Online Security: Fraud detection firm outs $1b Russian ad-fraud gang and its robo-browsing Methbot
A $1 billion Russia-based criminal gang has been bilking online advertisers by impersonating high-profile Web sites like ESPN, Vogue, CBS Sports, Fox News and the Huffington Post and selling phony ad slots, but that’s about to end. Online fraud-prevention firm White Ops is releasing data today that will enable online advertisers and ad marketplaces to block the efforts of the group, which is cashing in on its intimate knowledge of the automated infrastructure that controls the buying and selling of video ads.
The group has been ramping up its activities since October so that it now reaps roughly $3 million to $5 million per day from unsuspecting advertisers and gives them nothing in return, says White Ops, which discovered the first hints of the scam in September.
When someone clicks on a video that’s posted to a Web page, the video is often preceded by a short advertising video known as pre-roll. The pre-roll slot is sold realtime – within 100 milliseconds – via an automated auction. That click to request the video is what initiates the ad auction, and the browser directly receives the pre-roll from the advertiser that wins, says White Ops CEO Michael Tiffany.
The system relies on information provided by the browser to verify what site the browser user is visiting and that it actually receives the pre-roll ad. “The ecosystem believes what the browser says about what site you’re at,” he says.
Beware Methbot
The gang, which Tiffany calls AFK13, has created a robo-browser called Methbot that spoofs all the interactions needed to initiate, carry out and complete the ad transactions. So Methbot contacts an ad exchange and says it needs a pre-roll for a video on Vogue.com, for example. The system runs an instant auction, settles on an ad and sends it to Methbot, which confirms that it received the ad and played it.
Then the advertiser pays the entity that owns the website the browser claimed to be visiting, but that entity ultimately resolves to AFK13, not to Vogue.com, in this example, he says.
Beyond this, AFK13 spoofs the geolocation of the IP addresses that the Methbot servers use so it seems they are all owned by U.S. internet service providers. The proxy IP addresses mask the fact that Methbot traffic is generated by servers as opposed to individual personal computers generating legitimate traffic. It also hides that the servers are located in data centers in Dallas and Amsterdam.
This helps Methbot duck detection mechanisms that look for a few IP addresses generating enormous volumes of requests, Tiffany says, enabling AFK13 to sell 200 million to 300 million false ad impressions per day for 1.3 cents per view on average, White Ops says. The fraud network does its work from an estimated 800 to 1,000 nodes in its data centers and operates 24 hours per day, with a sales cycle of 5 seconds per impression.
Methbot further avoids detection by selling the ads on more than 6,000 domains representing about 250,000 URLs.
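The detection mechanism the previous paragraphs describe, a volume threshold per source IP, is what a large pool of proxy addresses is meant to slip under. The added example below (written for this page; it is not White Ops code and uses constructed log lines, not captured Methbot traffic) counts ad requests in a sliding window per IP and, going one step beyond the text, per /24 netblock, so that a pool of addresses that individually stay quiet still shows up as one loud source. The thresholds and the log format are assumptions.

```python
"""Added example: volume-based screening of ad requests per source IP and per /24
netblock over a sliding window. Log lines are constructed, not real captures."""
from collections import Counter
import ipaddress

# Constructed log format (an assumption): "<unix_ts> <client_ip> <claimed_domain>".
# Twenty addresses in 198.51.100.0/24 each make a single request within 20 seconds;
# one address in 192.0.2.0/24 makes three. Both ranges are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"{1482192000 + i} 198.51.100.{i + 1} vogue.com" for i in range(20)]
    + [f"{1482192030 + i} 192.0.2.5 espn.com" for i in range(3)]
)


def parse_log(text):
    """Parse log lines into (timestamp, ip_address, claimed_domain) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, domain = line.split()
        events.append((int(ts), ipaddress.ip_address(ip), domain))
    return events


def count_in_window(events, key, window_s, now):
    """Count events with now - window_s < ts <= now, grouped by key(ip)."""
    counts = Counter()
    for ts, ip, _domain in events:
        if now - window_s < ts <= now:
            counts[key(ip)] += 1
    return counts


def netblock(ip, prefix=24):
    """Map an address to its enclosing /prefix network (the aggregation key)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def flag_sources(events, now, window_s=60, per_ip=10, per_block=15):
    """Return the IPs and /24 blocks whose request counts exceed the thresholds.

    per_ip alone is the check the article says Methbot evades; per_block is the
    added aggregation that catches a pool of low-volume addresses in one range.
    """
    by_ip = count_in_window(events, lambda ip: ip, window_s, now)
    by_block = count_in_window(events, netblock, window_s, now)
    return {
        "ips": sorted(str(ip) for ip, n in by_ip.items() if n > per_ip),
        "blocks": sorted(str(b) for b, n in by_block.items() if n > per_block),
    }


if __name__ == "__main__":
    # Per-IP check sees nothing; the /24 check flags the whole pool.
    print(flag_sources(parse_log(SAMPLE_LOG), now=1482192059))
```

The per-block key is a simple stand-in; in production the same counter would usually be keyed on the announcing network or registered allocation rather than a fixed /24, since the article notes the addresses were registered to look like U.S. ISP space.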
To pull this all off, AFK13 has amassed an impressive infrastructure that includes:
• The servers that generate all the Methbot browser activity.
• A bank of 500,000 IPv4 addresses (worth about $4 million if sold on the open market).
• A means of registering those IP addresses so they appear to be allocated to U.S. ISPs.
• Methbot software.
The software has been upgraded over the period that White Ops became aware of it, Tiffany says. For example, White Ops first caught on to the scam when it noted a small error in an HTTP header used by the group. One value, known as Cache-Control, contained a colon, which violated the specification for that value. Since then the error has been corrected.
White Ops has been blocking Methbot traffic for its customers, but the only way to stop it entirely is to release the list of URLs indicative of Methbot, the IP addresses used by AFK13 and the list of publisher domains it forges.
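Two of the defensive signals above lend themselves to a concrete check: the malformed Cache-Control header that first exposed the traffic, and the released indicator lists (IP ranges, URLs, forged publisher domains). The added example below is not White Ops code; the exact malformed header value is not on the page, so the sample requests, the indicator paths and the address ranges are constructed placeholders. It validates each Cache-Control directive against the grammar in RFC 7234 (a colon is not a legal token character, so it may only appear inside a quoted string) and screens a bid request against the three lists, treating a claimed forged publisher as a reason for review rather than a block, since real traffic from that site must not be cut off.

```python
"""Added example: screening ad-bid requests against the RFC 7234 Cache-Control
grammar and published indicator lists. All indicator values are constructed."""
import ipaddress
import re

# RFC 7234 s5.2 with RFC 7230 s3.2.6 token rules:
#   cache-directive = token [ "=" ( token / quoted-string ) ]
# ':' is not a tchar, so outside a quoted-string it makes the directive malformed.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(rf"^({TOKEN})(?:=({TOKEN}|{QUOTED}))?$")


def split_directives(value):
    """Split a Cache-Control field value on commas that are not inside a quoted-string."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip(" \t") for p in parts if p.strip(" \t")]


def malformed_directives(value):
    """Return the directives in a Cache-Control value that violate the grammar."""
    return [d for d in split_directives(value) if not DIRECTIVE_RE.match(d)]


# Constructed indicator lists (documentation ranges, invented paths) standing in
# for the IP ranges, URLs and forged publisher domains the article says were released.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
INDICATOR_PATHS = {"/example-indicator-path-1", "/example-indicator-path-2"}
FORGED_PUBLISHERS = {"vogue.com", "espn.com"}  # legitimate sites whose identity was spoofed


def screen_bid_request(req):
    """Return (verdict, reasons): 'block' on a hard indicator hit, 'review' on an
    anomaly (bad header, claimed forged publisher), 'allow' otherwise."""
    hard, soft = [], []
    if any(ipaddress.ip_address(req["client_ip"]) in net for net in BLOCKED_NETWORKS):
        hard.append("client IP in published fraud range")
    if req["path"] in INDICATOR_PATHS:
        hard.append("URL on published indicator list")
    bad = malformed_directives(req["headers"].get("Cache-Control", ""))
    if bad:
        soft.append(f"malformed Cache-Control directive(s): {bad}")
    if req["claimed_domain"] in FORGED_PUBLISHERS:
        soft.append("claimed publisher is on the forged-domain list")
    if hard:
        return "block", hard + soft
    if soft:
        return "review", soft
    return "allow", []


# Constructed sample bid requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"client_ip": "192.0.2.10", "path": "/video/123", "claimed_domain": "example.org",
     "headers": {"Cache-Control": "max-age=0, no-cache"}},
    {"client_ip": "192.0.2.11", "path": "/video/456", "claimed_domain": "vogue.com",
     "headers": {"Cache-Control": "no-cache: max-age=0"}},  # colon outside a quoted-string
    {"client_ip": "203.0.113.7", "path": "/video/789", "claimed_domain": "espn.com",
     "headers": {"Cache-Control": "no-cache"}},
    {"client_ip": "192.0.2.12", "path": "/video/999", "claimed_domain": "espn.com",
     "headers": {"Cache-Control": 'no-cache="Set-Cookie, Vary", private'}},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict, reasons = screen_bid_request(r)
        print(r["client_ip"], r["claimed_domain"], verdict, reasons)
```

The fourth sample shows why the splitter tracks quoted strings: `no-cache="Set-Cookie, Vary"` is a valid directive whose comma and embedded value would be mangled by a naive `split(",")`, producing false positives on legitimate traffic.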
Tiffany says White Ops has also notified the FBI about the scam.