Advertising scams are nothing new - they have been around for as long as advertising itself, and like advertising they keep evolving. The techniques fraudsters use grow more sophisticated every year, the technology behind them is more advanced, and the detection rate is lower. That does not mean those responsible always go unpunished and anonymous: some ad fraud operations are detected and shut down, although such cases are a small share of all advertising fraud. Below we briefly describe the largest known advertising fraud operations uncovered between 2012 and 2017.
Chameleon, one of the first click bots identified that mimicked user behavior, was first spotted by Spider.io in December 2012. The botnet comprised at least 120,000 Windows computers in the United States, and its fraudulent clicks were generated on 202 websites belonging to a small group of publishers. The sites covered a deliberately wide range of topics to extend the reach of the scam. By one estimate, Chameleon was costing display advertisers about USD 6 million per month.
ZeroAccess is a Trojan that infected over 2 million computers and generated roughly $100,000 a day for the fraudsters. Once on a machine it downloaded further malicious programs and applications. ZeroAccess was first mentioned in May 2011, but the first official report came from Symantec in July 2013: the security company found a weakness in the botnet's peer-to-peer communication and used it to cut more than half a million infected machines out of the botnet. From December 2013 the case was pursued by more organizations, including the FBI and Microsoft (which put together a whole coalition to fight it), but this did not stop the operators from reactivating the ZeroAccess botnet between March 21 and July 2, 2014, and again in January 2015.
Miuref is a Trojan discovered in November 2013 that facilitates click fraud (one of several malicious purposes it serves). It usually reached a device as an attachment to spam messages or as a file the user downloaded voluntarily while it posed as some other program or application; it then installed itself as a browser plug-in and ran whenever the browser was used.
Miuref, also known as Boaxxe, is more than a click bot and has often been used alongside other botnets. It could monitor browser activity, display pop-up ads, redirect users to potentially malicious websites when they used a search engine, and otherwise violate users' privacy. Although it has been identified and can be removed by up-to-date antivirus software, it remains a serious problem.
Kovter first appeared in 2013 as so-called police ransomware: after installing itself on a device it displayed a notice purporting to come from law enforcement, claiming that the user had been caught downloading illegal files and demanding payment of a "fine". In some later variants this fake fine was replaced with a plain ransom demand.
A year later, in 2014, the first reports of Kovter being used for advertising fraud appeared. The program still observed the user's Internet traffic, but now used what it learned to carry out online advertising scams. It infected a device and then injected code that located selected information, stole it and sent it to the scammers' servers. Later versions ran largely filelessly, persisting through Windows registry entries and scripts rather than files on disk, which made them harder to detect. The malware in its various guises has been (and still is) used in ad click fraud, scareware and data exfiltration.
In September 2015, the cybersecurity firm White Ops (now HUMAN) began tracking unusual bot traffic passing through its clients' networks. The ad fraud it uncovered became known as Methbot, after the fake browser the scammers used, called "methbrowser". It originated in Russia (with no known link to state authorities) and was extremely complex and planned down to the smallest detail.
A criminal group calling itself Ad Fraud Komanda, or "AFK13", acquired 571,904 dedicated IP addresses, which it had falsely registered as belonging to US residential ISPs so that the traffic would look like home users, created about 6,000 dummy domains and 250,267 distinct URLs, and used variant names of well-known publishers to impersonate them. Having studied how ad-buying platforms decide where the most profitable video ads are placed, the fraudsters tuned their fake sites and traffic so that the algorithms preferred their inventory. Over half a million bots imitated human behavior (mouse movements, clicks, even faked social-network logins), generating up to 300 million video ad views per day on the scam websites, worth three to five million dollars a day. Notably, the botnet ran not on infected phones or PCs but on roughly 1,000 real servers in data centers in Dallas, Texas and Amsterdam.
Among those affected by Methbot were brands such as The New York Times, The New York Post, Comcast and Nestle, and the damage it caused to the advertising industry is estimated at between $180 million and as much as $1 billion. At the end of 2021 one member of "AFK13", Aleksandr Zhukov, was sentenced to 10 years in prison and ordered to forfeit over $3.8 million. We wrote more about this ad fraud in 2020 in the article Methbot - the new face of BOT farms.
HummingBad is Android malware that installs a rootkit on the infected device and lets the criminals take control of it.
Once the user downloads and opens it, the operators can not only install additional programs and applications but also intercept everything entered on the device. From what is known, however, HummingBad was used mainly to generate fraudulent clicks on mobile and online advertisements, which brought in large revenues - up to $300,000 per month, around $4 million per year. Infected devices did not just click on ads automatically; the malware also made the ads hard to close, which produced an extremely high click-through rate of 12.5%.
Check Point analysts determined that 10 million Android devices had been infected worldwide. Although HummingBad was detected and shut down in 2016, a year later it returned in a new guise as HummingWhale, hidden in over 20 apps on the Google Play store. The program is believed to have been created by the Chinese advertising company YingMob.
3ve (pronounced "Eve") - a new version of Methbot
In 2017, a group consisting largely of the team behind Methbot launched 3ve, which used the existing Kovter and Miuref botnets to gain access to almost 2 million infected computers. The new operation was more advanced: it built its spoofed URLs from entries harvested from publishers' ads.txt files, including stale ones, so that its inventory could pass buyers' ads.txt checks and the fraud kept working despite the standard. 3ve also generated even more video views; the scammers behind it are estimated to have made $29 million before it was discovered and shut down.
The chamois is a mountain goat known for its hardiness, adaptability and ability to find food in the most hostile places - hence the name Google gave to a family of related malware found in thousands of apps, some of which made it onto the Google Play Store.
Google classified Chamois as an Android PHA (Potentially Harmful Application) family: it generates invalid traffic through pop-up ads, installs apps in the background without the user's consent, and commits telephony fraud by sending premium-rate text messages.
Google eventually removed the most harmful Chamois-infected applications and described the fraud (and the fight against it) on its blog in March 2017.
In the same year another ad clicker turned the ads.txt standard to its advantage: HyphBot, considered more than three times bigger than Methbot. According to analysts it involved at least 500,000 infected computers in the US, UK, the Netherlands and Canada and earned the fraudsters between $500,000 and almost $1.2 million a day. Using already known botnets and the lists of websites found in ads.txt files, the operators created over 34,000 domain names and over a million URLs and passed the bot traffic off as human, mainly to sell fake video ad views. To advertisers it looked as if their ads were running on premium sites such as Forbes and The Economist, when in fact the sites were merely impersonating those domains.
HyphBot was discovered by Adform around September 2017.
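Both 3ve and HyphBot traded on the ads.txt standard, under which a publisher lists, at https://<domain>/ads.txt, the ad systems and seller account IDs authorized to sell its inventory. The Python below is an added example, not code from this page or from any of the companies named in it: it parses an ads.txt file and checks a simulated bid request against it. The domains, seller IDs, the ads.txt contents and the bid request fields are all constructed for illustration, and the dictionary lookup stands in for an HTTP fetch. It shows why a plain ads.txt lookup rejects a spoofed seller ID but not a spoof that reuses an account the real publisher has genuinely authorized.

```python
"""Validate a bid request's claimed publisher against that publisher's ads.txt.

Added example; the domains, seller IDs and bid requests are constructed.
ads.txt records (IAB Tech Lab spec) look like:
    <ad system domain>, <seller account ID>, <DIRECT|RESELLER>[, <cert authority ID>]
'#' starts a comment; lines of the form key=value are variables (contact=, subdomain=).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for fetching https://publisher.example/ads.txt over HTTP.
PUBLISHER_ADS_TXT = """\
# ads.txt for publisher.example (constructed sample)
contact=adops@publisher.example
exchange.example, pub-1001, DIRECT, abc123def456   # display inventory
exchange.example, pub-1001-video, DIRECT
reseller.example, r-500, RESELLER                   # account shared with other publishers
"""
ADS_TXT_BY_DOMAIN: Dict[str, str] = {"publisher.example": PUBLISHER_ADS_TXT}


@dataclass(frozen=True)
class AdsTxtEntry:
    ad_system: str
    seller_id: str
    relationship: str                 # "DIRECT" or "RESELLER"
    cert_authority: Optional[str] = None


def parse_ads_txt(text: str) -> Tuple[List[AdsTxtEntry], Dict[str, List[str]]]:
    """Parse ads.txt into authorized-seller records and key=value variables."""
    entries: List[AdsTxtEntry] = []
    variables: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if "," not in line and "=" in line:        # variable line, e.g. contact=...
            key, _, value = line.partition("=")
            variables.setdefault(key.strip().lower(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue                                # malformed record: skip it, as crawlers do
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        entries.append(AdsTxtEntry(fields[0].lower(), fields[1], fields[2].upper(), cert))
    return entries, variables


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a leading 'www.'; ads.txt lives on the root domain.
    Simplification: a full implementation also honours subdomain= variables."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def authorized_relationship(entries: List[AdsTxtEntry], ad_system: str,
                            seller_id: str) -> Optional[str]:
    """Return DIRECT/RESELLER if (ad_system, seller_id) is listed, else None."""
    ad_system = ad_system.lower()
    for e in entries:
        if e.ad_system == ad_system and e.seller_id == seller_id:
            return e.relationship
    return None


def check_bid_request(bid: Dict[str, str]) -> str:
    """Verdict for one bid request: {'page_domain', 'ad_system', 'seller_id'}."""
    domain = normalize_domain(bid["page_domain"])
    text = ADS_TXT_BY_DOMAIN.get(domain)            # stands in for an HTTP fetch
    if text is None:
        return f"unverifiable: no ads.txt published for {domain}"
    entries, _ = parse_ads_txt(text)
    rel = authorized_relationship(entries, bid["ad_system"], bid["seller_id"])
    if rel is None:
        return (f"unauthorized: {bid['ad_system']}/{bid['seller_id']} "
                f"is not listed in {domain}/ads.txt")
    return f"authorized ({rel})"


if __name__ == "__main__":
    cases = {
        "genuine inventory":
            {"page_domain": "www.publisher.example", "ad_system": "exchange.example", "seller_id": "pub-1001"},
        "spoofed domain, made-up seller ID":
            {"page_domain": "publisher.example", "ad_system": "exchange.example", "seller_id": "pub-9999"},
        "look-alike domain with no ads.txt":
            {"page_domain": "publlsher.example", "ad_system": "exchange.example", "seller_id": "pub-1001"},
        "spoof reusing an authorized RESELLER account":
            {"page_domain": "publisher.example", "ad_system": "reseller.example", "seller_id": "r-500"},
    }
    for label, bid in cases.items():
        print(f"{label:45} -> {check_bid_request(bid)}")
```

Only the second case is rejected outright. The last one passes: the fraudster sells spoofed "publisher.example" inventory through an ad system and seller account that the real publisher has genuinely listed, which is the gap the ads.txt-aware operations above exploited. Closing it takes more than an ads.txt lookup, for example cross-checking the seller against the supply path actually reported in the bid (sellers.json and the SupplyChain object) and behavioral analysis of the traffic itself.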
Pixalate, a fraud-protection, privacy and compliance analytics platform for Connected TV (CTV), mobile apps and websites, noticed invalid traffic coming from reputable sites in October 2014. The botnet it uncovered, which it named Xindi, infected computers and used them to generate fake impressions, and exploited a flaw in OpenRTB implementations (which Pixalate dubbed the "Amnesia Bug") to help the cybercriminals carry out advertising fraud.
This was achieved by combining many techniques, including malicious downloads, reuse of other known malware and phishing attacks. Xindi is estimated to have drawn between 6 and 8 million computers into its botnet, located in more than 5,000 organizations, including Fortune 500 companies, 1,500 universities, and more than 200 financial and government institutions.
Xindi was estimated to have cost advertisers at least $3 billion by the end of 2016, and the advertisers targeted include Home Depot, Uber, McDonald's, Honda, Verizon, Monster and Nissan. How Xindi managed to send traffic from the IP address ranges of these well-known organizations has yet to be established. According to Pixalate, the scam generated nearly 78 billion fake impressions.
Pixalate's name for the malware, "Xindi", comes from the Star Trek alien race that evolved into five subspecies and formed an alliance.
The cybersecurity provider Confiant uncovered an extremely elaborate ad fraud operation it calls Zirconium. In 2017, Zirconium was the largest source of malicious ads Confiant tracked. Its core technique was the forced redirect, in which script inside the ad creative navigates the visitor's browser away from the page they are reading, without any click, to a site of the fraudsters' choosing. That was only the beginning: its creators had much bigger plans. They set up a fake advertising agency called Beginads and even a fairly successful affiliate network, MyAdsBro. To support the scheme they also created fake LinkedIn and social media profiles, used to make contacts, build an image and promote advertisements.
Zirconium also built relationships with landing page owners (it bought traffic from them and resold it to affiliated platforms) and operated through as many as 28 fake advertising agencies of its own; because each of them bought only modest amounts of traffic, the fraud could stay hidden longer, generating about 1 billion ad impressions a year.