Russian criminals are using a system dubbed Methbot to steal up to $5 million from media companies and marketers each day. White Ops, the digital security company that discovered the scheme, described it as “the largest and most profitable ad fraud operation to strike digital advertising to date.”
Methbot works by using “an army of automated web browsers run from fraudulently acquired IP addresses” to watch up to 300 million video ads each day. You might say that Methbot is the one who watches, if only because every mention of methamphetamine is legally required to be followed by a Breaking Bad reference, and in watching all these videos it tricks advertising companies into shelling out millions of dollars to the bot’s operators.
The scheme is said to be powered by 800 to 1,200 servers in the United States and the Netherlands using 571,904 dedicated IP addresses. Methbot uses all these resources to masquerade as premium websites–of which Methbot targeted and spoofed more than 6,000–to fool advertisers into thinking expensive ads were being viewed hundreds of millions of times. The end result: a transfer of funds between US companies and Russian criminals.
Many advertising platforms take steps to defend themselves from these schemes. Methbot differs from previous efforts in that it uses sophisticated techniques, from masking an IP’s location and using social networking accounts to faking mouse clicks and using countermeasures for many popular ad systems, to evade detection so it can rake in the fraudulently earned money without having to worry about marketers catching on to its scheme.
But perhaps Methbot’s best defense is the convoluted systems on which advertising platforms rely. Here’s how White Ops explains the issue in its report (PDF):
The current complexity, interconnectivity, and resulting anonymity of the advertising ecosystem enabled the Methbot operators to exploit the entire marketplace. An impression may pass through many hands before it lands on a page and the ad is served. Tracing that complete path back through the various marketplaces proves difficult due to walled gardens, reselling, competing interests, and limitations on human capital to devote to this initiative.
This problem isn’t unique to the ad industry. Online services have turned into black boxes that few people ever get to peek inside. This is great for the companies that run these perpetual revenue machines, but it also makes it harder to figure out what someone might be able to exploit for their own benefit. Bug bounty programs can incentivize people to investigate these complicated systems, yet that isn’t always enough to make them secure.
There’s also the problem of cyber criminals having more resources at their disposal. This time the fraud was perpetrated using dedicated servers–what if next time it uses Internet of Things (IoT) devices modified to make ad companies think an internet-connected toaster is watching a video? IoT products have already been used to take big websites offline, but it would be more profitable to use them to make millions of dollars every day.
But for now, ad companies have to focus on beating Methbot. (Perhaps they should consider kidnapping its protégé-slash-surrogate-son. Cough.) White Ops is helping that effort by publishing a list of IP addresses known to be used by the bot; letting ad companies know what domains have been spoofed, and partnering with the Trustworthy Accountability Group so it can help as many affected businesses handle Methbot’s onslaught as possible.