Methbot: I Am the Danger
In the last couple of decades, law enforcement and intelligence agencies have been quite successful in disrupting various terrorist and organized crime groups by going after their financing. That’s one of the key methods the U.S. government used in attacking al Qaeda after 9/11 and the FBI and DEA have employed the same strategy for years in narcotics investigations. Now we’re beginning to see the same strategy applied to anti-cybercrime operations.
This week, researchers at White Ops revealed the details of a massive, highly distributed, and highly successful ad fraud operation that has been using a custom-made infrastructure to generate as much as $5 million in stolen revenue per day. The network, known as Methbot, is not your typical botnet. Rather than using compromised home PCs, Methbot uses dedicated servers in data centers and an arsenal of hundreds of thousands of forged IP addresses around the world. Ingenious in design and execution, the network has the ability to impersonate premium media sites as well as visitors in order to fake views of video ads and steal ad revenue that should be going to the legitimate sites.
The scope and scale of the Methbot operation are staggering. Using nearly 600,000 forged IP addresses to impersonate real visitors, the network generates as many as 300 million fake views of video ads each day, the researchers said. The ads appear on domains that the Methbot operators spoof, enabling them to funnel the stolen ad revenue to themselves rather than to the media sites. The group has spoofed more than 6,000 URLs, including some belonging to ESPN, Vogue, and other high-profile media companies. This scheme allows the Methbot operators to pull in between $3 million and $5 million a day.
“To avoid detection, the group developed and cultivated an array of infrastructure dedicated to the Methbot ad fraud operation. Instead of the more traditional malware botnet structures, which involve attacks on existing IP addresses and piggybacking on residential computers, Methbot operators farm out their operations across a distributed network based on a custom browser engine running out of data centers on IP addresses acquired with forged registration data,” the White Ops report says.
“Using these forged IP registrations has allowed the Methbot operation to evade typical datacenter detection methodology. This marks an innovation that transcends beyond traditional botnets, allowing Methbot to scale beyond anything the industry has seen before and placing it in a new class of bot fraud.”
The Methbot operation is a relatively new one. It began ramping up at the beginning of October and has been running at high speed ever since. Even at the lower end of White Ops’ estimates, the group has likely pulled in more than $200 million in that time. That’s an insane amount of money. And it’s money that’s likely being used to fund many other kinds of cybercrime operations. Ad fraud has become one of the main avenues for cybercrime gangs to make money, and White Ops CEO Michael Tiffany told me in a podcast this week that revenue usually is then funneled directly back into other criminal enterprises.
And that’s one of the major reasons the company decided to expose the Methbot network. Because of the time and effort it took to develop and set up the network’s infrastructure, a takedown of Methbot likely will cripple the operation in a way that other botnet or cybercrime takedowns sometimes can’t. It will not be easy to replicate the Methbot network, Tiffany said, and shutting off that huge money faucet could have a major effect on other cybercrime operations. Exposing Methbot also will give researchers at other security firms the ability to go back and look at their own data and check whether they’ve seen a piece of the network’s operation at some point.
Ad fraud is a key piece of the cybercrime landscape, and the exposure of Methbot is an encouraging sign in the fight against it.