A Russian hacker gang using advanced software tools is earning millions of dollars a day by faking webpages from major media companies and then charging advertisers when their videos are “played” by the hackers’ software, masquerading as real viewers.
The operation, dubbed “Methbot” by the researchers who found it, is generating as many as 300 million fake impressions per day on video ads using falsified webpages fraudulently registered and designed to resemble pages from premium publishers like ESPN, Vogue and Fortune.
More than 6,000 of these premium domains were spoofed, according to White Ops, a security firm that’s working to put the hackers out of business — and more than a quarter of a million fake pages created. Fake internet users — created by custom-written browsers and operating from half-a-million IP addresses falsely registered to U.S. internet service providers — then “watched” the ads. The browser was even designed to mimic mouse movements, social media logins and other characteristics of real users in order to fool anti-click-fraud security software and drive up the price of the impressions.
The CPM — or cost per thousand impressions — for the ads the fake Methbot users played ran from $3.27 to $36.72. The average CPM for clicks manufactured by Methbot was $13.04. With hundreds of millions of fake impressions every day, researchers calculate the hackers were earning between $2 million and $5 million every day.
The scam works, the researchers say, because of the “complexity, interconnectivity, and resulting anonymity of the advertising ecosystem,” in which ads from different companies are bundled together by automated platforms (demand side platforms, or DSPs) and sold to other automated platforms (supply side platforms, or SSPs), which distribute them to publishers.
As a result, advertisements and the clicks on them may pass through many systems and companies on their way from the advertiser to the viewer and back again. “Tracing that complete path back through the various marketplaces proves difficult due to walled gardens, reselling, competing interests, and limitations on human capital to devote to this initiative,” add the researchers.
“Methbot elevates ad fraud to a whole new level of sophistication and scale,” said Michael Tiffany, co-founder and CEO of White Ops, in a statement. “The most expensive advertising on the internet is full-sized video ads, on name brand sites, shown to users who are logged into social media and who show signs of ‘engagement.’ The Russian operators behind Methbot targeted the most profitable ad categories and publishers.”
“This fraud operation represents a significant threat to the integrity of the ecosystem and we appreciate White Ops’ leadership in sharing this intelligence with the broader digital advertising community,” said Mike Zaneis, CEO of the advertisers association Trustworthy Accountability Group.
White Ops says that the number of fake clicks generated by Methbot is many times larger than prior fraud schemes that relied on hijacking real users’ computers with malicious software.
Tiffany called Methbot, so named because of references to meth in the code, “a game changer in ad fraud.”
Previously, fraudsters relied on infecting personal computers with malware, which then generated the ad clicks in the background, unbeknownst to the machines’ users.
“However, this approach has been a limiting factor because of the work needed to continually infect new home computers — especially while existing infections are being discovered and cleaned by anti-malware vendors,” White Ops researchers state in their report. By contrast, the cybercriminals running Methbot “invested significant time, research, development, and resources to build infrastructure designed to remove these limitations and provide them with unlimited scale.”
Using falsified documents, the gang was able to obtain or lease 571,904 real IP addresses, using them to generate fraudulent ad clicks that appeared to come from legitimate U.S. residential ISPs.
“The value of these IP addresses alone is over $4 million today,” the researchers state.
The fake pages were hosted on 800-1,200 dedicated Methbot servers, rented from data centers in the U.S. and the Netherlands, with their real origin hidden by proxies.
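The article describes two traits an ad buyer or SSP could screen for: impressions attributed to lookalike domains that imitate premium publishers, and impressions arriving in bulk from dedicated-server IP space rather than from individual residential users. The following is an added illustration, not White Ops’ detection logic or anything from their report; the publisher allowlist, the datacenter address block, and the impression records are all constructed sample values, and the brand-substring matching is a deliberately simple heuristic.

```python
"""Heuristic screening of video-ad impression records for two of the
Methbot traits described in the article: spoofed lookalike publisher
domains and bursts of impressions from dedicated-server IP space.
Constructed example; not the researchers' own detection method."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Hypothetical allowlist of real premium publisher domains an SSP accepts.
PREMIUM_PUBLISHERS = {"espn.com", "vogue.com", "fortune.com"}

# Hypothetical address blocks the buyer knows belong to hosting providers
# (constructed value from the RFC 5737 documentation range).
DATACENTER_RANGES = [ip_network("203.0.113.0/24")]

# Constructed impression log: (source_ip, page_url, seconds since start).
IMPRESSIONS = [
    ("198.51.100.7", "https://www.espn.com/nfl/story/123", 0),
    ("203.0.113.5", "https://espn-videos.example/watch/1", 1),
    ("203.0.113.5", "https://vogue-style.example/a", 5),
    ("203.0.113.5", "https://vogue-style.example/b", 9),
    ("203.0.113.5", "https://vogue-style.example/c", 14),
    ("198.51.100.9", "https://www.fortune.com/2016/story", 30),
]


def registrable_domain(url):
    """Reduce a page URL to its last two labels (crude eTLD+1)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(domain, allowlist):
    """Return the premium domain this one imitates, or None.

    A domain counts as a lookalike when it is not itself on the allowlist
    but its leftmost label contains a premium brand label (e.g. 'espn')."""
    if domain in allowlist:
        return None
    label = domain.split(".")[0]
    for real in sorted(allowlist):
        if real.split(".")[0] in label:
            return real
    return None


def in_datacenter(ip):
    """True when the source address falls inside a known hosting range."""
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def screen(impressions, max_per_ip_per_minute=3):
    """Map each suspicious source IP to the sorted list of reasons raised."""
    reasons = defaultdict(set)
    per_ip_minute = Counter()
    for ip, url, ts in impressions:
        dom = registrable_domain(url)
        real = lookalike_of(dom, PREMIUM_PUBLISHERS)
        if real:
            reasons[ip].add(f"spoofed domain {dom} imitates {real}")
        if in_datacenter(ip):
            reasons[ip].add("source IP in known dedicated-server range")
        key = (ip, ts // 60)
        per_ip_minute[key] += 1
        if per_ip_minute[key] > max_per_ip_per_minute:
            reasons[ip].add("impression rate exceeds human-plausible volume")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in screen(IMPRESSIONS).items():
        print(ip, "->", "; ".join(why))
```

Each check on its own is weak: brand-substring matching also catches unaffiliated fan sites, and a hosting-range list only helps when the buyer maintains one. The point is that an impression carrying several of these signals at once, as the constructed 203.0.113.5 records do, is worth holding back from payment until the traffic source can be verified.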