Dec 21, 2016 — TrackFive

Ad Fraud Komanda: Uncovering Methbot

Back in April, I wrote a blog series about the digital ad blocker war unfolding between publishers and web consumers. During that series, I wrote about the money publishers were (and still are) losing due to users employing ad blockers. Today, I’m going to discuss another way publishers are losing money: ad fraud.

Yesterday, White Ops, a firm that provides online fraud detection services, released a report indicating that they have uncovered the largest and most profitable online bot fraud operation to date. A single Russian cybercrime group that the security firm has dubbed Ad Fraud Komanda or AFK13 used a bot farm to generate as much as $5 million worth of fraudulent revenue per day.

The fake video view operation has not only exposed weaknesses in the digital advertising supply chain, it has also set a new scale for ad fraud. Large publishers like ESPN, Fox News, The Wall Street Journal, Facebook, and Yahoo have all been affected. Publishers are not the only ones feeling the pressure: media companies, brands and agencies, ad network platforms, data providers, fraud detection vendors, and analytics firms are also likely to be affected by Methbot.

Ad Fraud Komanda: Uncovering Methbot

Methbot, named for a line of code found in the program, is a bot-farm operation that targets premium video ads, generating up to 300 million fake impressions daily. It did this by running a horde of automated web browsers from nearly 572,000 fraudulent IP addresses on its own dedicated servers. Those browsers spoofed more than 6,000 publisher domains to rack up fake video views, which let the Russian cybercrime operation attract millions of advertising dollars.

Methbot made the half a million IP addresses appear to belong to US internet service providers, so the traffic looked like it came from all over the US. Its custom software made the browsers behind those addresses behave like human users: online only during the day, running the Chrome web browser on a MacBook laptop.

In digital advertising, video ads fetch higher prices than other ad types, which is why video was targeted. Big-name websites that attract many visitors, like Vogue, Fortune, or AccuWeather, were also targeted and spoofed so Methbot could use their brand power to request video ads. Let's break the Methbot process down into three main steps:

1. Creating Counterfeit Pages

The program spoofs the URLs of major publisher websites, but the page it serves contains nothing more than what is needed to support the ad. The real publisher's server is never contacted.

2. Offering Ad Space

Methbot then requests a video ad from an ad network using the standard industry protocol. The faked domain registrations tricked the ad networks' algorithms into buying Methbot's ad space, and because the request carried one of Methbot's own identifiers, Methbot got credit (and payment) for the impression instead of the publisher.

3. Fake Views and Clicks

Once the spoofed publisher page wins the ad auction, the video is "played" through a proxy in Methbot's own web browser. The anti-fraud and viewability verification code that ships with the ad is also loaded, and the program feeds it false signals so the request looks genuine.

Discovering the Methbots

In September of 2015, the White Ops team first noticed some automated web traffic with a unique bot signature. This was quarantined and placed into monitoring. It wasn't until October 2016 that the bot morphed into what is now known as Methbot and started racking up hundreds of millions of false video impressions and fraudulent revenue.

Many people are wondering how Methbot operated undetected for over two months. The reason is that this ad fraud method is unlike any past digital advertising fraud we have seen. Typical detection flags traffic that comes from known data center IP ranges; Methbot got around that by running its browsers from IP addresses that looked like ordinary ISP space serving real homes.

Circumventing Ad Fraud Detection

This was a carefully planned ad fraud operation that paid special attention to avoiding detection. After acquiring hundreds of thousands of fake IP addresses that appeared to belong to real internet service providers, Methbot was able to pass as a human user. This is different from typical fraudulent ad schemes, which rely on unsuspecting users accidentally installing malware on their computers.

The cybercrime group controlled these IP addresses directly and fabricated clicks, geographic locations, mouse movements, and social network logins so the traffic would look like active web users in homes across the United States. The group also implemented countermeasures against the verification code of more than a dozen ad technology and fraud detection companies. Together, these steps rendered the usual methods for spotting fraudulent digital ad traffic ineffective.

By impersonating established sites, impersonating human internet users, and circumventing ad network verification procedures, Methbot was able to direct revenues from publishers to AFK13, to the tune of about $3 to $5 million a day.

Moving Forward from Methbot

Every year, billions of dollars in advertising revenue are lost to fraudulent clicks, fake traffic, and other scams. With the way the online advertising field is structured, we may continue to see hackers and cybercriminals take advantage of our digital advertising spaces and more.

There simply seems to be little incentive to stop the fraud. Ad networks have many layers and middlemen, and more than half of all internet ad impressions are never seen by human eyes. Sites use all sorts of shady tactics to inflate their impression counts. Many advertisers are well aware of the problem, but some don't care about the scams or the inflated metrics that come with them: as long as their clients pay, they will keep using shady digital advertising tactics.

Changes to Ad Network Procedures

The Trustworthy Accountability Group (TAG), a joint effort of the ad industry's major trade groups, and White Ops are teaming up to fight Methbot. On its site, White Ops has released lists of the spoofed domains, the IP addresses the operation used, and more.

The groups are blacklisting the internet addresses Methbot used and adding them to the master industry list used to weed out ad fraud. Last week, TAG also began an ad certification program that will verify that ad exchanges are taking place between the actual buyers and sellers, so that payment for these ads goes directly to the website publisher.
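As an added example (not code from this page, White Ops, or TAG), here is a small Python checker that applies the two kinds of signal described above to an impression log: matching against published blocklists of IP ranges and spoofed domains, as in the "Changes to Ad Network Procedures" section, and the fleet-uniformity heuristics from the "Circumventing Ad Fraud Detection" section (every host in a subnet presenting the same Chrome-on-Mac browser and appearing only during business hours). The IP ranges, domains, log lines and the business-hours window are constructed placeholders for illustration, not the real Methbot indicators.

```python
"""Flag ad impressions using Methbot-style indicators: published IP/domain
blocklists plus fleet-uniformity heuristics over a constructed impression log."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Placeholder indicators standing in for the lists White Ops published.
# ASSUMPTION: these documentation ranges and example domains are NOT real Methbot IOCs.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]
SPOOFED_DOMAINS = {"news.example.com", "video.example.org"}

# Constructed impression log, one record per line:
#   client_ip|declared page URL|user agent|UTC timestamp
IMPRESSION_LOG = """\
198.51.100.17|http://news.example.com/story/1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Chrome/55.0|2016-12-19T15:02:11
198.51.100.18|http://news.example.com/story/7|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Chrome/55.0|2016-12-19T15:02:13
198.51.100.19|http://video.example.org/watch?v=9|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Chrome/55.0|2016-12-19T17:45:00
192.0.2.40|http://weather.example.net/today|Mozilla/5.0 (Windows NT 10.0) Firefox/50.0|2016-12-19T03:10:44
192.0.2.41|http://weather.example.net/radar|Mozilla/5.0 (iPhone; CPU iPhone OS 10_1) Safari/602.1|2016-12-19T22:31:09
192.0.2.42|http://news.example.net/latest|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Chrome/55.0|2016-12-19T14:00:00
"""

# ASSUMPTION: "daytime" is 08:00-17:59 US Eastern, i.e. hours 13..22 UTC.
DAYTIME_HOURS = range(13, 23)
MIN_HOSTS_PER_SUBNET = 3  # need a few distinct hosts before calling a /24 a fleet


def parse_impression(line):
    """Split one pipe-separated log record into typed fields."""
    ip, url, ua, ts = line.split("|")
    return {
        "ip": ipaddress.ip_address(ip),
        "domain": urlsplit(url).hostname or "",
        "ua": ua,
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
    }


def indicator_hits(rec):
    """Per-impression matches against the published blocklists."""
    hits = []
    if any(rec["ip"] in net for net in BLOCKED_RANGES):
        hits.append("ip-blocklist")
    if rec["domain"] in SPOOFED_DOMAINS:
        hits.append("spoofed-domain")
    return hits


def fleet_signals(records):
    """Flag /24s whose hosts all share one browser fingerprint and/or only
    appear during business hours: the uniform-fleet pattern attributed to Methbot."""
    by_subnet = defaultdict(list)
    for rec in records:
        by_subnet[ipaddress.ip_network(f"{rec['ip']}/24", strict=False)].append(rec)
    flagged = {}
    for subnet, recs in by_subnet.items():
        if len({r["ip"] for r in recs}) < MIN_HOSTS_PER_SUBNET:
            continue  # too few hosts to judge uniformity
        reasons = []
        if len({r["ua"] for r in recs}) == 1:
            reasons.append("uniform-user-agent")
        if all(r["time"].hour in DAYTIME_HOURS for r in recs):
            reasons.append("daytime-only")
        if reasons:
            flagged[str(subnet)] = reasons
    return flagged


def analyze(log_text):
    """Return per-impression blocklist hits keyed by client IP and flagged subnets."""
    records = [parse_impression(l) for l in log_text.splitlines() if l.strip()]
    return {
        "impressions": {str(r["ip"]): indicator_hits(r) for r in records},
        "subnets": fleet_signals(records),
    }


if __name__ == "__main__":
    result = analyze(IMPRESSION_LOG)
    for ip, hits in result["impressions"].items():
        print(f"{ip:15} {','.join(hits) or 'clean'}")
    print("flagged subnets:", result["subnets"])
```

Blocklist matching only catches addresses and domains already published, so the subnet-level heuristics are what give a second chance on a fleet that has moved to fresh IP space; in practice the fingerprint and hours-of-activity checks would be run over far more than three hosts and tuned against legitimate office networks, which also look uniform and daytime-only.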

By getting rid of some of the middlemen fueling fraud in digital advertising, perhaps they can keep something like this from happening again. Though that seems quite unlikely. The internet is a constantly evolving place where cybercriminals can creatively and innovatively commit all sorts of crimes.

The Russian group, Ad Fraud Komanda, has not been caught yet, but law enforcement is working on it. The chief operating officer at White Ops said they have been working with law enforcement for weeks. Hopefully, that will be the start of a collaborative effort to shut down Methbot and rethink ad network verification methods.
