Methbot - the new face of BOT farms
In September 2015, experts at White Ops, a company specializing in cybersecurity, began to monitor small amounts of automated traffic carrying a unique signature, operatively named "C3". As it turned out in 2016, the innovative BOT farm named Methbot was robbing advertisers of between $3 and $5 million a day, making it the most profitable known online fraud in the history of internet marketing.
How Methbot was discovered
It was September 2015 when a team of researchers from White Ops, during routine analysis, noticed a small amount of automated traffic on their clients' websites. What caught the experts' interest was that the BOTs used for this purpose left a unique signature. Traffic from these sources was monitored constantly from then on, and the signature visible in it was operatively referred to as "C3". The name Methbot, used today, comes from references to "meth" in its source code.
For almost a year, the source didn't show much activity and didn't significantly affect the online activities of customers using White Ops services. Everything changed on October 5, 2016, when much larger volumes of traffic with the "C3" signature began to appear. By the end of that week, the source was generating up to 137 million impressions per day. The activity of this innovative BOT farm spread very quickly - by the end of October White Ops had detected it at 32 of its clients.
How Methbot worked
Online fraud is usually fairly simple to detect - it is often based on malicious software that infects private devices and therefore operates from the same IP addresses as real users. A BOTnet assembled from many devices taken over in this way carries out its dishonest activity in the background of the activity of real Internet users. Because the IP addresses used by such fraudsters are permanent, they can be traced and blocked easily, and increasing the scale of the fraud requires infecting further equipment. The creators of Methbot, however, conducted thorough research and invested a lot of time and resources to build infrastructure that gave them the opportunity to operate on an almost unlimited scale.
The people behind Methbot used fake documents to buy or lease 852,992 real IP addresses (estimated to be worth more than $4 million), so that the traffic they generated appeared to come from legitimate Internet service providers.
The heart of Methbot was 800 to 1,200 real servers located in data centers in Dallas, Texas and Amsterdam, used as intermediary (proxy) servers to hide the true source of the operation, which was located in Russia. In addition, to avoid identification, the source with the "C3" signature changed its code every day, adjusting it and making the fraud more difficult to track down.
Who did Methbot impersonate, and how?
The scammers using Methbot were well aware that advertisers highly value both premium publishers and end users matching the target audience. The BOTs they used impersonated both top publishers (by creating fake websites that referred to well-functioning real ones) and the consumers whose activity they allegedly generated (by artificially playing video ads and ad displays and creating the illusion that this activity came from people).
The developers of Methbot chose a domain or URL from a list of top publishers and set up their own fake websites using variants of the known domain names. The artificial websites created this way contained only what was needed to serve the advertisement. The scammers then obtained video ads from affiliate networks, affiliate programs or the advertisers themselves, with their own publisher ID embedded so that they would be paid for the "generated" traffic. Of course, the partners had no idea that the huge number of clicks and impressions delivered by these fake domains was false. It is estimated that Methbot used 6,111 domains made to look like those of actual premium publishers, with a total of over 250,000 URLs.
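As an added illustration (not from the original article or from White Ops), the following Python sketch shows two defender-side checks that follow from the description above: flagging publisher domains in impression logs that are lookalikes of real premium publishers, and counting impressions per /24 block to surface traffic concentrated in a small number of leased address ranges. The publisher allowlist, the similarity threshold and the log lines are constructed sample data, not values from the article.

```python
"""Spot lookalike publisher domains and IP-block concentration in ad impression logs."""
from collections import Counter
from difflib import SequenceMatcher
import ipaddress

# Constructed allowlist of legitimate premium publisher domains (illustrative only).
KNOWN_PUBLISHERS = {"examplenews.com", "bigsportsdaily.com", "premium-video.net"}

# Constructed impression log: client IP, reported publisher domain, CPM in USD.
SAMPLE_LOG = """\
198.51.100.17 examplenews.com 12.50
198.51.100.18 examplenews-video.com 14.10
198.51.100.19 bigsportsdaily.co 36.00
203.0.113.5 premium-video.net 9.80
198.51.100.20 examp1enews.com 13.20
"""


def registrable(domain: str) -> str:
    """Crude registrable-name extraction: keep the last two labels (ignores multi-part TLDs)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str, known=KNOWN_PUBLISHERS, threshold=0.8):
    """Return the known publisher this domain imitates, or None if it is legitimate/unrelated.

    An exact registrable match is legitimate. A domain whose brand label is a near match
    (character similarity >= threshold, catching typo and TLD swaps) or that embeds a
    real brand label (e.g. brand-video.com) is reported as a lookalike.
    """
    dom = registrable(domain)
    if dom in known:
        return None
    label = dom.split(".")[0]
    for real in known:
        real_label = real.split(".")[0]
        similarity = SequenceMatcher(None, label, real_label).ratio()
        if similarity >= threshold or real_label in label:
            return real
    return None


def analyze(log: str):
    """Return (flagged lookalikes as (domain, imitated, cpm), impressions per /24 block)."""
    flagged, per_block = [], Counter()
    for line in log.splitlines():
        ip, domain, cpm = line.split()
        per_block[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        target = lookalike_of(domain)
        if target:
            flagged.append((domain, target, float(cpm)))
    return flagged, per_block
```

A real deployment would replace the two-label heuristic with a public-suffix list and compare per-block volumes against a residential baseline rather than raw counts.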
Impersonating known websites was only the beginning - the BOTs used by Methbot also pretended to be end users. Here too, very advanced technology was used to imitate human actions: the BOTs simulated mouse movements to make them look human, created fake logins to social networks and manipulated the geolocation of IP addresses. In addition, to make the consumers seemingly "playing" their ads look more attractive to advertisers, Methbot operators stuffed crafted cookies into the fake internet sessions using an open-source library.
Estimated financial losses
It was no accident that Methbot focused on video advertising - on premium sites it achieves some of the highest rates in online marketing. According to data provided by White Ops after consulting with the company AD/FIN, thanks to the cunning of its creators the innovative BOT farm also achieved very high CPM (Cost Per Mille) prices, i.e. fees per 1,000 ad views. Across the domains crafted by Methbot, CPM ranged from $3.27 to $36.72, with an average of $13.04. In October 2016, the fraudsters produced between 200 and 300 million page views per day, earning $3 to $5 million a day at the peak. This makes Methbot an absolute record holder in terms of losses inflicted on the online advertising industry.
It is estimated that Methbot's operators - named Ad Fraud Komanda (or AFK13) - caused losses to the online marketing industry of between $180 million and as much as $1 billion. However, this is certainly only a partial picture, because White Ops analyzed only the data shared directly with it by customers using its services. It is very likely that these numbers are significantly underestimated.