Tremendous Ad Fraud ‘Methbot’ : Attackers earn $3-5M Every day

What is Methbot Ad Fraud?

Methbot was hosted and controlled by a hacker group in Russia and Operating out with data centres in US and Netherlands. It was also nicknamed as “methbrowser,” , because it has a fake browser which redirect’s itself.

These “bot farm” generates approximately $3 to $5 million per day by targeting the premium video advertising ecosystem. Experts from Whiteops detected and blocked the malicious  activity generated by Methbot on behalf of their customers.

Overview of Methbot behaviour

Volume and Estimated Financial Impact

• Advanced Techniques to Avoid Detection Operational Infrastructure
• $3 to $5 million in revenue per day for its operators.
• CPMs ranged from $3.27 to $36.72 with the average being $13.04.
• 200 – 300 million video ad impressions generated per day on fabricated inventory.
• 250,267 distinct URLs spoofed to falsely represent inventory.
• 6,111 premium domains targeted and spoofed.
• High value marketplaces targeted including PMPs.

Operation Infrastructure

• 571,904 dedicated IPs, many falsely registered as US ISPs .
• 800 – 1,200 dedicated servers operating from data centres in the United States and the Netherlands

Advanced Methods to Avoid Detection

• Faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers.
• Manipulation of geolocation information associated with the IP addresses under their control.
• Special case countermeasures against code from over a dozen different ad tech companies.
• Fully custom HTTP library and browser engine with Flash support, all running under Node.js.

Impact of the Methbot is unmatched, by fabricating  as much as $5 million in video advertising inventory per day

Methbot far exceeds the financial damages done by previously discovered botnets. ZeroAccess is thought to have collected as much as $900,000 per day1 , the Chameleon Botnet up to $200,000 per day2, and HummingBad up to $10,000 per day3 .

Inorder to avoid detection, developer group implemented array of operations. More than the normal botnet it involves attacks on existing IP addresses and piggybacking on residential computers.

With these forged IP registrations has allowed the Methbot operation to evade typical datacenter detection methodology. This marks an innovation that transcends beyond traditional botnets, allowing Methbot to scale beyond anything the industry has seen before and placing it in a new class of bot fraud.

Methbot Ad Fraud Profit Machine

Since both human audiences and premium publisher inventory are in high demand, Methbot Ad Fraud focuses on manufacturing both of these as its product.

By supplying faked audiences and hijacking the brand power of prestigious publishers through faked domains and falsified inventory.

Methbot – Technical Analysis

Bot Characteristics

Methbot uses it’s own customised software’s with a pool of dedicated IP address. White Ops  team detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings.

The bot runs under Node.js, and uses several open source libraries to add other features. It operates primarily on a large scale multi-data center distributed system to leverage parallel, reliable, and redundant operations.

Some open source libraries and tools used in the bot include:

• Tough-cookie for preserving session data between executions.
• cheerio for parsing HTML.
• JWPlayer for running ad tags and requesting video advertisements.
• Node.JS

Chrome is the browser identity of which White Ops detected the highest volume, including minor versions 53 and 54. Firefox 47, Internet Explorer 11 and Safari 9.1 and 9.2 are also represented. Methbot operators also spoofed operating system including Windows 10 — and some older versions — and several versions of Mac OS X from 10.6 to 10.12.1.

To date White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that were generated by Methbot in the act of impersonating a user visiting a web page.

Sample of Methbot generated URLs

To find a complete list of URL’s.

1. http://ibtimes.co.uk/video
2. http://vogue.com/video
3. http://economist.com/video
4. http://espn.com/video
5. http://www.cbssports.com/CBS_Air_Force_Falcons_Fall_Gear
6. http://fortune.com/2016/09/28/department-stores-closings/
7. http://foxnews.com/video

Methbot form

• 8,000 – 1,200 dedicated Methbot servers.
• Distributed system to leverage parallel, reliable, and redundant operations.
• Browser impersonation to resolve against fabricated premium domains.
• Forged browser aspects including objects like screen information, plugin list, built in functions, and supported events

Financial knock

White Ops consulted with AD/FIN, a programmatic media intelligence company, for representative cost data on the Methbot URL list.The analysis produced through this partnership showed that Methbot Ad Fraud generated ad impressions sell for anywhere from $3.27 CPM to $36.72 CPM.

The average CPM for URLs manufactured by Methbot was $13.04. The financial repercussions of Methbot continue to reverberate through the industry.

Since early October 2016 White Ops estimates it has been running at a daily rate of 200 million to 300 million impressions per day.AD/FIN’s CPM data places a value of this daily activity between $3 million and $5 million dollars per day.