Saturday, March 2, 2024

Cyber Criminal’s Earn $5 Million Daily By Fraudulent Video Ad “Methbot”- A Shocking Report

According to researchers at White Ops who uncovered the ad fraud, cyber crime group has been earning as much as $3 million to $5 million daily by generating up to 300 million fraudulent video-ad impressions per day.

The group behind the ad fraud has created a complex bot farm called Methbot using thousands of proxies and dedicated, deceptive IP addresses to con mainstream advertisers into thinking their ads are running on major media websites.

This Methbot Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operationis “watching” as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed,enabling the operation to attract millions
in real advertising dollars.

Methbot generates the impressions using 250,267 distinct URLs across 6,111 premium distinct domains, White Ops has observed, and it uses several techniques to fool anti-fraud companies.

Methbot Operation Estimation:

Volume and Estimated Financial Impact Report from White Ops ,

• $3 to $5 million in revenue per day for its operators

• CPMs ranged from $3.27 to $36.72 with the average being $13.04

• 200 – 300 million video ad impressions generated per day on fabricated inventory

• 250,267 distinct URLs spoofed to falsely represent inventory

• 6,111 premium domains targeted and spoofed

• High value marketplaces targeted including PMPs

Methbot, researchers say, is unique in its ability to defraud advertisers compared to other ad fraud botnets. According to researchers, competing ad-fraud bots have only raked in a fraction of Methbot’s earning ability.

Competing ad-bots such as ZeroAccess Botnet are thought to have collected as much as $900,000 per day, the Chameleon Botnet took up to $200,000 per day, and HummingBad took up to $10,000 per day, according to White Ops.

The Methbot ad fraud infrastructure. Image: White Ops.

White Ops published a research report exposing the hack and it explains in great detail how the operation profits. Here’s how it works:

  • It creates spoof versions of the URLs (website addresses) of premium publishers, such as,,,, and
  • These web pages contain nothing more than what is needed to support an ad. The publisher’s server is never contacted.
  • Methbot then uploads a video ad to the fake page and “plays” it through a simulated browser.
  • To generate a monetizable impression of the ad, it then simulates a human with a “bot” – this is how it deceives ad fraud companies – the bot randomly interrupts the playback using fake mouse movements. It also uses social login information to masquerade as engaged humans, and it simulates clicks “in a randomly generated fashion to achieve a realistic rate.”

Key Behaviors of Methbot :

Video advertising on premium web sites fetches some of the highest prices in digital
advertising. Methbot hijacks the brand power of premium publishers by spoofing URLs in
the call for a video ad in order to attract advertising dollars in the following way:
Counterfeit page: Methbot selects a domain or URL from a list of premium publishers,
and fabricates counterfeit pages. The page contains nothing more than what is needed
to support an ad, and the publisher’s server is never contacted.
Offer inventory: Using the industry standard VAST protocol, Methbot requests a video
ad from a network, using one of Methbot’s identifiers so they will get credit for it.
Produce fake views and clicks: The video ad is loaded through a proxy and “played”
within the simulated browser. Any specified anti-fraud and viewability verification code
is also loaded and fed false signals in order to make the activity seem legitimate.

Researcher’s says, White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.


Latest articles

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles