Saturday, December 14, 2024
HomeMalwareTremendous Ad Fraud 'Methbot' : Attackers earn $3-5M Every day

Tremendous Ad Fraud ‘Methbot’ : Attackers earn $3-5M Every day

Published on

SIEM as a Service

What is Methbot Ad Fraud?

Methbot was hosted and controlled by a hacker group in Russia and Operating out with data centres in US and Netherlands. It was also nicknamed as “methbrowser,” , because it has a fake browser which redirect’s itself.

These “bot farm” generates approximately $3 to $5 million per day by targeting the premium video advertising ecosystem. Experts from Whiteops detected and blocked the malicious  activity generated by Methbot on behalf of their customers.

Overview of Methbot behaviour

Volume and Estimated Financial Impact

- Advertisement - SIEM as a Service
  • Advanced Techniques to Avoid Detection Operational Infrastructure
  • $3 to $5 million in revenue per day for its operators.
  • CPMs ranged from $3.27 to $36.72 with the average being $13.04.
  • 200 – 300 million video ad impressions generated per day on fabricated inventory.
  • 250,267 distinct URLs spoofed to falsely represent inventory.
  • 6,111 premium domains targeted and spoofed.
  • High value marketplaces targeted including PMPs.

Operation Infrastructure

  • 571,904 dedicated IPs, many falsely registered as US ISPs .
  • 800 – 1,200 dedicated servers operating from data centres in the United States and the Netherlands

Advanced Methods to Avoid Detection

  • Faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers.
  • Manipulation of geolocation information associated with the IP addresses under their control.
  • Special case countermeasures against code from over a dozen different ad tech companies.
  • Fully custom HTTP library and browser engine with Flash support, all running under Node.js.

Impact of the Methbot is unmatched, by fabricating  as much as $5 million in video advertising inventory per day

Methbot far exceeds the financial damages done by previously discovered botnets. ZeroAccess is thought to have collected as much as $900,000 per day1 , the Chameleon Botnet up to $200,000 per day2, and HummingBad up to $10,000 per day3 .

methbot revenues - Methbot Ad Fraud

Inorder to avoid detection, developer group implemented array of operations. More than the normal botnet it involves attacks on existing IP addresses and piggybacking on residential computers.

With these forged IP registrations has allowed the Methbot operation to evade typical datacenter detection methodology. This marks an innovation that transcends beyond traditional botnets, allowing Methbot to scale beyond anything the industry has seen before and placing it in a new class of bot fraud.

Methbot Ad Fraud Profit Machine

Since both human audiences and premium publisher inventory are in high demand, Methbot Ad Fraud focuses on manufacturing both of these as its product.

By supplying faked audiences and hijacking the brand power of prestigious publishers through faked domains and falsified inventory.

methbot profit machine - Methbot Ad Fraud

Methbot – Technical Analysis

Bot Characteristics

Methbot uses it’s own customised software’s with a pool of dedicated IP address. White Ops  team detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings.

The bot runs under Node.js, and uses several open source libraries to add other features. It operates primarily on a large scale multi-data center distributed system to leverage parallel, reliable, and redundant operations.

Some open source libraries and tools used in the bot include:

  • Tough-cookie for preserving session data between executions.
  • cheerio for parsing HTML.
  • JWPlayer for running ad tags and requesting video advertisements.
  • Node.JS

Chrome is the browser identity of which White Ops detected the highest volume, including minor versions 53 and 54. Firefox 47, Internet Explorer 11 and Safari 9.1 and 9.2 are also represented. Methbot operators also spoofed operating system including Windows 10 — and some older versions — and several versions of Mac OS X from 10.6 to 10.12.1.

To date White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.

Sample of Methbot generated URLs

To find a complete list of URL’s.

  1. http://ibtimes.co.uk/video
  2. http://vogue.com/video
  3. http://economist.com/video
  4. http://espn.com/video
  5. http://www.cbssports.com/CBS_Air_Force_Falcons_Fall_Gear
  6. http://fortune.com/2016/09/28/department-stores-closings/
  7.  http://foxnews.com/video 

Methbot form

  • 8,000 – 1,200 dedicated Methbot servers.
  • Distributed system to leverage parallel, reliable, and redundant operations.
  • Browser impersonation to resolve against fabricated premium domains.
  • Forged browser aspects including objects like screen information, plugin list, built in functions, and supported events
methbot farm - Methbot Ad Fraud

Financial knock

White Ops consulted with AD/FIN, a programmatic media intelligence company, for representative cost data on the Methbot URL list.The analysis produced through this partnership showed that Methbot Ad Fraud generated ad impressions sell for anywhere from $3.27 CPM to $36.72 CPM.

The average CPM for URLs manufactured by Methbot was $13.04. The financial repercussions of Methbot continue to reverberate through the industry.

Since early October 2016 White Ops estimates it has been running at a daily rate of 200 million to 300 million impressions per day.AD/FIN’s CPM data places a value of this daily activity between $3 million and $5 million dollars per day.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices...

Triad Nexus, Chinese Hackers Using 200,000 Domains For Widespread Cyber Attack

Researchers identified FUNNULL, a Chinese CDN, as hosting malicious content, which includes fake trading...