December 20, 2016

New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

Now researchers say they’ve uncovered a new class of ad robot or “bot” fraud that was designed from the ground up to keep its nose clean — running not on infected hosts but instead distributed across a vast, rented network of dedicated Web servers and computers.

The Methbot ad fraud infrastructure. Image: White Ops.


According to White Ops, a digital advertising security company based in New York City, those rented computers are connected to a network of more than 570,000 Internet addresses apparently leased or hijacked from various sources.

White Ops dubbed the video ad fraud network “Methbot,” and says the individuals at the helm of this network are spending upwards of $200,000 a month just maintaining a fully automated fraud network that imitates real Web site publishers showing real viewers video-based advertisements.

Ryan Castellucci, principal security researcher at White Ops, said Methbot’s coders built many of the fraud network’s tools from scratch — including the Web browser that each rented computer in the network uses to mimic Web sites displaying video ads. Spoofing actual news Web sites and other popular video-rich destinations, Methbot requests video ads from ad networks, and serves the ads to a vast array of bots that “watch” the videos.

To make each Web browsing session appear more like one generated by a human, Methbot simulates cursor clicks and mouse movements, and even forges social network login information so that it appears the user who viewed the ad was logged in to a social network at the time.

“They’ve written their own browser from scratch in Javascript, and this allows them to arbitrarily control the information that gets fed back to the ad networks and to companies like us who try to detect this stuff,” Castellucci said. “This has allowed Methbot to scale to beyond anything the industry has seen before, putting it in a new class of ad fraud.”

Interestingly, the registration records for virtually all of those Internet addresses have been forged so they appear to be controlled by some of the world’s largest Internet service providers (ISPs).

For instance, one of the many Internet addresses White Ops says was used by Methbot — 196.62.126*117 — was registered in October 2015 to AT&T Services Inc., but the contact address is “adw0rd.yandex.ru@gmail.com” (the letter “o” is a zero). Adw0rd is no doubt a play on Google Adwords, an online advertising service where advertisers pay to display brief advertising copy to Web users.

Another address tied to Methbot — 196.62.3*117 — is registered to the same adw0rd.yandex.ru@gmail.com account but also to “Comcast Cable Communications, Inc.” Records for another Methbot IP — 161.8.252.* — say the address is owned by “Verizon Trademark Services LLC.”

Whoever dreamed up Methbot clearly spent a great deal of time and money building the fraud machine. For example, White Ops says the address space alone used by this ad fraud operation has a current market value of approximately $4 million. A full list of the 570,000+ Internet addresses used by Methbot is published in the White Ops report page.
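The forged registrations described above share two tells a defender can check for mechanically: an address block claiming to belong to a major ISP while listing a free webmail account as its registry contact, and one contact address registering blocks under several unrelated organizations. The script below is an added example (not White Ops' tooling or anything from the report) that parses constructed whois-style records and flags both patterns. The address blocks use RFC 5737 documentation ranges, the contact address is made up, and the ISP and webmail lists are hypothetical; the output is a heuristic lead for further review, not a fraud verdict.

```python
"""Flag inconsistencies in IP address registration records.

Added example for the forged-registration pattern in the article above.
The records, ISP list and webmail list are constructed for the demo.
"""
from collections import defaultdict

# Constructed sample input in the "Key: value" shape of an RIR whois reply.
# Address blocks are RFC 5737 documentation ranges; the contact is invented.
SAMPLE_RECORDS = """\
NetRange: 192.0.2.0 - 192.0.2.255
OrgName: AT&T Services Inc.
RegDate: 2015-10-20
OrgTechEmail: sample-contact@gmail.com

NetRange: 198.51.100.0 - 198.51.100.255
OrgName: Comcast Cable Communications, Inc.
RegDate: 2015-10-20
OrgTechEmail: sample-contact@gmail.com

NetRange: 203.0.113.0 - 203.0.113.255
OrgName: Example Hosting LLC
RegDate: 2012-03-01
OrgTechEmail: noc@example-hosting.net
"""

# Hypothetical watch list: organizations a forger might impersonate.
LARGE_ISPS = ("at&t", "comcast", "verizon")
# Free webmail domains a large ISP would not use for its registry contact.
WEBMAIL_DOMAINS = {"gmail.com", "yandex.ru", "mail.ru", "yahoo.com"}


def parse_records(text):
    """Split blank-line-separated whois blocks into dicts with lowercase keys."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def analyze(records):
    """Return {netrange: [finding, ...]} for blocks that trip a heuristic."""
    findings = defaultdict(list)
    orgs_by_email = defaultdict(set)

    # Pass 1: ISP name paired with a webmail contact; collect email -> orgs.
    for rec in records:
        org = rec.get("orgname", "")
        email = rec.get("orgtechemail", "").lower()
        domain = email.rpartition("@")[2]
        if any(isp in org.lower() for isp in LARGE_ISPS) and domain in WEBMAIL_DOMAINS:
            findings[rec["netrange"]].append(
                f"claims large ISP '{org}' but contact is webmail account {email}")
        if email:
            orgs_by_email[email].add(org)

    # Pass 2: one contact address behind blocks registered to different orgs.
    for rec in records:
        email = rec.get("orgtechemail", "").lower()
        others = orgs_by_email.get(email, set()) - {rec.get("orgname", "")}
        if others:
            findings[rec["netrange"]].append(
                f"contact {email} also registers blocks for {sorted(others)}")
    return dict(findings)


if __name__ == "__main__":
    for netrange, notes in analyze(parse_records(SAMPLE_RECORDS)).items():
        print(netrange)
        for note in notes:
            print("  -", note)
```

Run against real registry output, the parser needs only the field names adjusted (RIRs differ in key spelling), and the two lists would be replaced with an organization's own allowlist of ISP names and denylist of contact domains.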

“Methbot operators invested significant time, research, development, and resources to build infrastructure designed to remove these limitations and provide them with unlimited scale,” White Ops said in its report. “They created dedicated data centers to support proxy networks in order to hide the single origin source of their operation. This is the first time we’ve seen data centers impersonating residential internet connections. This makes the scale of this operation virtually unlimited, with none of the typical durability issues of maintaining a constant base of infected user machines.”


Methbot is thought to have helped steal quite a bit more ad revenue than malware-based ad bots that came before it. Source: White Ops.

White Ops said it estimated the earning potential of Methbot by looking at the number of phony video ad impressions it could serve up and the average cost to advertisers for displaying those ads. Assuming an average CPM (cost per mille, or per thousand impressions) of $13, the company estimates Methbot has the ability to serve more than 300 million impressions each day, with a daily revenue ranging from $2.6 million to $5.2 million.

WHO RUNS METHBOT?

White Ops’s report doesn’t delve much into the possible actors behind this ad fraud network, but there are a couple of tantalizing clues in their findings. White Ops found that the Methbot network originally used a program called Zombie to test the ad code in a simulated Web browser environment, but that later the Methbot team built their own Javascript-based browser. The report also notes that Methbot employs a program called “Cheerio” to parse the HTML rendered by the video ads.

Both Zombie and Cheerio show up in this October 2015 discussion thread on the Russian-language tech forum pyha[dot]ru. That thread was started by a developer using the nickname “adw0rd,” the same nickname listed in the phony ISP internet address ranges used by Methbot. A glance at adw0rd’s profile on pyha[dot]ru shows the user is from St. Petersburg, Russia and that his email is adw0rd@pyha.ru.

The “contact” page for adw0rd[dot]com (again, with a zero) includes that same email address, and says the account belongs to a software developer named Mikhail Andreev. That page at adw0rd.com says Andreev also has the account “adw0rd” on Facebook, Google, Twitter, LinkedIn, Github and Vkontakte (a Russian version of Facebook). A look back at programming projects dating to 2008 for adw0rd can be found via archive.org. Andreev did not respond to requests for comment.

The “abuse” contact email address listed on many of the Internet address ranges that White Ops tied to Methbot was “stepanenko.aa@mmk.ru,” someone who appears to have at one time acted as a broker of Internet addresses. That same “stepanenko” email address also appears on the official contacts page for an Alexey A. Stepanenko, senior manager of support group IT management systems within the telecommunications infrastructure at Magnitogorsk Iron & Steel Works, the third largest steel company in Russia.

Update, Dec. 23, 1:54 p.m. ET: Fixed a typo in the number of ad impressions White Ops said Methbot was able to produce daily.


98 thoughts on “Report: $3-5M in Ad Fraud Daily from ‘Methbot’”

  1. paul

    How can names be exposed here??

    Don't we have data protection law??
    I think this is not fair to have names published here!!!
    Some privacy should be respected

    1. Dmitry

      You can sue for that, “bro” 🙂
      Ooops, what. This is mass media; any mentions here should be treated as opinions, not accusations. This is freedom of speech.
      Accusations are for law enforcement people. Those FBI guys badly need some hints.

    2. luap

      They can sue for that. Oh, what, this is mass-media. Any mentions are opinions and freedom of speech and hints to FBI. Those guys need hints badly.

  2. Russian Hacker

    I think this story is a fake to amaze dilettantes.
    The only persons who make money/reputation from this story (and stories like this) are experts like Brian Krebs and whiteops.com.
    They scare people by hackers to get traffic and make money on consulting/PPC on their sites.

    1. David

      Proof, please?

      If you don’t give any proof, Krebs seems more reputable than an anonymous person on the internet.

      1. Source

        Krebs gets his stories from Russian hackers, that's a fact. But the question is: how reputable is the source? Sometimes he knows things before even the admin knows that it happened ) but sometimes he just talks BS.

        1. Alex Beetle

          Source reputation is Krebs' headache, so let it be. Mass-media panic means nothing to those who are in charge of Methbot. So all those secrecies are a Polichinelle one.
          Details become clear when you know where to look. Authorities can't check each and every account and hit in the world; they don't have infinite budget and time for it. When they finish an investigation that way, crooks get old and die. As a matter of fact they have to investigate and interrogate more efficiently to jail them whilst they are somewhere between 30-40 y/o and haven't yet blown all their profits on cocaine, whores, Rolexes and Ferraris.

        2. s. keeling

          > “… but sometimes he just talks BS.”

          Where? “Citation needed” is most apropos here.

          My solution to ransomware:

          i) Run Linux; not Win* or Apple. No, it’s not a panacea, but is Win* or Apple? No. Hardly.

          ii) Do backups. You get boned, you’ve a (or multiples) clean copy.

          iii) Learn. It’s long past time when you could just buy stuff and expect to be safe. In the IoT era, you can’t be, because your vendor doesn’t care about you. It just cares about getting your cash and PII, the latter to share/sell to its “corporate partners.”

          iv) Your gov’t isn’t helping, and in many instances is undercutting your efforts (cf. James Comey; liar & shill).

          Brian’s proved his credentials with years of hard, accurate, factual reportage and smart work/thinking on many occasions. When you can do better, I’ll believe you; not before.

          Thanks Brian for all your hard work. Much appreciated.

          PS. I don’t do email anymore, sorry. I fell off the net last March and don’t much care about it now except to support my systems. Sorry if my email addy no longer works (I neither know nor care).

          Have fun. 🙂

      2. Russian Hacker

        Proof?

        Man, I think Mr. Krebs must give us proof with the advertising network name, bills and payments.

        1. $4-5 million is an unrealistic investment for a typical Russian programmer/hacker. Most Russian programmers work for $500/2,000 per month. Do you believe it’s easy to find $4-5 million in Russia if you are not a Putin’s friend?

        2. Do you believe that employees at the Ad Network are so stupid as to pass bot traffic and pay $5,000,000 per day?

        Actually, I think that the unnamed Ad Network orchestrated this method and hired those Russian programmers to develop bots and gave money for 1200 dedicated servers and more than 500k IPv4 addresses.
        But something went wrong…
        Maybe their advertisers noticed suspicious bot traffic and complained about that.
        So the Ad Network fabricated the story about Evil Russian Hackers ™ and contacted White Ops.

      3. Russian Hacker 2

        Man, Mr. Krebs doesn't even approve my comments. He looks like a story inventor.

  3. Rmac

    Can someone help me understand how they can purchase/lease all this bot farm infrastructure without being accountable and/or traceable?

    I just don't get how you can buy hundreds of data center servers and IPs and use them illegally without it being obvious? What bit of the picture with that am I missing?

    1. SeymourB

      Some people, when you pay them enough, will not ask questions they otherwise would ask.

    2. Barsik

      There is a word for this and the word is criminal conspiracy.

    3. John Clark

      There are many people overseas, and in America, that just don't care. I found a network of fake staffing companies being run off of DreamHost (based in Brea, California) last year. The scammer bought 20+ domains. He would target specific job seekers, sending them emails from these bought domains with matching web sites. The goal was to walk the victim through fake phone interviews and then request SSN and DOB to submit the victim to a ‘client corporation.’
      I warned the DreamHost abuse staff several times showing them the threads of the scam, the posting by various victims and the DreamHost staff responded with a fu&# off. They added that they would only respond to law enforcement orders. The domains continued to exist until they expired.
      As long as the employees of the hosting companies get their paychecks, they don’t care. As long as the hosting companies executives continue to see money from the scammer/client they don’t care.
      I created a blogger site to document all that I found about this scammer at.
      https://fakestaffing.blogspot.com

      The scammer is still running with a new batch of domains hosted on American services. They are DreamHost, 1and1.com, and bluehost.com.

      There is one hosting company that I warned that did shut down three domains.

  4. Mike

    I have never seen an online advertisement that was actually useful to me. They are usually dangerous if not useless. I will filter out as much advertising as I can. If ad revenue is the only or primary source of power to maintain a website, then it is a website that I don’t need anyway. It is astounding how much faster the Internet moves when ads are filtered out.

    Online advertisers do not have rights to my machines and devices given to them arbitrarily by virtue of their existence. I don't care what they think. If it meant anything of real value, they would not allow themselves to be so easily used by the bad guys.

  5. Barsik

    IP analysis from the WhiteOps report

    196.62.0.0-196.62.255.255
    aut-num: AS40824
    as-name: WZCOM
    descr: WZ Communications Inc.
    created: 2015-10-20T16:16:41Z

    http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResults/OfficerRegisteredAgentName/Bezruchenko%20%20%20%20%20%20%20%20%20Kostyantyn/Page1
    BEZRUCHENKO, KOSTYANTYN WEBAZILLA LLC L09000073623
    BEZRUCHENKO, KOSTYANTYN DEDICATED SERVERS LLC L10000017940
    BEZRUCHENKO, KOSTYANTYN WEBZILLA INC. P09000064327
    BEZRUCHENKO, KOSTYANTYN IP TRANSIT INC P09000064840
    BEZRUCHENKO, KOSTYANTYN WZ COMMUNICATIONS INC. P09000095109

    209.192.128.0
    AS7979 SERVERS – Servers.com, Inc., US (registered Mar 11, 1997)
    http://xbt.com/company-overview.html
    webzilla + servers.com = xbt holding

    45.33.224.0
    http://ipinfo.io/AS7979/45.33.224.0/20
    ASN AS7979 Servers.com, Inc.
    ID SERVERLOGY
    Description Serverlogy Corporation

    NetRange: 64.137.0.0 – 64.137.127.255
    Organization: Network Layer Technologies Inc (NLT-150)

    179.61.233.0
    Lookup results for 179.61.233.0 from whois.lacnic.net server:

    inetnum: 179.61.233/24
    status: reallocated
    owner: Digital Energy Technologies Chile SpA
    ownerid: US-DETC4-LACNIC
    responsible: WZ Communications Inc.

  6. John

    A quick look at Mikhail Andreev's github profile does show that he has the coding abilities and interests to build the network required for Methbot. Fits the profile for sure.

    Really impressive repositories he maintains and repositories that he’s following.

Comments are closed.