Russian Click Bots Swipe Millions from Top Video Advertisers

According to security researchers at the fraud-fighting firm, White Ops, cyber criminals in Russia have developed an army of automated web browsers, dubbed “Methbot”, that stole millions of dollars per day from the biggest advertisers on the web. The ring has been raking in $3 million to $5 million per day by the researchers’ estimates, a sum that is three times greater than the daily revenues generated by ZeroAccess, the next most profitable known advertising “botnet,” discovered in 2011.

Methbot consists of custom software running on servers in data centers in Dallas and Amsterdam. The operators took considerable measures to cloak this so-called bot farm. To fool fraud detectors and blacklists, the scammers acquired some 600,000 legitimate-seeming IP addresses. The hackers did so by compromising two out of the five of the world’s regional Internet registries, organizations across the globe that assign IP addresses.

The gang then registered these IP addresses to real Internet service providers, including Verizon , Comcast , and Spectrum, to make it seem as though they were regular Internet users. Next, they commanded their masked bots to generate 200 million to 300 million bogus impressions per day on premium video ads. While advertisers thought they were advertising on real websites, they were in fact buying counterfeit ad inventory on facsimile sites visited by bots. The researchers report that the scam affected more than 6,000 top publishers’ websites, including the Huffington Post, The Economist, ESPN, Vogue, CBS Sports, Fox News, even Fortune.

White Ops, which has taken steps to block the attack for its customers, decided to release information about the scam so that publishers, advertisers, ad networks, and others could determine whether they had been affected and to halt the operation. The company said it recommends blocking the IP addresses and URLs associated with the fraudsters (see the website for more details).

Geir Magnusson Jr., the former chief technology officer of AppNexus, one of the world’s biggest online ad exchanges, told Fortune Magazine in an email that “this is the most sophisticated [ad fraud scheme] I’ve seen. The techniques used are very smart, designed to elegantly fool anti-fraud systems.”

AVID Helps Protect You From Bot Traffic

One of the new features that AVID has released in the past couple of months can actually help to protect you from commonly used methods of click fraud. It takes a little bit more set up, but will alert you quickly if the sources you’re buying traffic from are sending you bot traffic. There are two targeting criteria you can use to set up an ad group that will act as a click fraud net. Here are the steps to set it up.

  1. Create a new ad group, call it “Click Fraud” or something similar to help you identify the traffic being directed to this ad group.
  2. Create a default ad in the “Click Fraud” ad group.
  3. Edit the “Click Fraud” ad group and add targeting for Target IP Type>>Data Center/Web Hosting/Transit
  4. Add a new profile to also target for Target IP Type>>Search Engine Spider
  5. Add a third profile to target for Proxy IP Address
  6. In your default ad group ad targeting for the inverse condition of the three conditions from the previous three steps. Make sure that they are all in the same profile.

You are now ready to monitor your AVID placements for bot traffic. Bots will appear as impressions and clicks in your “Click Fraud” ad group. You can also use the custom reports section in AVID to pull an IP click report that will give you the IP addresses of the clicks going to your “Click Fraud” ad group. You can add these IP addresses to your IP/Domain Blacklist in AVID.

To learn more, contact us directly at 1 (800) 720-7106 or contact