Thursday, March 28, 2024

Tremendous Ad Fraud ‘Methbot’ : Attackers earn $3-5M Every day

What is Methbot Ad Fraud?

Methbot was hosted and controlled by a hacker group in Russia and Operating out with data centres in US and Netherlands. It was also nicknamed as “methbrowser,” , because it has a fake browser which redirect’s itself.

These “bot farm” generates approximately $3 to $5 million per day by targeting the premium video advertising ecosystem. Experts from Whiteops detected and blocked the malicious  activity generated by Methbot on behalf of their customers.

Overview of Methbot behaviour

Volume and Estimated Financial Impact

  • Advanced Techniques to Avoid Detection Operational Infrastructure
  • $3 to $5 million in revenue per day for its operators.
  • CPMs ranged from $3.27 to $36.72 with the average being $13.04.
  • 200 – 300 million video ad impressions generated per day on fabricated inventory.
  • 250,267 distinct URLs spoofed to falsely represent inventory.
  • 6,111 premium domains targeted and spoofed.
  • High value marketplaces targeted including PMPs.

Operation Infrastructure

  • 571,904 dedicated IPs, many falsely registered as US ISPs .
  • 800 – 1,200 dedicated servers operating from data centres in the United States and the Netherlands

Advanced Methods to Avoid Detection

  • Faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers.
  • Manipulation of geolocation information associated with the IP addresses under their control.
  • Special case countermeasures against code from over a dozen different ad tech companies.
  • Fully custom HTTP library and browser engine with Flash support, all running under Node.js.

Impact of the Methbot is unmatched, by fabricating  as much as $5 million in video advertising inventory per day

Methbot far exceeds the financial damages done by previously discovered botnets. ZeroAccess is thought to have collected as much as $900,000 per day1 , the Chameleon Botnet up to $200,000 per day2, and HummingBad up to $10,000 per day3 .

methbot revenues - Methbot Ad Fraud

Inorder to avoid detection, developer group implemented array of operations. More than the normal botnet it involves attacks on existing IP addresses and piggybacking on residential computers.

With these forged IP registrations has allowed the Methbot operation to evade typical datacenter detection methodology. This marks an innovation that transcends beyond traditional botnets, allowing Methbot to scale beyond anything the industry has seen before and placing it in a new class of bot fraud.

Methbot Ad Fraud Profit Machine

Since both human audiences and premium publisher inventory are in high demand, Methbot Ad Fraud focuses on manufacturing both of these as its product.

By supplying faked audiences and hijacking the brand power of prestigious publishers through faked domains and falsified inventory.

methbot profit machine - Methbot Ad Fraud

Methbot – Technical Analysis

Bot Characteristics

Methbot uses it’s own customised software’s with a pool of dedicated IP address. White Ops  team detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings.

The bot runs under Node.js, and uses several open source libraries to add other features. It operates primarily on a large scale multi-data center distributed system to leverage parallel, reliable, and redundant operations.

Some open source libraries and tools used in the bot include:

  • Tough-cookie for preserving session data between executions.
  • cheerio for parsing HTML.
  • JWPlayer for running ad tags and requesting video advertisements.
  • Node.JS

Chrome is the browser identity of which White Ops detected the highest volume, including minor versions 53 and 54. Firefox 47, Internet Explorer 11 and Safari 9.1 and 9.2 are also represented. Methbot operators also spoofed operating system including Windows 10 — and some older versions — and several versions of Mac OS X from 10.6 to 10.12.1.

To date White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.

Sample of Methbot generated URLs

To find a complete list of URL’s.

  1. http://ibtimes.co.uk/video
  2. http://vogue.com/video
  3. http://economist.com/video
  4. http://espn.com/video
  5. http://www.cbssports.com/CBS_Air_Force_Falcons_Fall_Gear
  6. http://fortune.com/2016/09/28/department-stores-closings/
  7.  http://foxnews.com/video 

Methbot form

  • 8,000 – 1,200 dedicated Methbot servers.
  • Distributed system to leverage parallel, reliable, and redundant operations.
  • Browser impersonation to resolve against fabricated premium domains.
  • Forged browser aspects including objects like screen information, plugin list, built in functions, and supported events
methbot farm - Methbot Ad Fraud

Financial knock

White Ops consulted with AD/FIN, a programmatic media intelligence company, for representative cost data on the Methbot URL list.The analysis produced through this partnership showed that Methbot Ad Fraud generated ad impressions sell for anywhere from $3.27 CPM to $36.72 CPM.

The average CPM for URLs manufactured by Methbot was $13.04. The financial repercussions of Methbot continue to reverberate through the industry.

Since early October 2016 White Ops estimates it has been running at a daily rate of 200 million to 300 million impressions per day.AD/FIN’s CPM data places a value of this daily activity between $3 million and $5 million dollars per day.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles