Methbot is a state-of-the-art ad fraud infrastructure, capable of hosting legitimate videos and serving them to 300 million fake viewers a day. Each view earns the criminals about $13, translating to around four million dollars a day. Over the past few months, Methbot has pulled in an estimated $180 million. It represents one of the most sophisticated and elaborate ad-fraud networks ever seen.
Targeting Web Advertising
Video advertising is big business. Video ads on top-visited web sites command the highest prices in digital advertising. Hosting these videos and then bringing in massive viewers is extremely lucrative. Methbot hosts these videos, on what appears to be a top ranked site, then brings in millions of fake ‘views’. This earns them advertising rates for the CPM (Cost per Thousand) of views. Depending on the site, CPM’s ranged from $3 to $36 per thousand views. The victims are those companies who pay for legitimate views of their marketing videos, but in actuality get no real people paying attention for their financial investment.
Imagine you are a company looking to promote a new product. You decide to create a marketing video and advertise on Internet sites. You want visible sites, with lots of visitors. Specifically, you want customers in your geography and would prefer those who are active in social media. They might amplify your ads or talk about how they like your products. You go through an advertising agency who makes your promotional video available to the masses of potential websites. You agree on a price you will pay for legitimate viewer ‘impressions’ who watch your video. Based upon your budget you set a CPM of $10. So for any site which aligns to your desired market, you will pay $10 for every thousand people the site convinces to watch your video. Sounds fair. This is what advertising is about.
Then Methbot shows up. It takes your nice video and places it on hundreds of sites which match your desired market. Then like magic, as you had hoped, millions of visitors start watching your video! You are of course excited. Every day 1 million people are watching and being influenced by your marketing video. Surely sales will go up. Paying the $10,000 advertising fee per day (1 million impressions / 1000 X $10) is absolutely worth it. It is what you wanted, except sales don’t go up. All those ‘impressions’ don’t seem to have the desired effect, because no real person actually watched your video. They were hosted on specially crafted sites and visited only by robots made to appear as potential customers of your product, in the right geography, logged into social media, and even moving the mouse around. You pay for advertising and get nothing in return. Welcome to the Ad-fraud attention economy.
The size and complexity of this criminal endeavor is mind shattering. Methbot is a multipart set of tools, servers, fraudulent IP registrations, and software manipulations, all combined for a single purpose: to defraud the web advertising economy with maximum effect.
At its core, Methbot created phony users that appeared to view advertising videos hosted on their site, so they would earn money from the ‘impressions’ that would be tabulated. To accomplish this, the organized criminals had to create a massive infrastructure that worked together at scale. It forged network address credentials to make it appear the users were from preferred geographies, thereby increasing the costs they could charge. It created 250,000 counterfeit web pages, that nobody was actually visiting, just to host the legitimate videos. The attackers purchased over six-thousand domains for these websites, so as to appear as if they were part of coveted web properties. Again, to boost the CPM rates. It is estimated that between 8k to 12k dedicated servers were running customized software to generate 300 million fake video impressions daily. This software spoofed users web browsers, mouse activity, and even went as far as to make it look like these users were logged into their Facebook accounts to make the scam believable. All fake.
The investment of time, resources, and up-front costs was likely very substantial. Creating, testing, and launching a fraud network of this size is a big undertaking. There is likely an organized team of professionals behind Methbot.
Ad Networks Need to Rethink their Processes
Online advertising networks have always been targeted by fraudsters, but have not ever seen anything at this scale. The infrastructure itself was focused on video ads, but easily could be directed at just about any type of web advertising with the same result. The ad networks will need to adjust their practices, tools, and processes in order to compensate with this level of fraud sophistication.
Methbot was so powerful, in part, due to its conformance to the VAST protocol that dominates the Video ad industry. VAST (video Ad Serving Template) is a specification created by the Interactive Advertising Bureau (IAB). The latest VAST version 4.0 was released in January of 2016. It is a web structure that allows for the monetization of digital videos in the advertising marketplace. It allows for ads to be published by sites and tracks the impressions in exchange for payment. The criminals were savvy in using the VAST based networks to get and service contracts in an automated fashion. It allowed them to scale quickly.
Huge recognition goes to the team at WhiteOps for detecting and investigating this criminal infrastructure. WhiteOps has conducted an excellent investigation for the nodes and networks they can see. It is very likely this goes well beyond their vision horizon. Law enforcement will likely need to continue to uncover where the boundaries really are. WhiteOps has published an easy-to-read whitepaper, list of compromised IP addresses, spoofed domains, IP ranges, and a full list of URL’s. Such information will help all interested parties to understand if they have been scammed and how to block this current incarnation of Methbot.
Initial findings by WhiteOps, pointed the finger to cybercriminals based out of Russia. But they did not release any specific supporting data, opting to keep it private at the moment. Likely to be provided to authorities as part of attribution aspects of the investigation.
Authorities will have an interesting time pursuing those behind it. First, they will need to understand the overall scope and assets involved. Shutting down the fraudulent engine is the immediate priority, while maintaining all necessary evidence. Figuring out who is behind it and tracking the money will be the next step. Victims will want reparations. Pursuing the criminals, having them arrested, and extradited if necessary will be the final hurdle to begin formal prosecution proceedings.
The cybercriminals who setup Methbot are organized, skilled, knowledgeable, and brazen. They have successfully brought to life a money factory for fraud. Although active for almost 2 months, I suspect the criminals expected it to remain undetected for much longer. Methbot is a massive investment and undertaking. I expect the organized criminals behind it to remain active, adapt to their discovery, and continue to use their resources to continue fraudulent activities at a spectacular level. I think Methbot version-1 will be impacted and to some extent dismantled, but I am confident there will be a Methbot v2 infrastructure which will rise from the ashes. Whomever this cybercriminal team is, they are too good to just roll-over and give up.
For more such intel Modern Code and tools from Intel, please visit the Intel® Modern Code