Russian Criminals Rake in Millions Per Day in Video Ad Impressions


Russian cyber-criminals are siphoning off millions of advertising dollars per day from US media companies and brand-name advertisers, according to a security analysis. It is the single most profitable bot operation discovered to date.

Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operation is “watching” as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed, enabling the operation to attract $3 million to $5 million per day in real advertising dollars. About 200 million to 300 million video ad impressions are generated per day on fabricated inventory.

Dubbing the bot Methbot because of references to “meth” in its code, White Ops said that this operation produces massive volumes of fraudulent video advertising impressions by commandeering critical parts of internet infrastructure and targeting the premium video advertising space.

“Advertisers often rely on data stored on a user’s machine in cookies to target advertising against demographic information, browser histories, past purchases and many other data points,” White Ops explained. “Methbot operators use this industry approach to their advantage and stuff crafted cookies into fake web sessions by leveraging a common open source library, which allows them to maintain persistent identities containing information known to be seen electronically as valuable to advertisers. In this way, they take advantage of the higher CPMs advertisers are willing to spend on more precisely targeted audiences.”

Methbot operators forge tried-and-true industry measures of humanity. Cursor movements and clicks are faked, as are multiple viewability measures, to further mimic observed trends in human behavior. Additionally, sophisticated techniques are employed to provide an even more convincing picture of humanity: the operation forges social network login information to make it appear as if a user is logged in when an impression occurs.

“Since both human audiences and premium publisher inventory are in high demand, Methbot focuses on manufacturing both of these as its product,” White Ops explained. “By supplying faked audiences and hijacking the brand power of prestigious publishers through faked domains and falsified inventory, Methbot is able to siphon away millions in real advertising dollars.”

The measured impact on the advertising ecosystem is unprecedented, the firm added. By fabricating as much as $5 million in video advertising inventory per day, Methbot far exceeds the financial damage done by previously discovered botnets. ZeroAccess is thought to have collected as much as $900,000 per day, the Chameleon Botnet up to $200,000 per day, and HummingBad up to $10,000 per day.

A total of 250,267 distinct URLs have been spoofed to falsely represent inventory, with 6,111 premium domains targeted and spoofed. The operation runs on between 800 and 1,200 dedicated servers in data centers in the United States and the Netherlands.

“This analysis is possibly only a fraction of Methbot’s true impact,” White Ops concluded. “Because White Ops is only able to analyze data directly observed by White Ops, the total ongoing monetary losses within the greater advertising ecosystem may be larger.”
