Biggest Cybercriminal Ad-Fraud Rakes in Millions per Day

Image for post
Image for post

Methbot is a state-of-the-art ad fraud infrastructure, capable of hosting legitimate videos and serving them to 300 million fake viewers a day. Each view earns the criminals about $13, translating to around four million dollars a day. Over the past few months, Methbot has pulled in an estimated $180 million. It represents one of the most sophisticated and elaborate ad-fraud networks ever seen.

Targeting Web Advertising

Image for post
Image for post

Scam Walkthrough

Then Methbot shows up. It takes your nice video and places it on hundreds of sites which match your desired market. Then like magic, as you had hoped, millions of visitors start watching your video! You are of course excited. Every day 1 million people are watching and being influenced by your marketing video. Surely sales will go up. Paying the $10,000 advertising fee per day (1 million impressions / 1000 X $10) is absolutely worth it. It is what you wanted, except sales don’t go up. All those ‘impressions’ don’t seem to have the desired effect, because no real person actually watched your video. They were hosted on specially crafted sites and visited only by robots made to appear as potential customers of your product, in the right geography, logged into social media, and even moving the mouse around. You pay for advertising and get nothing in return. Welcome to the Ad-fraud attention economy.

Image for post
Image for post

Sophisticated Infrastructure

At its core, Methbot created phony users that appeared to view advertising videos hosted on their site, so they would earn money from the ‘impressions’ that would be tabulated. To accomplish this, the organized criminals had to create a massive infrastructure that worked together at scale. It forged network address credentials to make it appear the users were from preferred geographies, thereby increasing the costs they could charge. It created 250,000 counterfeit web pages, that nobody was actually visiting, just to host the legitimate videos. The attackers purchased over six-thousand domains for these websites, so as to appear as if they were part of coveted web properties. Again, to boost the CPM rates. It is estimated that between 8k to 12k dedicated servers were running customized software to generate 300 million fake video impressions daily. This software spoofed users web browsers, mouse activity, and even went as far as to make it look like these users were logged into their Facebook accounts to make the scam believable. All fake.

The investment of time, resources, and up-front costs was likely very substantial. Creating, testing, and launching a fraud network of this size is a big undertaking. There is likely an organized team of professionals behind Methbot.

Image for post
Image for post

Ad Networks Need to Rethink their Processes

Methbot was so powerful, in part, due to its conformance to the VAST protocol that dominates the Video ad industry. VAST (video Ad Serving Template) is a specification created by the Interactive Advertising Bureau (IAB). The latest VAST version 4.0 was released in January of 2016. It is a web structure that allows for the monetization of digital videos in the advertising marketplace. It allows for ads to be published by sites and tracks the impressions in exchange for payment. The criminals were savvy in using the VAST based networks to get and service contracts in an automated fashion. It allowed them to scale quickly.

The Investigation

Initial findings by WhiteOps, pointed the finger to cybercriminals based out of Russia. But they did not release any specific supporting data, opting to keep it private at the moment. Likely to be provided to authorities as part of attribution aspects of the investigation.

Authorities will have an interesting time pursuing those behind it. First, they will need to understand the overall scope and assets involved. Shutting down the fraudulent engine is the immediate priority, while maintaining all necessary evidence. Figuring out who is behind it and tracking the money will be the next step. Victims will want reparations. Pursuing the criminals, having them arrested, and extradited if necessary will be the final hurdle to begin formal prosecution proceedings.

The Threats

This fight has just begun.

Interested in more? Follow me on Twitter (@Matt_Rosenquist), Steemit, and LinkedIn to hear insights and what is going on in cybersecurity.

Written by

Cybersecurity Strategist and CISO specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store