
Russian ‘Methbot’ scammers steal $3 to $5 mil a day by exploiting ad networks

Dec 20, 2016
Tags: Cybercrime, Data and Information Security, Security

Russian criminals are stealing between $3 and $5 million a day

A group of Russian cybercriminals is stealing between $3 and $5 million a day by diverting legitimate advertising revenues from over 6,000 brand-name websites such as ESPN, Vogue, Fortune, Fox News and CBS Sports.

The criminals do this by using legitimate data centers to run hundreds of servers pretending to be real people watching hundreds of millions of video ads a day placed on more than a quarter million domains, according to a report released this morning.

This is a new and very successful twist on traditional click fraud, in which scammers install malware on home computers to watch the ads and set up dummy websites stuffed with ads to collect the ad revenue.

Dubbed “Methbot” by researchers, the new scam doesn’t require the attackers to infiltrate computers or run botnets, and it doesn’t need any dummy websites.

With a botnet, criminals incur the management overhead of infecting the machines, running their malware on heterogeneous systems, and controlling it through centralized servers that are always on the verge of being shut down by law enforcement. Renting servers from data centers is easier.

“There’s a lot of uncertainty that’s taken away,” said Eddie Schwartz, president and COO at New York City-based White Ops, Inc., which produced the report. “You can manage a known configuration.”

To trick advertising networks into thinking that the ad views are coming from real people, they find blocks of IP addresses at residential ISPs like Comcast, Cox, AT&T, Verizon, and Centurylink that have been reserved by businesses but not used, said Schwartz.

They then forge documentation claiming the right to use those IP addresses and provide it to their data centers.

The data centers are legitimate, mid-sized operations located in Dallas and Amsterdam.

A custom web browser then accesses the video ads in such a way that the advertisers think that the ads are running on legitimate websites.

The criminals make money from those ads by using automated, real-time ad bidding networks to impersonate legitimate publishers.
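As an added illustration from the defender's side (this is not code from the White Ops report or from any ad-fraud product), the sketch below shows the kind of check the scheme above invites: compare who an IP block is allocated to against who actually routes it, and flag blocks where residential allocation meets data-center routing or where a single address produces far more impressions than one household plausibly could. The registry table, routing table, ASNs and impression log are constructed placeholders.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed registry data (placeholder): the organisation each block is allocated to.
ALLOCATIONS = {
    "203.0.113.0/24": "Residential ISP A",
    "198.51.100.0/24": "Residential ISP B",
    "192.0.2.0/24": "Hosting Provider X",
}
# Constructed routing observations (placeholder): the AS that announces each block
# and whether that AS is a residential access network or a hosting operator.
ROUTING_ORIGIN = {
    "203.0.113.0/24": ("AS64500", "hosting"),      # residential block, data-center origin
    "198.51.100.0/24": ("AS64496", "residential"),
    "192.0.2.0/24": ("AS64500", "hosting"),
}
RESIDENTIAL_ALLOCATORS = {"Residential ISP A", "Residential ISP B"}

# Constructed impression log: (client IP, publisher domain the impression claimed).
SAMPLE_IMPRESSIONS = (
    [("203.0.113.10", "example-publisher.test")] * 120
    + [("198.51.100.5", "example-publisher.test")] * 3
    + [("192.0.2.7", "example-publisher.test")] * 3
)

def block_for(ip):
    """Return the allocated CIDR containing ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr in ALLOCATIONS:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None

def audit_impressions(impressions, max_per_ip=50):
    """Map each suspicious block to the reasons it was flagged."""
    per_ip = Counter(ip for ip, _domain in impressions)
    findings = defaultdict(set)
    for ip, count in per_ip.items():
        cidr = block_for(ip)
        if cidr is None:
            continue
        _asn, origin_kind = ROUTING_ORIGIN[cidr]
        # Residential space that is announced from a hosting AS is the forged-IP pattern.
        if ALLOCATIONS[cidr] in RESIDENTIAL_ALLOCATORS and origin_kind == "hosting":
            findings[cidr].add("residential allocation routed from hosting AS")
        # One residential address viewing hundreds of ads is not a household.
        if count > max_per_ip:
            findings[cidr].add(f"{ip} produced {count} impressions")
    return dict(findings)
```

Real deployments would source the allocation and routing tables from registry and BGP data rather than hard-coded dictionaries, and feed flagged blocks into a shared list such as the one TAG maintains.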

Advertisers wind up spending millions of dollars a day on ads that are never seen by real human beings, he said.

“The publishers are victims, too,” Schwartz added. “Instead of getting the money from advertisers, the money is going to Methbot, instead.”

White Ops has seen evidence of this network dating back around a year, but the volumes only really started to register in October, he said.

“There’s been an incredible uptick of volume,” he said. “It’s just screaming in terms of the size and the number of impressions that we see.”

Since the criminals are paying for real servers with real money, and getting real money from advertisers, there might be a way to track them.

“The old adage of follow the money is probably a good approach, but that’s a job for federal and international law enforcement to work on,” he said.

White Ops has been working with law enforcement and industry groups, he said. “We’re providing them with what we know about this operation.”

That includes all the attribution information that White Ops has collected that identifies the attackers’ locations.

“Our goal now is to get the word out and try to close it down,” he said.

One industry organization, the Trustworthy Accountability Group, is already taking action.

“Within 24 hours of our notification by White Ops, TAG was able to alert 130 fraud compliance officers at the largest and most influential digital advertising companies,” said group CEO Mike Zaneis.

The group will also add the IP addresses involved to the group’s shared blacklist.

“Given that the most advanced feature of this operation was its forged IP space, we believe TAG’s information-sharing platform will allow responsible industry actors to mitigate the threat quickly and effectively,” he said.

“This massive fraud operation represents a significant threat to the integrity of the ecosystem,” he added.