Close this search box.

Written by: Mike Yang

Cybercriminals are using a sophisticated botnet operation to impersonate both websites and visitors in order to steal as much as $5 million in ad revenue per day from publishers, according to new research into the network, known as Methbot.
The botnet is enmeshed in the online ad infrastructure and has its own elaborate support system, including hundreds of thousands of forged IP addresses, hundreds of servers, and targets more than a quarter of a million separate URLs for spoofing. Researchers at White Ops, who exposed the operation, said the Methbot network is faking views on hundreds of millions of video ads each day by imitating mouse clicks and other behavior in order to mimic human interaction.
“Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operation is ‘watching’ as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed, enabling the operation to attract millions in real advertising dollars,” the White Ops report says.
Researchers first identified traffic from the network more than a year ago, but it was very low volume and didn’t change much until October. Beginning in early October, Methbot traffic began to increase dramatically. Unlike some other ad fraud networks, the Methbot network has the ability to impersonate several pieces of the ad ecosystem, enabling the group behind it to generate huge amounts of money. The network spoofs premium publisher sites where ads appear and also can imitate the behavior of visitors to the sites to make it appear that they are viewing the video ads, triggering payments from the advertisers.

The group uses fake documents to obtain more than 500,000 IP addresses.

“Advertisers often rely on data stored on a user’s machine in cookies to target advertising against demographic information, browser histories, past purchases, and many other data points. Methbot operators use this industry approach to their advantage and stuff crafted cookies into fake web sessions by leveraging a common open source library which allows them to maintain persistent identities containing information known to be seen electronically as valuable to advertisers. In this way they take advantage of the higher CPMs advertisers are willing to spend on more precisely targeted audiences,” the report says.
“Methbot operators also forge tried-andtrue industry measures of humanity. Cursor movements and clicks are faked and multiple viewability measures are faked to further mimic observed trends in human behavior. Additionally, sophisticated techniques are employed to provide an even more convincing picture of humanity. Methbot forges fake social network login information to make it appear as if a user is logged in when an impression occurs.”
One of the key pieces of the Methbot operation is the use of forged IP addresses. The group uses fake documents to obtain more than 500,000 IP addresses that it then employs to hit the ads. White Ops attributes the Methbot operation to Russian cybercriminals and estimates that the scheme is generating more than 200 million fake ad impressions a day and at least $2 million per day in fraudulent revenue.
The network uses proxies on the dedicated servers it owns to help camouflage its operations and also has the ability to impersonate all of the major browsers. Some of the URLs that Methbot has been able to spoof include major media sites such as ESPN, Fortune, and Vogue, White Ops said in the report.
Image: Justin Morgan, CC By Sa license.