Methbot is essentially a network of computers located in data centers whose sole purpose is to watch video ads fraudulently, so that its operators are paid for ads that were never actually served to people, only to bots. It is believed that the operation is controlled by a group out of Russia and uses computer networks in data centers in several parts of the world, primarily in the US and the Netherlands. The exact extent of the operation is still unknown, but the network is believed to be so vast that it is capable of generating upwards of $3 million to $5 million per day.
This operation is potentially one of the largest and most lucrative ever devised. It is still so new that data is being gathered on exactly how it is set up and how it evades the complex fraud detection used by large advertising networks and publishers. It is believed to be a complex network of computers, spread across many different locations and IP addresses, designed to appear to detection software as ordinary people watching video ads. The list of known IP addresses associated with this network is still in its infancy, and publishers are scrambling to get their hands on IP addresses in order to plug the holes. With advertising networks hemorrhaging $5 million per day, this is a devastating blow to the digital advertising market.
Believed by many to be the first of its kind, Methbot derives its nickname from references to ‘meth’ in the complicated code base. Many online security companies are struggling to put together defensive strategies, but short of pausing ad campaigns, there is nothing at the moment that can ensure you are not paying for ads that are not being seen by your target audience.
What is Methbot?
Methbot is an army of computers, mostly networked together. They act as internet browsers that intentionally watch videos paid for by advertisers, on websites that essentially don’t exist. It is believed that over 6,000 premium domain names were targeted, then cloned and made to serve up video ads. These ads were never seen by people, but ‘watched’ by bots. These bots (‘bot’ is a nickname for a small program designed for simple functions, like a robot) trick the system into thinking they are an actual set of human eyeballs. The bots trigger the videos and let them play, and the account collects a small fee for having served up the video ad content as normal.
Making things more complex is the fact that the network specifically targets ads with a higher cost per thousand impressions (CPM). These are thought to range from $5 to over $35, with an average CPM of around $15. With around 300 million video ad impressions possibly being generated on a daily basis, it’s easy to see just how lucrative this network can be.
The network has also spoofed around 250,000 URLs and made them look like they are in the advertising network. With over 1,000 different dedicated servers, it is going to be extremely difficult to pinpoint origins, and especially tedious to do anything to stop them. Even if the IP addresses become known, it is not especially difficult or time consuming for the operators to use new URLs, new servers or new IP addresses. This is a new system with unprecedented levels of reach. There have been other similar network attacks, but nothing to this degree. Most of the other attacks have relied primarily on malware to ‘infect’ vulnerable computers to do their bidding; this is thought to be the first ‘bot farm’ whose sole purpose is serving up video content and simultaneously watching it. The more traditional approach uses malware to enlist existing residential and private computers, without their owners’ knowledge, to watch the video ads and produce false impressions so that phony publishers can collect. Methbot is thought to use a custom browser engine to engage video ad content across a massive network of fake IP addresses.
This new method has allowed Methbot to scale operations almost unchecked.
This new system has been specifically engineered to appear human, manipulate geolocation and traditional IP information, and evade detection.
How to avoid Methbot?
Avoiding Methbot is no small feat. As of now, there is no known method of completely avoiding its reach. One of its more ingenious aspects is that it essentially takes small amounts of money from a large number of people, so the effect on any individual can go mostly unnoticed. That compounds the problem, because there aren’t enough heavily affected people to put the resources together to launch a countermeasure, and the advertisers and publishers spending enough to be greatly affected aren’t numerous enough to have gained mainstream momentum.
There are several organizations working feverishly to stop Methbot. Perhaps at the forefront is WhiteOps. Their aim is to better understand the methodology and bring to light the network of IPs and URLs known to be involved.
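As an added example (not from the original article or from WhiteOps), here is one way a publisher or advertiser could apply such a list of known IP ranges to its own video impression logs and estimate the spend exposed per campaign. The IP ranges, log entries and campaign names are constructed for illustration; the ranges are reserved documentation addresses, not real Methbot indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist: documentation-only ranges standing in for a published
# list of suspect data-center ranges (assumption, not real indicators).
BLOCKED_RANGES = [ipaddress.ip_network(n)
                  for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed impression log: (source IP, campaign, CPM in dollars).
IMPRESSIONS = [
    ("198.51.100.17", "campaign-a", 15.0),
    ("192.0.2.44", "campaign-a", 15.0),
    ("203.0.113.5", "campaign-b", 35.0),
    ("203.0.113.200", "campaign-b", 35.0),   # same /24, outside the listed /25
    ("not-an-ip", "campaign-b", 35.0),       # malformed log field
    ("198.51.100.250", "campaign-a", 5.0),
]

def is_blocked(ip_text):
    """True/False for a parseable address, None when the field is malformed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in net for net in BLOCKED_RANGES)

def audit(impressions):
    """Per campaign: impressions seen, flagged, malformed, and dollars at risk."""
    report = defaultdict(lambda: {"total": 0, "flagged": 0,
                                  "invalid": 0, "spend_at_risk": 0.0})
    for ip_text, campaign, cpm in impressions:
        row = report[campaign]
        row["total"] += 1
        verdict = is_blocked(ip_text)
        if verdict is None:
            row["invalid"] += 1      # count it; do not silently drop bad rows
        elif verdict:
            row["flagged"] += 1
            row["spend_at_risk"] += cpm / 1000.0  # CPM is the price per 1,000
    return dict(report)

if __name__ == "__main__":
    for campaign, row in sorted(audit(IMPRESSIONS).items()):
        print(campaign, row)
```

Because the operators can move to new servers and addresses, a match here is a lower bound on exposure, and the list needs to be refreshed as new ranges are published.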
As more and more people become aware of the situation and get involved in solutions, Methbot will most likely become a catalyst for improved preventative measures against fraudulent digital advertising. Until then, we wait.