Russian ‘Methbot’ fakes 300 million video views a day, wreaking havoc on digital ads

US cybersecurity firm believes scam originated in Russia but sees no signs of state sponsorship

PUBLISHED : Wednesday, 21 December, 2016, 12:24pm
UPDATED : Wednesday, 21 December, 2016, 12:26pm

A cybersecurity firm says it has uncovered a massive online scam that employs an army of automated web browsers to siphon millions of dollars of advertising per day away from US media companies and brand-name advertisers.

The firm, New York-based White Ops, has dubbed the operation “Methbot” because of references to meth buried in the computer code underlying the scam, and says it is the largest and most profitable fraud operation yet to strike digital advertising. The company says the scam, which it believes originated in Russia, is using a so-called bot net to fake views of as many as 300 million video ads per day and trick advertisers into paying for ads that were never seen by humans.

With Russian government hacking dominating headlines around the world, White Ops CEO Michael Tiffany said this scam is probably not being run by the Kremlin, despite its enormous size and sophistication.

“We really see no signs of state sponsorship, it looks to us like this is really a private criminal group,” Tiffany said.

Tiffany said someone with a deep understanding of the industry is likely behind the scam. “This shows an incredible, absolutely insider’s mastery of digital advertising,” he said. “It requires multiple skills.”

To be sure, the White Ops report is an allegation from a single cybersecurity firm and cannot be independently verified by CNBC. Confirmation of the allegation will depend on other security firms, possibly the US government, and the online advertising industry itself. If true, the allegation means that there is significant fraud at the heart of the global online video industry.

A “bot net” is a network of computers infected with malicious code and controlled by hackers for a purpose that can be unknown to the actual owners of the computers. Bot nets are frequently used by online scammers to ramp up the scale of a cyberattack and hide the perpetrators.

The company said the scam works because of the fragmented nature of the online advertising marketplace, in which buyers and sellers of advertising no longer know each other, or even communicate with one another. “At this point the Methbot operation has become so embedded in the layers of the advertising ecosystem [that] the only way to shut it down is to make the details public to help affected parties take action,” White Ops said in a paper released Tuesday. Tiffany told CNBC he is optimistic that the scam, which has been ongoing at high volume for several months, could be stopped by a coordinated ad industry effort. “I think we’re going to respond and take away their ability to profit in record time,” he said.

By farming out the operations across a wide network, Methbot has been able to avoid some typical detection methods, White Ops said, adding that the scam “marks an innovation that transcends beyond traditional bot nets allowing Methbot to scale beyond anything the industry has seen before and placing it in a new class of bot fraud.”

Here’s how it allegedly works:

According to White Ops, the Methbot scammers were able to generate fake records of a user’s activity online, making the bots appear to be human, even down to the level of detail of phony cursor movements and bogus social media login information. White Ops also says the Methbot operators used dedicated servers to run proxies so it would not be clear that all of this traffic was coming from one entity. And they used falsified documents to gain access to 571,904 real IP addresses, the company said, making it appear that the fraudulent ad traffic came from real Internet providers.

What’s more, the fraudsters were able to fool the advertising exchanges by offering data specifically designed to slip past known fraud detection efforts. White Ops said the Methbot operators used code specifically designed to defeat viewability measurement, both by targeting specific vendors and by spoofing industry-standard measurements.

White Ops calculated that the 200 million to 300 million fake impressions per day generated between US$3 million and US$5 million per day for whoever operated the scam. In an effort to combat the fraud, White Ops said that it will release known IP addresses affiliated with Methbot, so that advertisers and their agencies can block them. And the company says it will release a falsified domain name and full URL list to show where this phony activity has been taking place.

The company also said it has been in contact with federal law enforcement about the scam.