Fraud detection firm outs $1b Russian ad-fraud gang and its robo-browsing Methbot

A $1 billion Russia-based criminal gang has been bilking online advertisers by impersonating high-profile Web sites like ESPN, Vogue, CBS Sports, Fox News and the Huffington Post and selling phony ad slots, but that’s about to end.

Online fraud-prevention firm White Ops is releasing data today that will enable online advertisers and ad marketplaces to block the efforts of the group, which is cashing in on its intimate knowledge of the automated infrastructure that controls the buying and selling of video ads.

The group has been ramping up its activities since October so that it now reaps roughly $3 million to $5 million per day from unsuspecting advertisers and gives them nothing in return, says White Ops, which discovered the first hints of the scam in September.

When someone clicks on a video that’s posted to a Web page, the video is often preceded by a short advertising video known as pre-roll. The pre-roll slot is sold in real time, within 100 milliseconds, via an automated auction. That click to request the video is what initiates the ad auction, and the browser directly receives the pre-roll from the advertiser that wins, says White Ops CEO Michael Tiffany.

The system relies on information provided by the browser to verify what site the browser user is visiting and that it actually receives the pre-roll ad. “The ecosystem believes what the browser says about what site you’re at,” he says.

Beware Methbot

The gang, which Tiffany calls AFK13, has created a robo-browser called Methbot that spoofs all the interactions needed to initiate, carry out and complete the ad transactions. So Methbot contacts an ad exchange and says it needs a pre-roll for a video on Vogue.com, for example. The system runs an instant auction, settles on an ad and sends it to Methbot, which verifies that it received it and played it.

Then the advertiser pays the entity associated with the website that the browser claimed to be visiting, but that entity ultimately resolves to AFK13, not to Vogue.com in this example, he says.

Beyond this, AFK13 spoofs the geolocation of the IP addresses that the Methbot servers use so it seems they are all owned by U.S. internet service providers. The proxy IP addresses mask the fact that Methbot traffic is generated by servers as opposed to individual personal computers generating legitimate traffic. It also hides that the servers are located in data centers in Dallas and Amsterdam.

This helps Methbot duck detection mechanisms that look for a few IP addresses that generate enormous volumes of requests, Tiffany says, enabling AFK13 to sell 200 million to 300 million false ad impressions per day for 1.3 cents per view on average, White Ops says. The fraud network does its work from an estimated 800 to 1,000 nodes in its data centers and operates 24 hours per day, with a sales cycle of 5 seconds per impression.

Methbot further avoids detection by selling the ads on more than 6,000 domains representing about 250,000 URLs.

To pull this all off, AFK13 has amassed an impressive infrastructure that includes:

  • The servers that generate all the Methbot browser activity.
  • A bank of 500,000 IPv4 addresses (worth about $4 million if sold on the open market).
  • A means of registering those IP addresses so they appear to be allocated to U.S. ISPs.
  • Methbot software.

The software has been upgraded over the period that White Ops became aware of it, Tiffany says. For example, White Ops first caught on to the scam when it noted a small error in an HTTP header used by the group. One value, known as Cache-Control, contained a colon, which violated the specification for that value. Since then the error has been corrected.
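The kind of check that surfaces such an error can be sketched as follows. This is an added example, not White Ops' detection code: it validates each Cache-Control directive against the RFC 7234 grammar and flags requests that break it. The article does not give the exact malformed value, so the sample requests, addresses and the `max-age:0` value are constructed.

```python
import re

# RFC 7230 token characters; ':' is not one of them.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# cache-directive = token [ "=" ( token / quoted-string ) ]  (RFC 7234, 5.2)
DIRECTIVE = re.compile(rf"{TCHAR}+(?:=(?:{TCHAR}+|{QUOTED}))?")
# Directives are comma-separated; commas inside a quoted-string do not split.
ELEMENT = re.compile(rf'(?:{QUOTED}|[^,"])+')

def cache_control_violations(value):
    """Return the directives in a Cache-Control value that break the grammar."""
    bad = []
    for part in ELEMENT.findall(value):
        part = part.strip(" \t")
        if part and not DIRECTIVE.fullmatch(part):
            bad.append(part)
    return bad

def parse_headers(raw):
    """Parse a raw request header block into (lower-cased name, value) pairs."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def flag_requests(requests):
    """Return (source, bad directives) for requests with a malformed Cache-Control."""
    flagged = []
    for source, raw in requests:
        for name, value in parse_headers(raw):
            if name == "cache-control":
                bad = cache_control_violations(value)
                if bad:
                    flagged.append((source, bad))
    return flagged

# Constructed sample traffic (documentation address ranges, hypothetical host).
SAMPLE = [
    ("198.51.100.7", "GET /v.mp4 HTTP/1.1\r\nHost: video.example\r\nCache-Control: no-cache\r\n\r\n"),
    ("203.0.113.21", "GET /v.mp4 HTTP/1.1\r\nHost: video.example\r\nCache-Control: max-age:0\r\n\r\n"),
    ("203.0.113.22", 'GET /v.mp4 HTTP/1.1\r\nHost: video.example\r\nCache-Control: ext="a:b", max-age=0\r\n\r\n'),
]

if __name__ == "__main__":
    for source, bad in flag_requests(SAMPLE):
        print(source, "malformed Cache-Control directive(s):", bad)
```

A colon inside a quoted-string is legal, which is why the third sample request is not flagged. Because the operators later corrected the header, a grammar check like this serves as one signal among several rather than a durable indicator.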

White Ops has been blocking Methbot traffic for its customers, but the only way to stop it entirely is to release the list of URLs indicative of Methbot, the IP addresses used by AFK13 and the list of publisher domains it forges.

Tiffany says White Ops has also notified the FBI about the scam.
