
$3-5M in Ad Fraud Daily from ‘Methbot’

Discussion in 'BlackHat Lounge' started by Asif WILSON Khan, Dec 22, 2016.

  1. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,629
    Likes Received:
    34,785
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

    Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

    Now researchers say they’ve uncovered a new class of ad robot or “bot” fraud that was designed from the ground up to keep its nose clean — running not on infected hosts but instead distributed across a vast, rented network of dedicated Web servers and computers.

    The Methbot ad fraud infrastructure. Image: White Ops.

    According to White Ops, a digital advertising security company based in New York City, those rented computers are connected to a network of more than 570,000 Internet addresses apparently leased or hijacked from various sources.

    White Ops dubbed the video ad fraud network “Methbot,” and says the individuals at the helm of this network are spending upwards of $200,000 a month just maintaining a fully automated fraud network that imitates real Web site publishers showing real viewers video-based advertisements.

    Ryan Castellucci, principal security researcher at White Ops, said Methbot’s coders built many of the fraud network’s tools from scratch — including the Web browser that each rented computer in the network uses to mimic Web sites displaying video ads. Spoofing actual news Web sites and other popular video-rich destinations, Methbot requests video ads from ad networks, and serves the ads to a vast array of bots that “watch” the videos.

    To make each Web browsing session appear more like one generated by a human, Methbot simulates cursor clicks and mouse movements, and even forges social network login information so that it appears the user who viewed the ad was logged in to a social network at the time.

    “They’ve written their own browser from scratch in Javascript, and this allows them to arbitrarily control the information that gets fed back to the ad networks and to companies like us who try to detect this stuff,” Castellucci said. “This has allowed Methbot to scale to beyond anything the industry has seen before, putting it in a new class of ad fraud.”

    Interestingly, the registration records for virtually all of those Internet addresses have been forged so they appear to be controlled by some of the world’s largest Internet service providers (ISPs).

    For instance, one of the many Internet addresses White Ops says was used by Methbot — 196.62.126*117 — is registered in October 2015 to AT&T Services Inc., but the contact address is “[email protected]” (the letter “o” is a zero). Adw0rd is no doubt a play on Google Adwords, an online advertising service where advertisers pay to display brief advertising copy to Web users.

    Another address tied to Methbot — 196.62.3*117 — is registered to the same [email protected] account but also to “Comcast Cable Communications, Inc.” Records for another Methbot IP — 161.8.252.* — say the address is owned by “Verizon Trademark Services LLC.”

    Whoever dreamed up Methbot clearly spent a great deal of time and money building the fraud machine. For example, White Ops says the address space alone used by this ad fraud operation has a current market value of approximately $4 million. A full list of the 570,000+ Internet addresses used by Methbot is published in the White Ops report page.

    “Methbot operators invested significant time, research, development, and resources to build infrastructure designed to remove these limitations and provide them with unlimited scale,” White Ops said in its report. “They created dedicated data centers to support proxy networks in order to hide the single origin source of their operation. This is the first time we’ve seen data centers impersonating residential internet connections. This makes the scale of this operation virtually unlimited, with none of the typical durability issues of maintaining a constant base of infected user machines.”

    Methbot is thought to have helped steal quite a bit more ad revenue than malware-based ad bots that came before it. Source: White Ops.

    White Ops said it estimated the earning potential of Methbot by looking at the number of phony video ad impressions it could serve up and the average cost to advertisers for displaying those ads. Assuming an average CPM (cost per mille, or cost per thousand impressions) of $13, the company estimates Methbot has the ability to serve between two million and three million impressions each day, with a daily revenue ranging from $2.6 million to $5.2 million.

    WHO RUNS METHBOT?
    White Ops’s report doesn’t delve much into the possible actors behind this ad fraud network, but there are a couple of tantalizing clues in their findings. White Ops found that the Methbot network originally used a program called Zombie to test the ad code in a simulated Web browser environment, but that later the Methbot team built their own Javascript-based browser. The report also notes that Methbot employs a program called “Cheerio” to parse the HTML rendered by the video ads.

    Both Zombie and Cheerio show up in this October 2015 discussion thread on the Russian-language tech forum pyha[dot]ru. That thread was started by a developer using the nickname “adw0rd,” the same nickname listed in the phony ISP internet address ranges used by Methbot. A glance at adw0rd’s profile on pyha[dot]ru shows the user is from St. Petersburg, Russia and that his email is [email protected].

    The “contact” page for adw0rd[dot]com (again, with a zero) includes that same email address, and says the account belongs to a software developer named Mikhail Andreev. That page at adw0rd.com says Andreev also has the account “adw0rd” on Facebook, Google, Twitter, LinkedIn, Github and Vkontakte (a Russian version of Facebook). A look back at programming projects dating to 2008 for adw0rd can be found via archive.org. Andreev did not respond to requests for comment.

    The “abuse” contact email address listed on many of the Internet address ranges that White Ops tied to Methbot was “[email protected],” someone who appears to have at least at one time acted as a broker of Internet addresses. That same “stepanenko” email address also appears on the official contacts page for an Alexey A. Stepanenko, senior manager of support group IT management systems within the telecommunications infrastructure at Magnitogorsk Iron & Steel Works, the third largest steel company in Russia.


    https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-methbot/
     
    • Thanks x 11
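    A defender's triage check for the forged-registration clue the article describes (an org name claiming a major ISP while the contact e-mail belongs to an unrelated domain), as an added example that is not from this post, the Krebs article or White Ops; the WHOIS-style records are constructed placeholders and the ISP-to-domain map is an assumption:

```python
import re

# Constructed WHOIS-style records modelled on the article's clue: the org name
# claims a large ISP, but the contact e-mail sits at an unrelated domain.
# Address ranges and e-mails are placeholders, not values from the report.
SAMPLE_WHOIS = """
inetnum: 192.0.2.0 - 192.0.2.255
org-name: AT&T Services Inc.
e-mail: adw0rd@example.net

inetnum: 198.51.100.0 - 198.51.100.255
org-name: Comcast Cable Communications, Inc.
e-mail: abuse@comcast.net

inetnum: 203.0.113.0 - 203.0.113.255
org-name: Verizon Trademark Services LLC
e-mail: broker@example.org
"""

# Assumed mapping (for this example) from ISP name keywords to the e-mail
# domains a registration made by that ISP itself would plausibly use.
ISP_DOMAINS = {
    "at&t": {"att.com", "att.net"},
    "comcast": {"comcast.com", "comcast.net"},
    "verizon": {"verizon.com", "verizon.net"},
}


def parse_records(text):
    """Split a blob of blank-line-separated key: value records into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def suspicious_records(text):
    """Return inetnums whose org claims a major ISP but whose contact
    e-mail domain is not one that ISP would use for its own records."""
    flagged = []
    for rec in parse_records(text):
        org = rec.get("org-name", "").lower()
        domain = rec.get("e-mail", "").rpartition("@")[2].lower()
        for isp, domains in ISP_DOMAINS.items():
            if isp in org and domain not in domains:
                flagged.append(rec["inetnum"])
    return flagged


if __name__ == "__main__":
    for rng in suspicious_records(SAMPLE_WHOIS):
        print("mismatched registration:", rng)
```

    A mismatch is a lead for an analyst, not proof: some legitimate registrations are handled by contractors, so flagged ranges still need corroboration (for example, whether the announcing network actually belongs to the named ISP).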
  2. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,778
    Likes Received:
    11,430
    Occupation:
    COINZ
    Location:
    BUYAH
    Home Page:
    Is White Ops a well known company? They have a lot of resources in order to investigate at that scale.
     
  3. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,904
    Likes Received:
    5,466
    Gender:
    Female
    How are they getting paid?
     
  4. BloodyNinja

    BloodyNinja Power Member

    Joined:
    Oct 28, 2013
    Messages:
    605
    Likes Received:
    586
    Location:
    Deeptown
    hmm.... everything described in the article is relatively easy to program and perform with Multiloginapp. Makes me wonder what some users of the software with a big number of requests are doing :)
     
  5. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,629
    Likes Received:
    34,785
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    • Thanks x 1
  6. Jeffersontalks

    Jeffersontalks Regular Member

    Joined:
    Aug 16, 2016
    Messages:
    498
    Likes Received:
    215
    Gender:
    Male
    Occupation:
    Professional Blackhatters
    Location:
    Planet Earth
    Home Page:
    Advertisers are fools. They should have stopped paying AdWords or any other ads the moment they realised the conversion rate is not there. I never believe in investing long term to see results from paid advertising. I expect immediate profitability.
     
  7. elavmunretea

    elavmunretea Elite Member

    Joined:
    May 14, 2016
    Messages:
    1,732
    Likes Received:
    2,313
    Home Page:
    I never thought about using a botnet of sorts for BTC mining, that really is ingenious.

    As to the Ad fraud, the issue with it is that the advertisers don't really give a shit, because they're earning from it. It's just the small companies who are none-the-wiser that take a loss from it. It takes a lot of resources to run an operation like that. Maybe they are state-funded?
     
  8. Neon

    Neon BANNED BANNED Jr. VIP

    Joined:
    Nov 3, 2013
    Messages:
    3,107
    Likes Received:
    7,706
    Gender:
    Male
     
    • Thanks x 5
  9. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,629
    Likes Received:
    34,785
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    • Thanks x 2
  10. Nut-Nights

    Nut-Nights Jr. VIP Jr. VIP

    Joined:
    Jun 20, 2013
    Messages:
    5,634
    Likes Received:
    3,529
    Location:
    Hell
    Home Page:
    How can I earn $5 a day from this? Please guide.
     
    • Thanks x 1
  11. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,904
    Likes Received:
    5,466
    Gender:
    Female
    Lol I got that part. I mean if they set up fake sites for fake advertising then obviously they had fake accounts to wire the money to, right? Just wondering what they used to get paid. Bank transfers? Paypal? Bits of string?

     
    • Thanks x 1
  12. Sherbert Hoover

    Sherbert Hoover Jr. Executive VIP Jr. VIP

    Joined:
    Dec 26, 2010
    Messages:
    1,300
    Likes Received:
    10,858
    Methbot would be an awesome name for a robotic redneck super villain.
     
    • Thanks x 5
  13. dabandit

    dabandit Junior Member

    Joined:
    Feb 21, 2008
    Messages:
    143
    Likes Received:
    53
    Branding campaigns. They're run not for profitability, but for brand awareness. You can always tell when a big company like Walmart enters the minefield.
     
  14. frenchboy

    frenchboy Power Member

    Joined:
    Aug 19, 2008
    Messages:
    761
    Likes Received:
    1,340
    What network were they scamming? Adsense?
     
    • Thanks x 1
  15. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,629
    Likes Received:
    34,785
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    Unsure; possibly it's in the full report, but they would have appeared legit, so depending on the services used, both bank transfer and PayPal, I imagine.
     
  16. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,904
    Likes Received:
    5,466
    Gender:
    Female
    :( I was really hoping for bits of string.
     
    • Thanks x 1
  17. Neoalb

    Neoalb Power Member

    Joined:
    Jul 2, 2016
    Messages:
    650
    Likes Received:
    187
    Gender:
    Male
    Maybe the new limits that will apply after December 31st were caused by this?
     
  18. BloodyNinja

    BloodyNinja Power Member

    Joined:
    Oct 28, 2013
    Messages:
    605
    Likes Received:
    586
    Location:
    Deeptown
    Not really. They are related to the public introduction of API.
     
  19. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,778
    Likes Received:
    11,430
    Occupation:
    COINZ
    Location:
    BUYAH
    Home Page:
    Good question. Was it their own network? Were they selling ads direct and defrauding their own customers? Or was it a 3rd-party network like Google?
     
  20. aa33030

    aa33030 Regular Member

    Joined:
    Mar 11, 2011
    Messages:
    295
    Likes Received:
    34
    Location:
    United States
    Home Page:
    I always wondered how expressvisits.com's Google organic traffic got those U.S. residential IPs.
    Human-like simulation (even though it was repetitious) but 0 conversions; I knew it was fake U.S. traffic.