallas and Amsterdam but the IPs were faked and browser details were spoofed using QA testing tools such as Watir and Selenium.

According to famous Security researcher Brian Krebs, the report which doesn’t give details about who did it, notes that Methbot employs a program called “Cheerio” to parse the HTML rendered by the video ads and a discussion about this piece of software show up in a discussion thread on the Russian-language tech forum pyha[dot]ru. That thread was started by a developer using the nickname “adw0rd,” the same nickname listed in the phony ISP internet address ranges used by Methbot. A glance at adw0rd’s profile on pyha[dot]ru shows the user is from St. Petersburg, Russia and his public email address is also available. The “contact” page for adw0rd[dot]com (again, with a zero) includes that same email address, and says the account belongs to a software developer named Mikhail Andreev, which can also be found on public social networks.

An update from the online advertising industry

On Wednesday, December 21st, the CEO of AppNexus, one of the largest ad networks released a text on his blog on Medium, saying that the proportion of the report is overblown. According to him AppNexus shut down this particular scheme long ago and it wasn’t very hard to stop. According to him, on AppNexus in the past week they spent less than $500 on the IP addresses that WhiteOps reported — less than 0.1% of video spend.

Another skeptical researcher called Mike Nolet, detailed a  few myths about the report and raised a few important facts. According to him, the 1st myth is the amount reported. The amount of money is high, but does not amount to 3 to 5 million a day. On Myth #2, which says that we can’t find these guys, Mike notes that subpoenas by the government would help track down complex network of shell companies and complex international laws. By his opinion, the real problem is that nobody is reporting the crime and the ones that would be allowed and interested in doing so would be the affected brands that are losing money with the operation but the problem is that not even them know that they are getting stolen.

UPDATE on December 22, 2016.
DataXu, another online ad ecosystem also came forward with their assessment of the situation. According to DataXu, a discovery process to determine the impact of Methbot on advertisers using the DataXu platform, the company found that only .08% of daily media spend in December could be attributed to fraudulent Methbot IP addresses.

 

Sources:
http://www.zdnet.com/article/methbot-5-million-a-day-stolen-from-us-companies/
http://siliconangle.com/blog/2016/12/21/russian-run-methbot-steals-millions-video-advertising-revenue-daily/
https://threatpost.com/fraudulent-video-ad-bot-rakes-in-close-to-5-million-daily/122610/ 
http://adage.com/article/digital/ad-fraud-scheme-cost-advertisers-3-million-day/307235/
https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-methbot
And Forbes, which apparently first published about the report from WhiteOps at 9am on Tuesday, December 20th.  http://www.forbes.com/sites/thomasbrewster/2016/12/20/methbot-biggest-ad-fraud-busted/#7db72c564ca8

Max Francisco
Max Francisco has been doing digital projects in Brazil and the US for the last 15 years.