Methbot

Methbot is a botnet reported in December 2016 by White Ops, a New York-based digital advertising security company, and has been labeled the largest and most profitable fraud operation impacting digital advertising to date. According to White Ops, Methbot, named after the drug references in its code, is controlled by a Russian-based fraud ring, operates out of data centers located within the U.S. and the Netherlands, and generates $3 to $5 million in fraudulent advertising revenue per day. It conducts this operation by maintaining a network of over 570,000 IP addresses that were fraudulently acquired and falsely registered, allowing it to evade detection by data centers. It uses a specially crafted web browser, fake social media accounts, and even a mouse-click simulator to make it appear that an actual human is consuming the ad content. It also spoofs popular websites and fabricates inventory, requesting video advertisements from ad networks, which robs legitimate sites of ad revenue. Researchers at White Ops determined that Methbot generates up to 300 million video advertisement impressions per day and that it spoofed over 6,000 premium-level domain names, which attracted millions of dollars in advertising revenue. White Ops has partnered with the Trustworthy Accountability Group to help bring an end to Methbot and advises all advertisers, ad agencies, and technology providers to block IP addresses associated with Methbot in order to prevent ads from appearing on the botnet’s inventory.

Reporting and Technical Details

  • December 2016: Report: $3-5M in Ad Fraud Daily from ‘Methbot’ (Krebs on Security)
  • December 2016: The Methbot Operation (White Ops)
  • White Ops provides downloadable TXT files containing the full list of URLs, spoofed domains, compromised IP addresses and IP ranges on its website.

White Ops provided an example of how Methbot faked a domain.