nettime's failing bot net on Thu, 22 Dec 2016 14:24:24 +0100 (CET)


<nettime> Ad Fraud: $5M A Day By Faking 300M Video Views

[looks like the most promising digital business model in years.]

'Biggest Ad Fraud Ever': Hackers Make $5M A Day By Faking 300M Video Views

Thomas Fox-Brewster

A group of Russian criminals are making between $3 million and $5
million every day in a brazen attack on the advertising market, security
firm White Ops claimed today. It's the biggest digital ad fraud ever
uncovered, perpetrated by faking clicks on video ads, the company said.

The crew, which White Ops dubbed Ad Fraud Komanda or "AFK13", planned
their machinations in meticulous detail. First, they created more than
6,000 domains and 250,267 distinct URLs within those that appeared to
belong to real big-name publishers, from ESPN to Vogue. But all that
could be hosted on the page was a video ad.

With faked domain registrations, they were able to trick algorithms that
decided where the most profitable ads would go into buying their
fraudulent web space. Those algorithms typically make bids for ad space
most suitable for the advertisement's intended audience, with the
auction complete in milliseconds. But AFK13 were able to game the system
so their space was purchased over big-name brands.

AFK13 then invested heavily in a bot farm, taking up space in data
centers so they could fire faked traffic from more than 570,000 bots at
those ads, thereby driving revenue thanks to the pay-per-click system
they exploited. As part of what White Ops called the Methbot campaign,
those bots "watched" as many as 300 million video ads a day, with an
average payout of $13.04 per thousand faked views. And the fraudsters
had their bot army replicate the actions of real people, with faked
clicks, mouse movements and social network login information.

Some serious technical effort went into the illegal campaign too, as the
crew's hackers reverse engineered ad-quality verification processes and
determined how to pass off the impressions as legitimate, according to a
white paper released today by White Ops.

To make those bots appear more real, and thereby bypass normal
anti-fraud detection measures, the group obtained hundreds of thousands
of IP addresses and associated them with major U.S. internet providers
so it looked like they were based in American homes. Those IP addresses
were "fraudulently obtained" from at least two of the world’s five
regional Internet registries.

White Ops began tracking the activity back in September 2015, when it
saw unique bot traffic passing over a customer's network. It wasn't
until October 2016 that Methbot went into full swing, however.

It's unclear where the Russian link comes from. Eddie Schwartz, chief
operating officer at White Ops, told me the company found links between
the data centers and the "unique signals" used by the hackers. He
couldn't provide more details for fear of revealing too much about White
Ops' methods. Nevertheless, he claimed to have "direct attribution" for
those behind the crime.

"We have zero doubt this is a group based in Russia, it's a single
group. We've actually been working with federal law enforcement for
weeks now," Schwartz added.

Ad buyers losing big time

Those spending money on the automated systems are losing significant
sums, not just from Methbot but from other similar campaigns. Those
funds might never be retrieved, however. "That’s part of the challenge,"
Schwartz added, noting that where prosecutions have been possible in
Western nations, money has been recovered. "Historically... it’s been
challenging to get cooperation with Russia to prosecute cyber-related

White Ops said it had provided the information to law enforcement, which
was investigating. It didn't say which agency. Geir Magnusson, an ad
fraud expert and CTO at Sourcepoint Technologies, said it should be
possible to shut AFK13 out of the ad market.

"All actors in a bidding ecosystem are known and have contractual
business relationships - this isn’t a 'dark web' of anonymous buyers and
sellers," added Magnusson, who reviewed White Ops' findings prior to

"I think the key will be ensuring that information like what White Ops
has found gets broadly disseminated, and that the actors in the
ecosystem work closely to help each other 'follow the money' and enforce
the shunning of bad actors."

Worryingly, the fraud could be even bigger than reported today. "Because
White Ops is only able to analyze data directly observed by White Ops,
the total ongoing monetary losses within the greater advertising
ecosystem may be exponentially greater," the company wrote in its white
paper. "At this point the Methbot operation has become so embedded in
the layers of the advertising ecosystem, the only way to shut it down is
to make the details public to help affected parties take action."

With today's release, it's hoped the industry will collaborate to shut
Methbot down.

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info:
#  archive: contact:
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: