Thursday, April 24, 2025

Tremendous Ad Fraud ‘Methbot’ : Attackers earn $3-5M Every day


What is Methbot Ad Fraud?

Methbot was hosted and controlled by a hacker group in Russia, operating out of data centres in the US and the Netherlands. It was also nicknamed “methbrowser” because it runs a fake browser that redirects itself.

This bot farm generates approximately $3 to $5 million per day by targeting the premium video advertising ecosystem. Researchers at White Ops detected and blocked the malicious activity generated by Methbot on behalf of their customers.

Overview of Methbot behaviour

Volume and Estimated Financial Impact

  • $3 to $5 million in revenue per day for its operators.
  • CPMs ranged from $3.27 to $36.72 with the average being $13.04.
  • 200 – 300 million video ad impressions generated per day on fabricated inventory.
  • 250,267 distinct URLs spoofed to falsely represent inventory.
  • 6,111 premium domains targeted and spoofed.
  • High value marketplaces targeted including PMPs.

Operational Infrastructure

  • 571,904 dedicated IPs, many falsely registered as belonging to US ISPs.
  • 800 – 1,200 dedicated servers operating from data centres in the United States and the Netherlands.

Advanced Methods to Avoid Detection

  • Faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers.
  • Manipulation of geolocation information associated with the IP addresses under their control.
  • Special case countermeasures against code from over a dozen different ad tech companies.
  • Fully custom HTTP library and browser engine with Flash support, all running under Node.js.

Methbot's impact is unmatched: by fabricating as much as $5 million worth of video advertising inventory per day, it far exceeds the financial damage done by previously discovered botnets. ZeroAccess is thought to have collected as much as $900,000 per day, the Chameleon botnet up to $200,000 per day, and HummingBad up to $10,000 per day.

[Figure: Methbot revenues]

To avoid detection, the developer group implemented an array of countermeasures. Rather than infecting residential computers and piggybacking on their IP addresses, as a conventional botnet does, Methbot ran on dedicated servers and forged the registration records of the IP addresses under its control so that they appeared to belong to residential US ISPs.

These forged IP registrations allowed the Methbot operation to evade the typical datacenter detection methodology. This innovation goes beyond traditional botnets, allowing Methbot to scale beyond anything the industry had seen before and placing it in a new class of bot fraud.
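The following is an added example, not code from White Ops, of why forged registration records defeat a naive datacenter filter. It uses constructed registry (WHOIS) and routing (BGP origin) tables over the RFC 5737 documentation prefixes and RFC 5398 documentation AS numbers; the organisation names, the residential/hosting labels and the sample request IPs are assumptions made for the illustration. A filter that trusts only the registry record passes 198.51.100.0/24 as residential traffic; cross-checking the prefix against the network that actually announces it flags the mismatch.

```javascript
'use strict';

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR block "a.b.c.d/len".
function inCidr(ip, cidr) {
  const [base, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Constructed registry view: what the registration (WHOIS) record claims.
// Prefixes are the RFC 5737 documentation ranges; org names are invented.
const registry = [
  { cidr: '192.0.2.0/24',    org: 'Example Residential ISP', kind: 'residential' },
  { cidr: '198.51.100.0/24', org: 'Example Residential ISP', kind: 'residential' },
  { cidr: '203.0.113.0/24',  org: 'Example Hosting Co',      kind: 'hosting' },
];

// Constructed routing view: the AS that actually originates the prefix in
// BGP. AS numbers are from the RFC 5398 documentation range. The second
// entry models the Methbot pattern: registered as a residential ISP, but
// announced from a hosting network.
const routing = [
  { cidr: '192.0.2.0/24',    asn: 64496, asnKind: 'residential' },
  { cidr: '198.51.100.0/24', asn: 64500, asnKind: 'hosting' },
  { cidr: '203.0.113.0/24',  asn: 64500, asnKind: 'hosting' },
];

function lookup(table, ip) {
  return table.find(entry => inCidr(ip, entry.cidr)) || null;
}

// Classify one source IP:
//   'datacenter'          registry itself says hosting; a naive filter catches this
//   'forged-registration' registry says residential ISP, but the BGP origin is a hosting AS
//   'residential'         both views agree on a residential network
//   'unknown'             no data for the prefix
function classifyIp(ip) {
  const reg = lookup(registry, ip);
  const route = lookup(routing, ip);
  if (!reg || !route) return 'unknown';
  if (reg.kind === 'hosting') return 'datacenter';
  if (route.asnKind === 'hosting') return 'forged-registration';
  return 'residential';
}

// Constructed sample of ad-request source IPs (no real traffic).
const requestIps = [
  '192.0.2.10', '192.0.2.11',                      // genuine residential
  '198.51.100.7', '198.51.100.8', '198.51.100.9',  // forged registration
  '203.0.113.5',                                   // plainly a datacenter
  '10.0.0.1',                                      // not in either table
];

// Tally the verdicts and, for forged traffic, which AS it really comes from.
function summarize(ips) {
  const counts = { residential: 0, datacenter: 0, 'forged-registration': 0, unknown: 0 };
  const forgedByAsn = {};
  for (const ip of ips) {
    const verdict = classifyIp(ip);
    counts[verdict] += 1;
    if (verdict === 'forged-registration') {
      const asn = lookup(routing, ip).asn;
      forgedByAsn[asn] = (forgedByAsn[asn] || 0) + 1;
    }
  }
  return { counts, forgedByAsn };
}

console.log(JSON.stringify(summarize(requestIps), null, 2));
```

In production the two tables come from a registry dump and a BGP feed rather than literals, and the registry record alone is never treated as ground truth; the point of the forged registrations was precisely that the record says what the operator wants it to say.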

Methbot Ad Fraud Profit Machine

Since both human audiences and premium publisher inventory are in high demand, Methbot manufactures both as its product: it supplies faked audiences and hijacks the brand power of prestigious publishers through spoofed domains and falsified inventory.

[Figure: Methbot profit machine]

Methbot – Technical Analysis

Bot Characteristics

Methbot uses its own customised software with a pool of dedicated IP addresses. White Ops' detection technology used the JavaScript language feature called reflection, which lets running code inspect the objects and functions of its own environment, to gather extensive, detailed information about the bot's inner workings.

The bot runs under Node.js and uses several open source libraries to add other features. It operates as a large-scale, multi-data-centre distributed system to achieve parallel, reliable and redundant operation.

Some open source libraries and tools used in the bot include:

  • tough-cookie for preserving session data between executions.
  • cheerio for parsing HTML.
  • JW Player for running ad tags and requesting video advertisements.
  • Node.js as the runtime.

Chrome was the browser identity White Ops saw in the highest volume, including minor versions 53 and 54. Firefox 47, Internet Explorer 11 and Safari 9.1 and 9.2 were also represented. Methbot operators also spoofed operating systems, including Windows 10 (and some older versions) and several versions of Mac OS X from 10.6 to 10.12.1.

To date White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.

Sample of Methbot generated URLs

To find a complete list of URLs.

  1. http://ibtimes.co.uk/video
  2. http://vogue.com/video
  3. http://economist.com/video
  4. http://espn.com/video
  5. http://www.cbssports.com/CBS_Air_Force_Falcons_Fall_Gear
  6. http://fortune.com/2016/09/28/department-stores-closings/
  7. http://foxnews.com/video

Methbot Farm

  • 800 – 1,200 dedicated Methbot servers.
  • Distributed system to leverage parallel, reliable, and redundant operations.
  • Browser impersonation to resolve against fabricated premium domains.
  • Forged browser aspects including objects like screen information, plugin list, built-in functions, and supported events.

[Figure: Methbot farm]
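The checks below are an added illustration of the reflection-based approach the Technical Analysis describes; they are not White Ops' detection code. The two window objects are constructed stand-ins (this runs under Node.js, where there is no real DOM) approximating a genuine Chrome 53 environment and a forged one assembled from JavaScript re-implementations of browser built-ins. Each check targets one of the forged aspects listed above: built-in functions, screen information, the plugin list, supported events, and the claimed browser identity.

```javascript
'use strict';

// Returns true when fn stringifies as a built-in, i.e. its body is hidden as
// "[native code]". A bot that re-implements a built-in in plain JavaScript
// (a Node.js polyfill, for example) leaks its own source here instead.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Runs a set of consistency checks over a window-like object and returns the
// list of indicators that fired. An empty list means nothing looked off.
function inspectEnvironment(win) {
  const indicators = [];
  const nav = win.navigator || {};
  const scr = win.screen || {};

  // 1. Built-in functions: these are native in every real browser.
  for (const [name, fn] of [['Date.now', win.Date && win.Date.now],
                            ['JSON.parse', win.JSON && win.JSON.parse],
                            ['Math.random', win.Math && win.Math.random]]) {
    if (!looksNative(fn)) indicators.push(`non-native ${name}`);
  }

  // 2. Screen information: the usable area can never exceed the physical
  //    screen, and colour depth and pixel depth agree in real browsers.
  if (scr.availWidth > scr.width || scr.availHeight > scr.height) {
    indicators.push('screen.avail* larger than screen');
  }
  if (scr.colorDepth !== scr.pixelDepth) indicators.push('colorDepth != pixelDepth');

  // 3. Plugin list: browsers expose a PluginArray host object, not a plain
  //    Array; Object.prototype.toString reveals the difference.
  const tag = Object.prototype.toString.call(nav.plugins);
  if (tag !== '[object PluginArray]') indicators.push(`plugins is ${tag}`);

  // 4. Supported events: a real window carries on* handler slots for the
  //    input events a human would generate.
  for (const ev of ['onclick', 'onmousemove', 'onscroll', 'onkeydown']) {
    if (!(ev in win)) indicators.push(`missing ${ev}`);
  }

  // 5. Browser identity: a Chrome user agent without the window.chrome
  //    object Chrome always exposes is a classic forged-identity tell.
  if (/Chrome\//.test(nav.userAgent || '') && typeof win.chrome !== 'object') {
    indicators.push('Chrome UA without window.chrome');
  }
  return indicators;
}

// --- Constructed stand-ins; neither is a real browser object. ---

// Approximation of a genuine Chrome 53 on Windows 10. The Symbol.toStringTag
// assumption mimics the host object's "[object PluginArray]" tag.
const genuineWindow = {
  navigator: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
    plugins: Object.assign([{ name: 'Shockwave Flash' }], { [Symbol.toStringTag]: 'PluginArray' }),
  },
  screen: { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040, colorDepth: 24, pixelDepth: 24 },
  chrome: {},
  onclick: null, onmousemove: null, onscroll: null, onkeydown: null,
  Date, JSON, Math,
};

// Approximation of a forged environment assembled in Node.js: the same UA
// string, but built-ins are JavaScript re-implementations, the plugin list is
// a plain Array, the screen geometry is impossible, and no input-event slots
// or window.chrome exist.
const forgedWindow = {
  navigator: {
    userAgent: genuineWindow.navigator.userAgent,
    plugins: [{ name: 'Shockwave Flash' }],
  },
  screen: { width: 1024, height: 768, availWidth: 1024, availHeight: 800, colorDepth: 24, pixelDepth: 32 },
  Date: { now: () => 1475280000000 },  // fixed clock implemented in JS
  JSON,
  Math: { random: () => 0.42 },         // deterministic "randomness"
};

console.log('genuine:', inspectEnvironment(genuineWindow));
console.log('forged :', inspectEnvironment(forgedWindow));
```

Function.prototype.toString is itself overridable, so a bot that also patches it can hide non-native built-ins; that is exactly the kind of per-vendor countermeasure the report describes Methbot carrying, and why such checks are combined and rotated rather than relied on singly.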

Financial Impact

White Ops consulted with AD/FIN, a programmatic media intelligence company, for representative cost data on the Methbot URL list. The analysis produced through this partnership showed that Methbot-generated ad impressions sell for anywhere from $3.27 CPM to $36.72 CPM.

The average CPM for URLs manufactured by Methbot was $13.04. The financial repercussions of Methbot continue to reverberate through the industry.

Since early October 2016, White Ops estimates it has been running at a daily rate of 200 million to 300 million impressions. AD/FIN's CPM data places the value of this daily activity between $3 million and $5 million per day.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
