A group of Russian criminals are making between $3 million and $5 million every day in a brazen attack on the advertising market, security firm White Ops claimed today. It’s the biggest digital ad fraud ever uncovered, perpetrated by faking clicks on video ads, the company said.
The crew, which White Ops dubbed Ad Fraud Komanda or “AFK13”, planned their machinations in meticulous detail. First, they created more than 6,000 domains and 250,267 distinct URLs within those that appeared to belong to real big-name publishers, from ESPN to Vogue. But the only thing hosted on each page was a video ad.
With faked domain registrations, they were able to trick the algorithms that decide where the most profitable ads go into buying their fraudulent web space. Those algorithms bid for the ad space best suited to an advertisement’s intended audience, completing each auction in milliseconds. But AFK13 were able to game the system so that their space was purchased ahead of big-name brands.
AFK13 then invested heavily in a bot farm, taking up space in data centers so they could fire faked traffic from more than 570,000 bots at those ads, thereby driving revenue thanks to the pay-per-click system they exploited. As part of what White Ops called the Methbot campaign, those bots “watched” as many as 300 million video ads a day, with an average of $13.04 per faked view. And the fraudsters had their bot army replicate the actions of real people, with faked clicks, mouse movements and social network login information.
White Ops provided an example of how Methbot faked a domain.
Some serious technical effort went into the illegal campaign too, as the crew’s hackers reverse engineered ad-quality verification processes and determined how to pass off the impressions as legitimate, according to a white paper released today by White Ops.
To make those bots appear more real, and thereby bypass normal anti-fraud detection measures, the group obtained hundreds of thousands of IP addresses and associated them with major U.S. internet providers so it looked like they were based in American homes. Those IP addresses were “fraudulently obtained” from at least two of the world’s five regional Internet registries.
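The three tricks described above (pages that claim a premium publisher’s domain, a data-center bot farm producing hundreds of views per address, and IP blocks registered to residential ISPs but actually hosted elsewhere) each leave a signal that a buyer or exchange can check for on its own side of the auction. The script below is an added illustration, not code from White Ops or from the white paper: it runs three such checks over a handful of constructed impression records. The seller allowlist, the registry-owner table, the data-center range list and the per-address view threshold are all assumptions made up for the example, not real Methbot indicators.

```python
import ipaddress
from collections import Counter

# Constructed sample of one day's ad impression records (not real Methbot data).
# Each record carries the publisher domain the page *claimed* to be, the seller
# that sold the inventory, the viewer's IP and how many video views it produced.
IMPRESSIONS = [
    {"claimed_domain": "espn.com",  "seller_id": "seller-espn-1",  "ip": "203.0.113.10", "views": 2},
    {"claimed_domain": "vogue.com", "seller_id": "seller-conde-7", "ip": "198.51.100.5", "views": 1},
    {"claimed_domain": "espn.com",  "seller_id": "seller-afk-99",  "ip": "192.0.2.77",   "views": 640},
    {"claimed_domain": "vogue.com", "seller_id": "seller-afk-99",  "ip": "192.0.2.78",   "views": 610},
    {"claimed_domain": "vogue.com", "seller_id": "seller-afk-42",  "ip": "192.0.2.79",   "views": 590},
]

# Constructed allowlist: the sellers each publisher actually has a contract with
# (the "known actors with contractual relationships" Magnusson describes).
AUTHORIZED_SELLERS = {
    "espn.com": {"seller-espn-1"},
    "vogue.com": {"seller-conde-7"},
}

# Constructed registry view: who each block is *registered* to (assumed values) ...
REGISTRY_OWNER = {
    ipaddress.ip_network("203.0.113.0/24"): "Residential ISP A",
    ipaddress.ip_network("198.51.100.0/24"): "Residential ISP B",
    ipaddress.ip_network("192.0.2.0/24"): "Residential ISP A",  # registered as residential ...
}
# ... versus constructed routing data: blocks actually announced from data-center space.
DATACENTER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

VIEWS_PER_IP_PER_DAY = 100  # assumed threshold; a single household rarely exceeds it


def spoofed_publisher(rec):
    """True when the page claims a publisher domain but the inventory was sold by
    a seller that publisher never authorized (domain spoofing)."""
    return rec["seller_id"] not in AUTHORIZED_SELLERS.get(rec["claimed_domain"], set())


def registry_owner(ip):
    addr = ipaddress.ip_address(ip)
    for net, owner in REGISTRY_OWNER.items():
        if addr in net:
            return owner
    return None


def in_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def ip_provenance_mismatch(ip):
    """True when the registry attributes the address to a residential ISP but
    routing data places it in a data center: the registration was faked."""
    owner = registry_owner(ip)
    return owner is not None and owner.startswith("Residential") and in_datacenter(ip)


def audit(impressions, views_threshold=VIEWS_PER_IP_PER_DAY):
    """Return one finding per suspicious record, with every reason that fired."""
    findings = []
    for rec in impressions:
        reasons = []
        if spoofed_publisher(rec):
            reasons.append("seller not authorized for claimed domain")
        if ip_provenance_mismatch(rec["ip"]):
            reasons.append("residential registration but data-center routing")
        if rec["views"] > views_threshold:
            reasons.append(f"{rec['views']} video views from one address in a day")
        if reasons:
            findings.append({"ip": rec["ip"], "seller_id": rec["seller_id"],
                             "claimed_domain": rec["claimed_domain"], "reasons": reasons})
    return findings


def sellers_to_shun(findings):
    """Count which sellers the findings point at, so the buyers who paid them can
    'follow the money' and cut them off."""
    return Counter(f["seller_id"] for f in findings)


if __name__ == "__main__":
    found = audit(IMPRESSIONS)
    for f in found:
        print(f["ip"], f["claimed_domain"], f["seller_id"], "->", "; ".join(f["reasons"]))
    print("sellers to shun:", dict(sellers_to_shun(found)))
```

Each check is deliberately independent: spoofing is decided from the publisher’s own allowlist, the IP check only needs two data sources that disagree, and the volume check needs nothing but a count. In the constructed sample all three fire on the same three records, which is the point of correlating them: a single signal can have an innocent explanation, but an unauthorized seller moving hundreds of views per day through addresses whose registration contradicts their routing is the pattern the article describes.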
White Ops began tracking the activity back in September 2015, when it saw unique bot traffic passing over a customer’s network. It wasn’t until October 2016 that Methbot went into full swing, however.
It’s unclear where the Russian link comes from. Eddie Schwartz, chief operating officer at White Ops, told me the company found links between the data centers and the “unique signals” used by the hackers. He couldn’t provide more details for fear of revealing too much about White Ops’ methods. Nevertheless, he claimed to have “direct attribution” for those behind the crime.
“We have zero doubt this is a group based in Russia, it’s a single group. We’ve actually been working with federal law enforcement for weeks now,” Schwartz added.
Ad buyers losing big time
Those spending money on the automated systems are losing significant sums, not just from Methbot but from other similar campaigns. Those funds might never be retrieved, however. “That’s part of the challenge,” Schwartz added, noting that where prosecutions have been possible in Western nations, money has been recovered. “Historically… it’s been challenging to get cooperation with Russia to prosecute cyber-related crimes.”
White Ops said it had provided the information to law enforcement, which was investigating. It didn’t say which agency. Geir Magnusson, an ad fraud expert and CTO at Sourcepoint Technologies, said it should be possible to shut AFK13 out of the ad market.
“All actors in a bidding ecosystem are known and have contractual business relationships – this isn’t a ‘dark web’ of anonymous buyers and sellers,” added Magnusson, who reviewed White Ops’ findings prior to publication.
“I think the key will be ensuring that information like what White Ops has found gets broadly disseminated, and that the actors in the ecosystem work closely to help each other ‘follow the money’ and enforce the shunning of bad actors.”
Worryingly, the fraud could be even bigger than reported today. “Because White Ops is only able to analyze data directly observed by White Ops, the total ongoing monetary losses within the greater advertising ecosystem may be exponentially greater,” the company wrote in its white paper. “At this point the Methbot operation has become so embedded in the layers of the advertising ecosystem, the only way to shut it down is to make the details public to help affected parties take action.”
With today’s release, it’s hoped the industry will collaborate to shut Methbot down.