Researchers: ‘Methbot’ Defrauding Ad Networks of Millions Per Day

Owen Lystrup
Published in Shifted
Dec 20, 2016

According to research from the cybersecurity firm White Ops, a massive bot operation run by a gang of criminals is defrauding online advertisers of $3 to $5 million per day.

The scam operation, according to the researchers who discovered it, relies on a huge network of obscured IP addresses, rented data centers, spurious web sites and bots that are scripted to generate behavior that looks like real human activity.

Researchers named the botnet “Methbot” because of references to meth in its code. Its design has a number of novel components. One example is the 200 to 300 million fake video ad impressions the bot generates using “clean” machines rather than hijacked or infected browsers. The operation also includes a number of countermeasures, including forged registration information, that were implemented to avoid detection by large ad networks and data centers.

The bot's sophistication is evident in the methods the criminals used to construct it. The bot runs on a custom-built browser that can fake mouse movements and clicks, and can even fake social media logins. The authors also built custom, fake browser cookies, which are foundational to how ad networks operate.

The network was constructed with considerable investment. White Ops researchers estimate, based on the more than 570,000 legitimate IP addresses that comprise it, that the value of the network is around $4 million.

But the results, because of the botnet’s scale, are massive. “The measured impact to the advertising ecosystem is unprecedented,” White Ops researchers wrote in their report. “By fabricating as much as $5 million in video advertising inventory per day, Methbot far exceeds the financial damages done by previously discovered botnets.”

Owen Lystrup is Digital Content Director for Western Digital.