Methbot ad fraud ring nets millions of dollars a day

Russian fraudsters running a massive bot farm for fake video advertising are reaping between US$3 million (A$4.14 million) to US$5 million a day, security researchers have found.

Premium sites such as The Economist, ESPN, CBS Sports, Vogue, Fortune, Fox News and International Business Times have been targeted by the Methbot bot farm, security vendor White Ops said.

The massive revenue figure makes Methbot the biggest ad fraud operation discovered so far. Other malware-based fraud campaigns like ZeroAccess and Chameleon, in comparison, earnt criminals hundreds of thousands of dollars a day.

White Ops spotted Methbot, so named as a result of frequent "meth" references in code captures, in September last year. The company said [pdf] it noticed a small amount of automated web traffic featuring a unique bot signature, and quarantined and monitored it.

Methbot impersonates established websites and fabricates video inventory, White Ops said. It then fakes clicks on ads, as well as mouse movements and social network login information, and manipulates geolocation to appear as human consumers to avoid detection. 

The fraudsters have gone as far as writing a full http library and browser engine with Flash support, running under Node,js, as part of detection avoidance techniques.

White Ops estimated Methbot's infrastructure to span 800 to 1200 dedicated servers in American and Dutch data centres, using over 570,000 IP addresses.

Methbot is able to generate 200 to 300 million video ad impressions on fabricated inventory, White Ops said. Over quarter of a million unique, spoofed URLs are used to falsely represent inventory.

Apart from the technical sophistication of Methbot, the fraudsters have been able to take advantage of the complex and non-transparent advertising ecosystem on the internet to exploit the marketplace, White Ops said.

The researchers said it was difficult to trace impressions, as they pass through many hands before landing on the page serving ads, making fraud detection hard. Closer relationships between publishers and advertisers can reduce the obfuscation and increase transparency to help combat fraud, White Ops said. 

Methbot remains active, but White Ops did not say which advertisers it had targeted and spoofed.