According to researchers at White Ops who uncovered the ad fraud, cyber crime group has been earning as much as $3 million to $5 million daily by generating up to 300 million fraudulent video-ad impressions per day.

The group behind the ad fraud has created a complex bot farm called Methbot using thousands of proxies and dedicated, deceptive IP addresses to con mainstream advertisers into thinking their ads are running on major media websites.

This Methbot Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operationis “watching” as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed,enabling the operation to attract millions
in real advertising dollars.

Methbot generates the impressions using 250,267 distinct URLs across 6,111 premium distinct domains, White Ops has observed, and it uses several techniques to fool anti-fraud companies.

Methbot Operation Estimation:

Volume and Estimated Financial Impact Report from White Ops ,

• $3 to $5 million in revenue per day for its operators

• CPMs ranged from $3.27 to $36.72 with the average being $13.04

• 200 – 300 million video ad impressions generated per day on fabricated inventory

• 250,267 distinct URLs spoofed to falsely represent inventory

• 6,111 premium domains targeted and spoofed

• High value marketplaces targeted including PMPs

Methbot, researchers say, is unique in its ability to defraud advertisers compared to other ad fraud botnets. According to researchers, competing ad-fraud bots have only raked in a fraction of Methbot’s earning ability.

Competing ad-bots such as ZeroAccess Botnet are thought to have collected as much as $900,000 per day, the Chameleon Botnet took up to $200,000 per day, and HummingBad took up to $10,000 per day, according to White Ops.

The Methbot ad fraud infrastructure. Image: White Ops.

White Ops published a research report exposing the hack and it explains in great detail how the operation profits. Here’s how it works:

  • It creates spoof versions of the URLs (website addresses) of premium publishers, such as vogue.com/video, economist.com/video, espn.com/video, fortune.com/video, and foxnews.com/video.
  • These web pages contain nothing more than what is needed to support an ad. The publisher’s server is never contacted.
  • Methbot then uploads a video ad to the fake page and “plays” it through a simulated browser.
  • To generate a monetizable impression of the ad, it then simulates a human with a “bot” – this is how it deceives ad fraud companies – the bot randomly interrupts the playback using fake mouse movements. It also uses social login information to masquerade as engaged humans, and it simulates clicks “in a randomly generated fashion to achieve a realistic rate.”

Key Behaviors of Methbot :

Video advertising on premium web sites fetches some of the highest prices in digital
advertising. Methbot hijacks the brand power of premium publishers by spoofing URLs in
the call for a video ad in order to attract advertising dollars in the following way:
Counterfeit page: Methbot selects a domain or URL from a list of premium publishers,
and fabricates counterfeit pages. The page contains nothing more than what is needed
to support an ad, and the publisher’s server is never contacted.
Offer inventory: Using the industry standard VAST protocol, Methbot requests a video
ad from a network, using one of Methbot’s identifiers so they will get credit for it.
Produce fake views and clicks: The video ad is loaded through a proxy and “played”
within the simulated browser. Any specified anti-fraud and viewability verification code
is also loaded and fed false signals in order to make the activity seem legitimate.

Researcher’s says, White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.