Russian Methbot Attack Defrauds Advertisers

White Ops report details Methbot advertising fraud scam that is stealing as much as $3-5 million per day, by impersonating both websites and end-users.

Security firm White Ops released a study on Dec. 20 detailing a new advertising fraud attack network called 'Methbot' that is responsible for up to $5 million in fraud every day.

According to the White Ops analysis, Methbot is a sophisticated operation that impersonates sites as well as users in an attempt to convince advertising networks that legitimate ads were served.

On the publisher side, Methbot is able to impersonate over 6,000 of the internet's top web sites, where the ads are served. For the fake end-users, Methbot has a network of 571,904 unique IP addresses.

Overall, White Ops estimates that the Methbot operation is able to view 300 million video ads every day, generating $3 to 5 million in daily advertising fraud revenue for the Russian hackers that are allegedly behind the attack.

While Methbot is the most sophisticated advertising fraud network that White Ops has yet discovered, it's not the only one. In January, White Ops along with the Association of National Advertisers (ANA) issued a report on the state of bot fraud, estimating that advertisers were losing $7.2 billion annually.

"We started seeing activity for Methbot in September of this year so there was no overlap with the research we did with the ANA," Tamer Hassan, co-founder and CTO of White Ops, told eWEEK.

Among the interesting characteristics of Methbot is that it has its own dedicated infrastructure that wasn't built in the same manner as a typical botnet. With most botnets, attackers infect servers and devices with malware and then use the exploited systems to attack others. Hassan explained that White Ops does not believe that Methbot has infected systems with malware, which is how a typical botnet operates.

"Instead, they have a huge infrastructure set up with data centers filled with servers dedicated to their operation," Hassan said. "That is a huge difference we see in Methbot versus other fraud that has been revealed to date."

He added that that the Methbot operators are spoofing internet service providers and it does appear that they are leasing hardware from service providers in data centers. Additionally, the Methbot operators are also making use of the existing, legitimate marketplaces for online advertising sales.

"Anyone can buy and sell on the open programatic marketplace and in the span of milliseconds there could be several opportunities to arbitrage an impression," Hassan said. "This means that virtually anyone can buy and resell ad slots from a variety of name brand web sites if and when they offer their overflow inventory on the open market."

Methbot isn't just impersonating real sites in order to get the adverting impressions, it also is generating fake views and clicks as well. Hassan explained that Methbot recognizes that many brands have different metrics they measure, before they pay for an ad impression. Methbot has taken the various metrics into account, which can be seen in the code the bot uses.

Given that the advertising platforms are supposed to pay the real sites for placement, the method by which Methbot is able to generate revenue, highlights a flaw in the how modern ad placements system work.

"Advertisers have to pay the platform that is selling ad slots from those real sites and those platforms have to pay the platform selling it to them, and so on," Hassan said. "A lot of times you have no idea how many entities are in the chain of buying and selling an impression in the first 100ms that you load a web page. "

He added that at some point there is an entity that is a front for the ad fraud operation, but often it is several hops deep and most people can only see the first one or two.

From a remediation perspective, White Ops has several recommendations.

"Brands, agencies and ad tech platforms can work together to immediately blacklist the compromised IP addresses, along with the domains and URLs so that Methbot cannot continue to steal revenue from them," Hassan said. "Methbot is still operating today and will continue to do so until it can no longer use its IP space to monetize."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.