Cyber firm says Russian 'Methbot' scam is defrauding digital advertisers

White Ops: Scam from Russia

A cybersecurity firm says it has uncovered a massive online scam that employs an army of automated web browsers to siphon millions of dollars of advertising per day away from U.S. media companies and brand-name advertisers.

The firm, New York-based White Ops, has dubbed the operation "Methbot," because of references to meth buried in the computer code underlying the scam, and says it is the largest and most profitable fraud operation yet to strike digital advertising. The company says the scam, which it believes originated in Russia, is using a so-called bot net to fake views of as many as 300 million video ads per day and trick advertisers into paying for ads that were never seen by humans.

With Russian government hacking dominating headlines around the world, White Ops CEO Michael Tiffany said this scam is probably not being run by the Kremlin, despite its enormous size and sophistication.

Sample of a Methbot Generated URL for video advertisement.

"We really see no signs of state sponsorship, it looks to us like this is really a private criminal group," Tiffany said. "They're just bada---s."

Tiffany said someone with a deep understanding of the industry is likely behind the scam. "This shows an incredible, absolutely insider's mastery of digital advertising," he said. "It requires multiple skills."

To be sure, the White Ops report is an allegation from a single cybersecurity firm and cannot be independently verified by CNBC. Confirmation of the allegation will depend on other security firms, possibly the U.S. government, and the online advertising industry itself. If true, the allegation means that there is significant fraud at the heart of the global online video industry.

A "bot net" is a network of computers infected with malicious code that is controlled by hackers for a purpose that can be unknown to the actual owners of the computers. They are frequently used by online scammers to ramp up the scale of a cyberattack and hide the perpetrators.

The company said the scam works because of the fragmented nature of the online advertising marketplace, in which buyers and sellers of advertising no longer know each other, or even communicate with one another. "At this point the Methbot operation has become so embedded in the layers of the advertising ecosystem [that] the only way to shut it down is to make the details public to help affected parties take action," White Ops said in a paper released Tuesday. Tiffany told CNBC he is optimistic that the scam, which has been ongoing at high volume for several months, could be stopped by a coordinated ad industry effort. "I think we're going to respond and take away their ability to profit in record time," he said.

By farming out the operations across a wide network, Methbot has been able to avoid some typical detection methods, White Ops said, adding that the scam "marks an innovation that transcends beyond traditional bot nets allowing Methbot to scale beyond anything the industry has seen before and placing it in a new class of bot fraud."

Here's how it allegedly works:

The online advertising market depends on an automated auction system in order to match media companies with advertisers. Advertisers hire a vast array of ad buyers to purchase advertising time on websites across the internet. That process has been automated through software exchanges that match buyers and sellers of online video, with hundreds of transactions taking place in fractions of seconds. It's that process itself that is being attacked: The Methbot group offers fake advertising inventory into the system, and then generates phony views of the ads in an effort to collect money from the unwitting ad buyers.

According to White Ops, the Methbot scammers were able to generate fake records of a user's activity online, making the bots appear to be human, even down to the level of detail of phony cursor movements and bogus social media login information. White Ops also says the Methbot operators used dedicated servers to run proxies so it would not be clear that all of this traffic was coming from one entity. And they used falsified documents to gain access to 571,904 real IP addresses, the company said, making it appear that the fraudulent ad traffic came from real Internet providers.

What's more, the fraudsters were able to fool the advertising exchanges by offering data specifically designed to slip past known fraud detection efforts. White Ops said the Methbot operators used code designed both to defeat specific vendors' viewability measurement and to spoof industry-standard measurements.

White Ops calculated that the 200 million to 300 million fake impressions per day generated between $3 million and $5 million per day for whoever operated the scam. In an effort to combat the fraud, White Ops said that it will release known IP addresses affiliated with Methbot, so that advertisers and their agencies can block them. And the company says it will release a falsified domain name and full URL list to show where this phony activity has been taking place.

The company also said it has been in contact with federal law enforcement about the scam.

One industry group said it was scheduling a briefing for representatives of 100 companies on Tuesday, to provide them with the details in the White Ops report. "This is like our Super Bowl," said Mike Zaneis, CEO of the Trustworthy Accountability Group, a non-profit coalition that works to combat digital ad fraud. "Unfortunately, with an issue like this, these things crop up all the time, so you have multiple Super Bowls because there are constant threats."

Zaneis said the advertising industry inadvertently opened the opportunity for cyber criminals as it moved to a fractured, anonymous and instant online exchange system that did not prioritize verification efforts. "You should know where your ads are going and who you're doing business with," Zaneis said. "We need to fix this problem, because an industry can't stand on the basis of fraud."

UPDATED: This story was updated to include comment from the CEO of the Trustworthy Accountability Group.