Cyber Security

Russian Gang Stealing Millions A Day With Fake Clicks, Say Researchers

Meet Methbot, the largest scam for online ad views ever seen

Cyber Security
Photo Illustration: R. A. Di Ieso
Dec 21, 2016 at 10:41 AM ET

Researchers have uncovered a massive, intricate scam they say defrauds the online advertising industry out of $3 million to $5 million a day.

The scam, by far the largest of its kind ever uncovered, exploits the complicated relationship between websites that create content for users, legitimate advertisers that pay to show ads to those sites’ visitors and the system of middlemen that connects the two.

It’s called “Methbot,” so named because the researchers who discovered it, from the online security company WhiteOps, found the word “meth” repeated in the code used to power the scam. Its creators are unknown, save that the company is confident the criminal gang behind it is based in Russia.

Methbot relies on a botnet, an army of hacked computers — or in this case, extremely detailed faked programs, which come from rented data centers — each of which is programmed to enact the will of their hacker on a grand scale. Its hundreds of thousands of faked “users” are programmed to be extremely sophisticated in mimicking real people, even using faked mouse movements and login with faked social media credentials to avoid automated detection.

Ad networks value certain targeted demographics more than others, and assume demographic information about a person based on information stored in their Internet browser cookies. Methbot’s “users” often mimic personalities deemed more valuable to advertisers so that they would pay more, the study said.

Methbot’s creators have built a sort of parallel Internet, recreating their own versions of  6,111 domains, most of which are content creating sites. They range from large news sites, like, to smaller ones, like Australia’s Warwick Daily News, but also include entertainment sites like Daily Puppy, World Star Hip Hop, and the Game of Thrones fan site Watchers on the Wall.

The scam then relies on how the online ad industry and the Interactive Advertising Bureau — the trade association that sets the norms for much of that industry — automate the process of counting how people view advertisements. Methbot’s fake pages often repost original videos from those content creating sites, and program them to follow IAB’s Video Ad Serving Template, which automatically connects a site’s owners with a middleman ad network, which in turn charges advertisers for views.

WhiteOps estimated Methbot fakes 200-300 million video views a day. The company has released a list of what it says are known Methbot IP addresses, which the researchers recommend all advertisers block immediately.

It’s unclear how Methbot’s creators laundered their apparent fortune from the operation. The company told the New York Times it had contacted both affected companies and U.S. law enforcement.