Cybercriminals Make Millions With Ad Fraud Bot Farm

Russian cybercriminals can earn up to $5 million per day through a massive ad fraud operation powered by a bot farm that uses hundreds of servers and more than 500,000 IP addresses, online fraud detection firm White Ops reported on Tuesday.

Ad fraud typically involves malware-infected computers that cybercriminals abuse to generate fake advertising traffic. However, in the campaign observed by White Ops over the past three months, dubbed Methbot, the scammers created their own “users.”

The cybercrooks rely on 800-1,200 servers housed by data centers located in Dallas and Amsterdam, and more than 570,000 IPv4 addresses made to look as if they belong to residential ISPs in the United States. The value of these IP addresses has been estimated at more than $4 million.

Methbot uses Node.js and various open source libraries to simulate a web browser. In order to avoid being flagged by bot detection systems, it spoofs user agent strings for various browsers and operating systems, including Chrome, Firefox, Internet Explorer, Windows and Mac OS X.

Furthermore, the bot farm is capable of emulating browser windows, mouse cursor movements, clicks and even social media logins in an effort to convince advertisers that the traffic is generated by real people.

In the first phase of the operation, Methbot selects a domain or a URL from a list of premium publishers. A fake webpage that contains only the elements needed to support an ad is generated, and a video advertisement is requested from an ad network using a spoofed URL that matches the publisher's. The ad is loaded in the simulated browser through a proxy, and the various human-mimicking mechanisms are enabled to trick anti-fraud systems into believing that the activity is the result of real user interaction.

Researchers said the attackers spoofed the domains of more than 6,000 publishers, including companies such as Vogue, The Economist, ESPN, Fortune, Fox News and International Business Times.

By targeting premium video ads and making it appear as if the ad has been accessed from a high-value geographical location, the cybercriminals behind Methbot can earn between $3 million and $5 million per day, White Ops determined after consulting programmatic media intelligence firm AD/FIN. Experts said Methbot generates 200 – 300 million fake impressions every day, with the CPM (cost per thousand impressions) ranging between $3.27 and $36.72.

If these figures are accurate, the financial damage caused by Methbot is far greater than in the case of other botnets, such as ZeroAccess ($900,000 per day), Chameleon ($200,000 per day), and Avalanche ($40,000 per day).

White Ops has shared a list of IP addresses, spoofed domains and URLs used by Methbot in an effort to help advertisers and technology providers block attacks.
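As an added illustration (not White Ops' tooling and not part of the original article), the sketch below shows how an ad platform could apply such a list to its own impression log. The list format, the function names and every address, domain and CPM value are constructed assumptions; the IP ranges are RFC 5737 documentation ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for a published IP blocklist (assumed CIDR format).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Constructed stand-ins for publisher domains known to be spoofed.
SPOOFED_DOMAINS = {"premium-publisher.example", "news-site.example"}

# Constructed impression log: (client IP, declared page URL, CPM in USD).
IMPRESSIONS = [
    ("192.0.2.17", "https://premium-publisher.example/video/1", 12.50),
    ("198.51.100.200", "https://news-site.example/clip", 8.00),
    ("198.51.100.9", "https://www.news-site.example/clip", 20.00),
    ("203.0.113.5", "https://other.example/home", 5.00),
    ("not-an-ip", "https://premium-publisher.example/", 3.27),
]

def classify(raw_ip):
    """Return 'block' for a listed range, 'review' for an unparseable IP, else 'allow'."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return "review"  # malformed field: cannot be checked, so do not silently allow
    return "block" if any(addr in net for net in BLOCKED_NETS) else "allow"

def domain_spoofed(url):
    """True if the declared page host is a listed domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SPOOFED_DOMAINS)

def summarize(impressions):
    """Count verdicts, blocked impressions claiming a listed publisher, and spend at stake."""
    counts = {"block": 0, "review": 0, "allow": 0}
    spoof_matches, cost = 0, 0.0
    for ip, url, cpm in impressions:
        verdict = classify(ip)
        counts[verdict] += 1
        if verdict == "block":
            cost += cpm / 1000.0  # CPM is the price per thousand impressions
            spoof_matches += domain_spoofed(url)
    return counts, spoof_matches, round(cost, 4)

if __name__ == "__main__":
    print(summarize(IMPRESSIONS))
```

A listed publisher domain on its own is not treated as a signal here, because the real publisher also receives genuine traffic; it only strengthens a match when the request also comes from a listed range.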

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
