Cybercriminals Make Millions With Ad Fraud Bot Farm

Russian cybercriminals can earn up to $5 million per day through a massive ad fraud operation powered by a bot farm that uses hundreds of servers and more than 500,000 IP addresses, online fraud detection firm White Ops reported on Tuesday.

Ad fraud typically involves malware-infected computers that cybercriminals abuse to generate fake advertising traffic. However, in the campaign observed by White Ops over the past three months, dubbed Methbot, the scammers created their own “users.”

The cybercrooks rely on 800-1,200 servers housed by data centers located in Dallas and Amsterdam, and more than 570,000 IPv4 addresses made to look as if they belong to residential ISPs in the United States. The value of these IP addresses has been estimated at more than $4 million.

Methbot uses Node.js and various open source libraries to simulate a web browser. In order to avoid being flagged by bot detection systems, it spoofs user agent strings for various browsers and operating systems, including Chrome, Firefox, Internet Explorer, Windows and Mac OS X.

Furthermore, the bot farm is capable of emulating browser windows, mouse cursor movements, clicks and even social media logins in an effort to convince advertisers that the traffic is generated by real people.

In the first phase of the operation, Methbot selects a domain or a URL from a list of premium publishers. It generates a fake webpage containing only the elements needed to support an ad, then requests a video advertisement from an ad network using a spoofed URL that matches the publisher's. The ad is loaded in the simulated browser through a proxy, and the various human-mimicking mechanisms are enabled to trick anti-fraud systems into believing that the activity is the result of real user interaction.

Researchers said the attackers spoofed the domains of more than 6,000 publishers, including companies such as Vogue, The Economist, ESPN, Fortune, Fox News and International Business Times.

By targeting premium video ads and making it appear as if the ad has been accessed from a high-value geographical location, the cybercriminals behind Methbot can earn between $3 million and $5 million per day, White Ops determined after consulting programmatic media intelligence firm AD/FIN. Experts said Methbot generates 200 – 300 million fake impressions every day, with the CPM (cost per thousand impressions) ranging between $3.27 and $36.72.

If these figures are accurate, the financial damage caused by Methbot is far greater than in the case of other botnets, such as ZeroAccess ($900,000 per day), Chameleon ($200,000 per day), and Avalanche ($40,000 per day).

White Ops has shared a list of IP addresses, spoofed domains and URLs used by Methbot in an effort to help advertisers and technology providers block attacks.
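The sketch below is an added example, not code from White Ops or SecurityWeek, showing how a shared indicator list of this kind can be applied to ad-request logs. The CIDR ranges, domains and log rows are constructed placeholders, and the function names are hypothetical. Because the spoofed domains belong to real publishers, the domain list is used to measure exposure per publisher, while only the source IP ranges drive a block decision.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed placeholders (documentation-only ranges and domains), not the
# indicators White Ops published; load the real lists from the shared files.
BLOCKED_RANGES = [ipaddress.ip_network(c)
                  for c in ("192.0.2.0/24", "198.51.100.128/25")]
SPOOFED_DOMAINS = {"premium-news.example", "sports.example"}

# Constructed ad-request log: (client IP, page URL declared in the request).
SAMPLE_LOG = [
    ("192.0.2.17", "https://www.premium-news.example/video/1"),
    ("198.51.100.200", "https://sports.example/highlights"),
    ("198.51.100.20", "https://sports.example/highlights"),
    ("203.0.113.9", "https://blog.example/post"),
    ("192.0.2.250", "https://blog.example/post"),
    ("not-an-ip", "https://premium-news.example/"),
]

def registered_host(url):
    """Lower-cased host of the declared page URL, without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(ip_text):
    """Return 'block', 'review' or 'allow' for the source of one ad request."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "review"  # malformed source address: never silently allow
    return "block" if any(ip in net for net in BLOCKED_RANGES) else "allow"

def exposure_by_domain(log):
    """Per spoofed publisher domain: (impressions from blocked ranges, total)."""
    total, blocked = Counter(), Counter()
    for ip_text, url in log:
        host = registered_host(url)
        if host not in SPOOFED_DOMAINS:
            continue  # the domain list scopes the report; it is not a blocklist
        total[host] += 1
        if classify(ip_text) == "block":
            blocked[host] += 1
    return {host: (blocked[host], total[host]) for host in total}

if __name__ == "__main__":
    for host, (bad, seen) in sorted(exposure_by_domain(SAMPLE_LOG).items()):
        print(f"{host}: {bad}/{seen} declared impressions from blocked ranges")
```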

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
