White Ops Blows The Lid Off A $1 Billion-Plus Russian Botnet

Meet Methbot, the Russian hacking operation that’s costing advertisers between $3 million and $5 million a day.

At the very least, that’s a little over $1 billion a year – a hefty chunk of the ad industry’s estimated $7.2 billion annual ad fraud problem.

White Ops first uncovered the browser-based botnet in September 2015, when it was a minor operation, and continued tracking its evolution and various iterations through October 2016, when it started to ramp up its volume significantly.

Methbot’s fraud of choice: gaming high-CPM full-size video inventory.

(The name “Methbot” is a mystery. It appears to be the name the hackers themselves chose for their creation. White Ops noticed it woven into the code of the botnet’s malware signature.)

White Ops consulted with digital analytics and programmatic media intelligence company AdFin to figure out the real value of the inventory on the sites being spoofed by Methbot – an average CPM of just over $13.

By combining that information with the amount of traffic it was observing, White Ops estimated that Methbot was sucking up between $3 million and $5 million a day in US ad spend.

The bad actors behind Methbot clearly have a deep and highly developed understanding of how the programmatic advertising ecosystem operates.

“It was layers of sophisticated on top of layers of sophistication – it blew us away,” said White Ops CEO and co-founder Michael Tiffany, with grudging professional admiration for his adversary.

Most botnets comprise a network of real people’s computers that are infected by malware, with cybercriminals at the helm, so perpetrators have to infect new computers when their malware is discovered.

Methbot took a different approach, forging nearly 600,000 IP address registrations and associating them with internet services providers in the US – including Verizon, Comcast and Spectrum – to make the traffic look like it was coming from real homes spread out across America.
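One way to triage claims like those forged registrations is to compare what the registry record says about a range with where that range is actually announced in BGP: residential ISP space that is originated by an unrelated network, or not originated at all, deserves a closer look. The script below is an added example of that check, not White Ops tooling and not how White Ops says it found Methbot. Everything in it is constructed: the RFC 5737 documentation ranges, the private-use ASNs, the invented ISP names, and the `ISP_ASNS` map of which ASNs each ISP is assumed to operate.

```python
"""Flag IP ranges whose registry record claims a residential ISP while the BGP
announcement covering that range comes from an ASN the ISP does not operate.
Added example, not White Ops tooling. All data is constructed: RFC 5737
documentation ranges, private-use ASNs (64500-64510) and invented ISP names."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    prefix: str  # range as it appears in the registry (WHOIS/RDAP) record
    org: str     # organisation the record claims holds the range


@dataclass(frozen=True)
class Route:
    prefix: str      # announced prefix as seen in a BGP feed
    origin_asn: int  # AS that originates the announcement


# Assumption: a maintained map of which ASNs each ISP actually originates from.
ISP_ASNS = {
    "Residential ISP A": {64500, 64501},
    "Residential ISP B": {64502},
}

# Constructed registry records; two are "forged" in the sense used in the article.
REGISTRATIONS = [
    Registration("192.0.2.0/24", "Residential ISP A"),      # genuine
    Registration("198.51.100.0/24", "Residential ISP A"),   # claims ISP A, routed by a hoster
    Registration("203.0.113.0/25", "Residential ISP B"),    # genuine
    Registration("203.0.113.128/25", "Residential ISP B"),  # claims ISP B, never announced
    Registration("198.51.100.0/22", "Hosting Co"),          # not claiming residential space
]

# Constructed routing observations.
ROUTES = [
    Route("192.0.2.0/24", 64500),
    Route("198.51.100.0/22", 64510),  # the hoster's aggregate covers the forged /24
    Route("203.0.113.0/25", 64502),
]


def covering_route(net, routes):
    """Most-specific announced route that fully contains `net`, or None."""
    best, best_len = None, -1
    for r in routes:
        rnet = ipaddress.ip_network(r.prefix)
        if rnet.version == net.version and net.subnet_of(rnet) and rnet.prefixlen > best_len:
            best, best_len = r, rnet.prefixlen
    return best


def find_forged_registrations(registrations, routes, isp_asns=ISP_ASNS):
    """Return (registered prefix, claimed org, origin ASN or None) for every range
    that claims a known ISP but is either originated by an ASN that ISP does not
    operate or is not announced at all."""
    flagged = []
    for reg in registrations:
        if reg.org not in isp_asns:
            continue  # not claiming to be residential space; out of scope here
        net = ipaddress.ip_network(reg.prefix)
        route = covering_route(net, routes)
        if route is None:
            flagged.append((reg.prefix, reg.org, None))
        elif route.origin_asn not in isp_asns[reg.org]:
            flagged.append((reg.prefix, reg.org, route.origin_asn))
    return flagged


if __name__ == "__main__":
    for prefix, org, asn in find_forged_registrations(REGISTRATIONS, ROUTES):
        print(f"{prefix}: registered to {org}, originated by {asn or 'nobody'}")
```

In production the registration and route tables would come from RDAP lookups and a BGP feed rather than inline lists, and the ISP-to-ASN map has to be curated, since large ISPs originate from many ASNs. Treat a hit as a triage signal to be confirmed against traffic behaviour, not as proof of fraud on its own.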

The bot operators created more than 250,000 fake web pages with counterfeit inventory from over 6,000 top-line publishers, including The Economist, The Huffington Post, Vogue, ESPN, Fox News and CBS Sports.

The fake sites were very convincing. The browser’s address bar was rigged so that anyone looking at it would see what seemed like a legitimate URL.

The automated Methbot browsers generated between 200 million and 300 million bogus video ad impressions per day and faked clicks, mouse movements and social login information as a way to hoodwink anti-fraud vendors.

A lot of this activity took place on the open exchange, which gave Methbot the cover it needed to commit its crimes. Methbot also insinuated itself into private marketplace deals, which are generally believed to be fraud-free and more brand-safe.

Because there aren’t authorized reseller programs for online inventory, no one bats an eye when various third parties and ad networks have access to inventory from primo websites – or what appear to be primo websites, said Tiffany.

“The Methbot operators take advantage of that fact,” he said. “The ultimate source of truth about where an advertising opportunity is happening is in the browser – but if you carefully rig the browser to lie about that, there is almost no defense.”

That’s because the notion of “let the buyer beware” doesn’t apply here. Some publishers are duped into buying bad traffic, and some do it with their eyes open, looking the other way. But in this case, the publishers that were victimized had no idea their sites were being spoofed.

White Ops is working with the Trustworthy Accountability Group to coordinate an industry-wide action against Methbot. Although Tiffany was prohibited from going into details about their efforts, he was able to say that White Ops is “in contact with federal law enforcement.”

Fraudsters are generally nimble, slippery and anonymous. Catch them and they dissolve into the night, only to almost immediately set up a new operation. For the moment, the risk/reward ratio of ad fraud makes it a far more attractive playground than other more regulated areas like banking, credit card fraud or identity theft.

“Ad fraud is one of the few places where you can have recurring revenue for cybercrime with little risk,” said Tamer Hassan, CTO and co-founder of White Ops.

But although Methbot was an elite operator in this space, its sophistication is also its Achilles’ heel.

Falsifying and commandeering an army of hundreds of thousands of fraudulent IP addresses – the buttress propping up the entire scheme – is not easily replicable, Tiffany said. It took years for Methbot to ramp up, and putting it out of commission could turn off the spigot on around one-seventh of annual global ad fraud losses.

“When players in the programmatic space know to stop trafficking to these IP addresses, we’re going to be able to take this thing down – this operation will truly not be able to recover,” said Tiffany, who noted that White Ops is making all of the data it has on Methbot available on its website, including the 6,000-odd spoofed publisher domains and roughly 600,000 falsely registered IP addresses.
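What "stop trafficking to these IP addresses" looks like on the buy side is a screen over incoming bid requests. The script below is an added example of that screen, not White Ops or TAG code. It assumes a published list in a plain one-entry-per-line format (IPs or CIDRs) and OpenRTB 2.x field names (`device.ip`, `device.ipv6`, `site.domain`); the list contents and the bid requests are constructed from RFC 5737 and RFC 3849 documentation addresses and `example.*` names, not the real Methbot indicators. A listed IP is blocked outright, while a site that merely claims one of the spoofed publisher domains is only flagged for review, because those domains belong to legitimate publishers who were victims here.

```python
"""Screen OpenRTB-style bid requests against a published list of fraud IP
ranges and a list of publisher domains known to be spoofed. Added example,
not White Ops or TAG code. The list contents and requests are constructed
(RFC 5737/3849 addresses, example.* names), not the actual indicators."""
import ipaddress
import json

# Assumed list format: one IP or CIDR per line, '#' comments and blank lines allowed.
BLOCKED_IPS_TEXT = """\
# constructed sample, not the real list
192.0.2.0/24
198.51.100.17
203.0.113.64/26
2001:db8:ff::/48
"""

# Domains the fake pages impersonate; these publishers are victims, so a match
# here is a reason to scrutinise the supply path, not to block the domain.
SPOOFED_DOMAINS_TEXT = """\
news.example.org
sports.example.net
"""

# Constructed bid requests, one JSON object per line, using OpenRTB 2.x field names.
SAMPLE_REQUESTS = """\
{"id": "r1", "device": {"ip": "192.0.2.77"}, "site": {"domain": "news.example.org"}}
{"id": "r2", "device": {"ip": "203.0.113.200"}, "site": {"domain": "video.sports.example.net"}}
{"id": "r3", "device": {"ip": "203.0.113.100"}, "site": {"domain": "unrelated.example"}}
{"id": "r4", "device": {"ipv6": "2001:db8:1::1"}, "site": {"domain": "unrelated.example"}}
{"id": "r5", "device": {"ip": "198.51.100.2"}, "site": {"domain": "other.example"}}
{"id": "r6", "device": {"ip": "not-an-ip"}, "site": {"domain": "other.example"}}
"""


def load_networks(text):
    """Parse the list into collapsed networks, keyed by IP version."""
    by_version = {4: [], 6: []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net = ipaddress.ip_network(line, strict=False)
            by_version[net.version].append(net)
    # collapse_addresses merges overlapping and adjacent entries so lookups stay cheap
    return {v: list(ipaddress.collapse_addresses(nets)) for v, nets in by_version.items()}


def load_domains(text):
    """Lower-cased, trailing-dot-stripped set of spoofed domains."""
    return {line.strip().lower().rstrip(".") for line in text.splitlines() if line.strip()}


def ip_listed(ip_str, networks):
    """True/False if ip_str parses and is/is not listed; None if it does not parse."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    return any(addr in net for net in networks[addr.version])


def domain_spoofed(domain, spoofed):
    """Exact or subdomain match against the spoofed-domain list."""
    d = domain.strip().lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in spoofed)


def classify(request, networks, spoofed):
    """'block' if the device IP is on the list, 'review' if the IP is missing or
    unparseable or the site claims a spoofed domain, 'allow' otherwise."""
    device = request.get("device", {})
    ip = device.get("ip") or device.get("ipv6")
    if ip is None:
        return "review"
    listed = ip_listed(ip, networks)
    if listed is None:
        return "review"
    if listed:
        return "block"
    domain = request.get("site", {}).get("domain", "")
    if domain and domain_spoofed(domain, spoofed):
        return "review"
    return "allow"


def screen_requests(json_lines, ips_text=BLOCKED_IPS_TEXT, domains_text=SPOOFED_DOMAINS_TEXT):
    """Return [(request id, verdict)] for each non-empty JSON line."""
    networks = load_networks(ips_text)
    spoofed = load_domains(domains_text)
    results = []
    for line in json_lines.splitlines():
        if line.strip():
            req = json.loads(line)
            results.append((req.get("id"), classify(req, networks, spoofed)))
    return results


if __name__ == "__main__":
    for rid, verdict in screen_requests(SAMPLE_REQUESTS):
        print(rid, verdict)
```

Two caveats a practitioner would add: an IP list is a point-in-time snapshot and has to be refreshed as the operator moves, and, given Tiffany's point that a rigged browser can lie about where the ad is running, the `site.domain` claim in a bid request is exactly the field the fraud controls, so the domain match can only ever raise suspicion, never clear a request.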

But Tiffany declined to say whether law enforcement will be looking to prosecute the hackers. That could be a complicated process, considering that Methbot is an international operation, with data centers in Amsterdam and the US in addition to its headquarters in Russia.

Even if the specific hackers behind Methbot aren’t prosecuted, though, outing Methbot’s methods brings the industry one step closer to making ad fraud into a manageable problem.

“Measures like this alter the economics of bot fraud in a way that starts to make it unattractive,” Tiffany said. “How can we make a $7 billion problem shrink by many orders of magnitude so that it’s only a, say, $70 million problem? Some people will still do it, but it won’t attract genius-level operators.”

Genius-level operators using their ill-gotten gains for undoubtedly unsavory purposes. In essence, international crime indirectly funded by CPG brands, auto brands and brand name retailers.

“Sometimes, ad fraud is lumped in with other forms of waste or inefficiency or even quality issues, but it really is categorically distinct,” Tiffany said. “We’re not talking about dropping some money on the floor or whether there should be more ads above or below the fold. This is funding organized crime.”



17 Comments

  1. The scale of this always makes me wonder how the fraudsters get paid; doesn't the money eventually have to tie back to account IDs in the exchanges, get paid to US bank accounts, etc? The volume would seem to trip alarms if it was consolidating into a few accounts, or require enormous outreach and people to operate the relationship piece of the business...especially for premium, branded inventory like this.

    • I agree with Ben,
      As long as these transactions don't ring any bells, no alarms go off, the robbery will continue. 3-5M/day USD were trafficked to some accounts, how hard can it be to trace them?

  2. This massive fraud operation represents a significant threat to the integrity of the ecosystem, and it shows why TAG's work is so vital in bringing the digital advertising industry together to share information, adopt rigorous standards, validate best practices, and increase transparency.

    Within 24 hours of our notification by White Ops, TAG was able to alert 130 fraud compliance officers at the largest and most influential digital advertising companies and bring the vast majority of those anti-fraud leaders together to learn details of the attack and determine the appropriate action for their companies to take.

    In addition to sharing that information directly with companies, TAG is also expediting its review of the IP addresses shared by White Ops for inclusion on TAG's shared blacklist of data center IP addresses that are significant sources of fraud. Given that the most advanced feature of this operation was its forged IP space, we believe TAG’s information-sharing platform will allow responsible industry actors to mitigate the threat quickly and effectively.

    As scores of additional companies join the initial group of participants approved earlier this month to TAG's Certified Against Fraud Program, TAG will continue to build a unified defense against the criminals who steal from our industry. We deeply appreciate White Ops’ leadership in sharing this intelligence with the broader digital advertising community.

  3. This article is great PR fluff and adding in that is the Russians ensures extra coverage. Well played White Ops. In the meantime, this bot network and the next one will eventually get blocked from the exchanges but fraud will continue. The next article on another bot network found should be a good read. Additionally, nobody will do anything about the US companies who participate in fraud (publishers, “media companies” like USA Media Holdings) or stand idly by doing only enough for appearances (SSPs, DSPs) because they wouldn’t have enough inventory if they actually blocked all fraud (not just bots).

  4. Fraud is clearly a big issue but it is never going to be solved unless we as an industry set a common standard. Big publishers, marketplaces, ad servers and brands need to come together to create a standard fraud detection system. Ideally it should be a not for profit company (IAB) that provides its fraud detection system FREE to all advertisers, marketplaces, ad servers and publishers regardless of size. There are too many companies like White Ops, Double Verify, Forensiq, IAS and many others all claiming to be the best fraud detection company. Every few months one of these companies sends out a press release that they have found something that no one else did. This is important information for the industry to have and potentially saves the industry millions of dollars. The problem is advertisers and publishers are left wondering who is the right company to use for fraud detection. This month it must be White Ops but next month maybe IAS or Double Verify will release something and then they must be the best. The added expense of using more than one of these companies to analyze every impression is cost prohibitive for a lot of companies. We need a standard!

  5. Mike Bloom

    I have one question...Why did WhiteOps just watch the evolution of Methbot (since SEPTEMBER 2015) and NOT notify the publishers/agencies/brands that were being affected?

    • If WhiteOps were following the MRC IVT Addendum then they would have been filtering this delivery in reporting all year (as we were) which protects clients assuming those numbers are used to impact billing. So, their clients should know about it already.

      If they weren't filtering this vehicle in reporting then that would be a material breach of MRC IVT Addendum requirements and would bring into question the status of their MRC accreditation for IVT. i.e. The guidelines don't allow you to sit on a known IVT vehicle for a year while you wait for the optimum time for a press piece and filter release.

  6. "MethBrowser" (as we call it) has been delivering at volume all year, maybe WhiteOps just took on a new client, or one of their existing clients started delivering to it in October for the first time increasing their visibility into its footprint.

    Personally, I thought we were past press pieces on fraud vehicles after the awful “xindibot” report. Filtration in reporting as per MRC guidelines is all that should be needed in 2016 and potential clients should be able to easily test out different verification providers on the same test campaign before making an informed decision based on actual capabilities (VPAID 3 might help here).

    However, none of this matters when the industry still isn't following the money to cut these people out completely, and it’s not because the industry can’t do so. It is a choice to monetize that inventory even though one is aware it is suspect and that choice is made close to home (not in the former USSR). If a US based exchange has had per-Impression/IP visibility into this vehicle since 2015, but they are still accepting it, who is really to blame for the (alleged) $1 Billion loss to advertisers?

    • I agree with Ash that the ad exchanges / SSPs are essentially complicit in this fraud. They are the ones who ultimately cut the checks. These people have been paid out large sums of money for at least a year. Let's not pretend like the rest of the video space isn't an open cesspool of fraud and horrible user experiences as well.

    • Ben, could you tell the community what company you are working at, which knew about and reported such a vehicle issue to its partners?

      • Ash is referring to Telemetry and Plan Blue. We discovered MethBrowser/MethBot well over 18 months ago and have been filtering it for our clients throughout this time. This is just one of many fraudulent vehicles we have discovered and have immunised our clients from over the years. In fact, MethBrowser/MethBot isn't even the biggest one running, the title belongs to a vehicle named 'WebCore'.

  7. Since those responsible paid to setup servers and even their nationality is known, why are they still kept anonymous or not being held accountable?

  8. 100% the exchange/SSPs that processed these transactions responsibility. It would have been nice if names were named. They need to start to be named. We could and should have solved this 2.5 years ago: https://adexchanger.com/data-driven-thinking/exchange-fraud-prevention-should-be-simple-sellers-state-your-name/ - let's stop protecting the identities of those harboring, and cutting checks, and expose them. We need to implement practices to change the way we trade, and reverse the game today, where the other side continues to have the upper hand. Really liking what is happening within TAG, we need more of it, and we need it to accelerate.

    • Andrew - Amen. These companies are allowed to flourish within ad networks and other open inventory sources because the people running those are making money by allowing them to flourish. Period. Full stop. One reason we are steering our clients away from banners/preroll and open programmatic inventory in general (other than that banners and pre roll suck) is that there is too much fraud and too many other, better opportunities within platforms that are not susceptible to fraud due to the economic arrangements (i.e. no random third parties). It would be relatively easy to identify websites that are fraudulent by cross referencing them with reliable traffic source partners. That site you never heard of getting 5MM visitors a month? It is a fake. You don't need tech to know that.

  9. @Andrew. I agree, the story really should be about the exchanges who allowed this to occur. Unless these hackers also invested heavily in building a network of shell companies and staffed some really good biz dev people- which I highly doubt. The exchanges who were pocketing at least 50% of the revenue off these "quality" ad placements are the real ones at fault... A company pops up out of nowhere running $3-$5 million dollars a day that no one has ever heard of. You don't need any tech to figure out that it's fraud.

  10. Which firms were responsible for third party verification? Doubleverify, IAS etc expound upon the virtues of their detection protocols. They have nothing to say in regards to this? I would immediately fire these services and ask for a full refund. It's clear the professional high level creators of these systems know how to usurp the known verification platforms.

    Here is an unsettling but very true statement: Bot/NHT will always be a part of the ecosystem of online advertising. It supports too many companies at this point. It supports the publishers seeking traffic solutions to maintain a shrinking ROI. It supports the audit companies who play the role of advertising traffic cops. It supports advertisers whose distorted views on engagement can be manipulated.

    It will never go away...it will be a perpetual game of whack-a-mole.

