Wednesday, June 19, 2024

Cyber Criminal’s Earn $5 Million Daily By Fraudulent Video Ad “Methbot”- A Shocking Report

According to researchers at White Ops who uncovered the ad fraud, cyber crime group has been earning as much as $3 million to $5 million daily by generating up to 300 million fraudulent video-ad impressions per day.

The group behind the ad fraud has created a complex bot farm called Methbot using thousands of proxies and dedicated, deceptive IP addresses to con mainstream advertisers into thinking their ads are running on major media websites.

This Methbot Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operationis “watching” as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed,enabling the operation to attract millions
in real advertising dollars.

Methbot generates the impressions using 250,267 distinct URLs across 6,111 premium distinct domains, White Ops has observed, and it uses several techniques to fool anti-fraud companies.

Methbot Operation Estimation:

Volume and Estimated Financial Impact Report from White Ops ,

• $3 to $5 million in revenue per day for its operators

• CPMs ranged from $3.27 to $36.72 with the average being $13.04

• 200 – 300 million video ad impressions generated per day on fabricated inventory

• 250,267 distinct URLs spoofed to falsely represent inventory

• 6,111 premium domains targeted and spoofed

• High value marketplaces targeted including PMPs

Methbot, researchers say, is unique in its ability to defraud advertisers compared to other ad fraud botnets. According to researchers, competing ad-fraud bots have only raked in a fraction of Methbot’s earning ability.

Competing ad-bots such as ZeroAccess Botnet are thought to have collected as much as $900,000 per day, the Chameleon Botnet took up to $200,000 per day, and HummingBad took up to $10,000 per day, according to White Ops.

The Methbot ad fraud infrastructure. Image: White Ops.

White Ops published a research report exposing the hack and it explains in great detail how the operation profits. Here’s how it works:

  • It creates spoof versions of the URLs (website addresses) of premium publishers, such as,,,, and
  • These web pages contain nothing more than what is needed to support an ad. The publisher’s server is never contacted.
  • Methbot then uploads a video ad to the fake page and “plays” it through a simulated browser.
  • To generate a monetizable impression of the ad, it then simulates a human with a “bot” – this is how it deceives ad fraud companies – the bot randomly interrupts the playback using fake mouse movements. It also uses social login information to masquerade as engaged humans, and it simulates clicks “in a randomly generated fashion to achieve a realistic rate.”

Key Behaviors of Methbot :

Video advertising on premium web sites fetches some of the highest prices in digital
advertising. Methbot hijacks the brand power of premium publishers by spoofing URLs in
the call for a video ad in order to attract advertising dollars in the following way:
Counterfeit page: Methbot selects a domain or URL from a list of premium publishers,
and fabricates counterfeit pages. The page contains nothing more than what is needed
to support an ad, and the publisher’s server is never contacted.
Offer inventory: Using the industry standard VAST protocol, Methbot requests a video
ad from a network, using one of Methbot’s identifiers so they will get credit for it.
Produce fake views and clicks: The video ad is loaded through a proxy and “played”
within the simulated browser. Any specified anti-fraud and viewability verification code
is also loaded and fed false signals in order to make the activity seem legitimate.

Researcher’s says, White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles