A sophisticated group of Russian cybercriminals has been siphoning millions of dollars per day in online advertising revenue from US media companies and the largest US brand-name advertisers for at least the past few months.

"This is the most profitable botnet advertising fraud operation discovered to date," said Tamer Hassan, CTO of White Ops, the company that discovered the network.

The nature of the fraud was simple but deadly for legitimate players: the botnet pretended to be major media publishing companies — the top 6,000 most popular websites including the Huffington Post, Economist, Fortune, ESPN, Vogue, CBS Sports and Fox News — selling ad slots to major brand names. 

To illustrate, an advertiser might think it was placing an ad on, say, the New York Times website. Instead the ad was placed on a fake New York Times site generated by the hackers, using tooling that tricked the ad marketplace into believing the bot farm's inventory came from the real New York Times.

Then the hackers pocketed the revenue the Times should have earned on its ad inventory.

The cost to legitimate advertisers was enormous. According to White Ops' calculations, it averaged about $3 million to $5 million a day. This far exceeds the financial damage done by other advertising botnets, such as ZeroAccess, which is thought to have collected as much as $900,000 per day, and the Chameleon botnet, which is believed to have siphoned off up to $200,000 per day.

High Profit, Low Risk

It makes sense that this group, which White Ops has dubbed AFK13 (Ad Fraud Komanda 13, komanda being the transliteration of a Russian word for "team" or "crew") decided to focus its technical expertise on advertising, Hassan adds.

"It is a category that is very high profit and very low risk," Hassan told CMSWire.

The online advertising market has been beset with fraudsters for years. Indeed, according to an estimate earlier this year from the Association of National Advertisers, advertisers are expected to lose $7.2 billion globally to bots this year.

Interestingly the study, which was conducted with White Ops, also concluded that fraud levels are relatively unchanged compared to the results of a similar study conducted a year ago. The difference is that while bot volumes have remained steady, it is digital spend that has increased, leading to the increase in estimated global losses to ad fraud.

"The level of criminal, non-human traffic literally robbing marketers' brand-building investments is a travesty," ANA CEO Bob Liodice said when the study was released.

White Ops' newest discovery about ad bot fraud, though, suggests another factor is now at play: the growing sophistication of the fraud itself, not just growth in digital spend, is driving the losses.

How It Began

In September 2015 White Ops noticed a small amount of automated web traffic with a unique bot signature. It was blocked, quarantined and monitored, but was otherwise rudimentary.

Nearly a year later, though, in October 2016, the activity suddenly morphed into a more advanced operation that White Ops began calling Methbot. It was scaling up rapidly and by the end of the month it had matured into a full-scale bot farm run using proxies with dedicated blackhat IP allocations.

What is unique about Methbot is that it is running out of US data centers, namely about 1,000 servers using about half a million IP addresses spread across two data centers. Hassan declined to say who owned the data centers.

"This is brand new territory for ad fraud," he says. "It is not a residential operation relying on individuals' infected computers. Those resources are fragile -- you never know when the infection will be discovered or when the computer will be plugged in."

White Ops began working with law enforcement to bring down the network and then went public with the information to shut down the operation completely. Given how deeply it had burrowed into the data centers' infrastructure, going public was the only way to make sure the botnet would be taken out, Hassan said.

Very Sophisticated Tech

The fraud included many moving parts of highly sophisticated technology, he said.

The half a million unique IP addresses, for example, were camouflaged to make the traffic look like it came from real consumers: their IP registration records were falsified so that the addresses appeared to belong to large ISPs, including Verizon, Comcast, AT&T, Cox, CenturyLink, TWC and others, rather than to data-center servers.
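A falsified registration record changes what WHOIS says about an address, but not which network actually routes it. As an added illustration, not White Ops' tooling and not something this page describes, the check below compares the organisation named in an address's registration record with the autonomous system that announces its prefix in BGP, and flags addresses that claim a consumer ISP while being routed from somewhere else. The ISP-to-ASN table is an assumed, illustrative mapping (verify against your own routing data), and the sample records use RFC 5737 documentation addresses constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IPRecord:
    """One address as seen by two independent sources (constructed sample data)."""
    ip: str
    whois_org: str   # registrant organisation from the IP registration record
    origin_asn: int  # AS that actually announces the covering prefix in BGP


# Assumed, illustrative mapping of consumer ISP names to the ASNs that
# announce their broadband address space. Replace with your own routing data.
KNOWN_ISP_ASNS = {
    "comcast": {7922},
    "verizon": {701},
    "at&t": {7018},
    "cox": {22773},
    "centurylink": {209},
    "time warner cable": {20001},
}


def claimed_isp(org: str):
    """Return the known ISP a registration record claims to belong to, or None."""
    org_l = org.lower()
    for name in KNOWN_ISP_ASNS:
        if name in org_l:
            return name
    return None


def registration_mismatch(rec: IPRecord):
    """Return the ISP name if the record claims that ISP but is routed by an
    AS that does not belong to it; None if consistent or no ISP is claimed."""
    isp = claimed_isp(rec.whois_org)
    if isp is None or rec.origin_asn in KNOWN_ISP_ASNS[isp]:
        return None
    return isp


def flag_impersonated_isps(records):
    """Group mismatched addresses by the ISP whose name they borrow."""
    flagged = {}
    for rec in records:
        isp = registration_mismatch(rec)
        if isp is not None:
            flagged.setdefault(isp, []).append(rec.ip)
    return flagged


def suspicious_origins(records):
    """Count mismatches per origin AS: the AS carrying most of the
    'ISP-registered' traffic is the hosting network actually running it."""
    return dict(Counter(rec.origin_asn for rec in records
                        if registration_mismatch(rec) is not None))


# Constructed sample records (RFC 5737 documentation ranges, private-use ASNs).
SAMPLE_RECORDS = [
    IPRecord("192.0.2.10", "Comcast Cable Communications, LLC", 7922),   # consistent
    IPRecord("192.0.2.11", "Comcast Cable Communications, LLC", 64512),  # claims Comcast, routed elsewhere
    IPRecord("198.51.100.5", "Verizon Online LLC", 65000),               # claims Verizon, routed elsewhere
    IPRecord("198.51.100.6", "Example Hosting Inc", 65000),              # no ISP claim, not flagged
    IPRecord("198.51.100.7", "Cox Communications Inc.", 65000),          # claims Cox, routed elsewhere
    IPRecord("203.0.113.9", "AT&T Internet Services", 7018),             # consistent
]

if __name__ == "__main__":
    print(flag_impersonated_isps(SAMPLE_RECORDS))
    print(suspicious_origins(SAMPLE_RECORDS))
```

In practice the registration side comes from an RDAP/WHOIS lookup and the routing side from a BGP feed or a route-views snapshot; the point of the check is that an attacker who controls the registration text does not also control who announces the prefix, so the two sources disagree exactly on the spoofed addresses.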

AFK13 was also feeding false location data to geolocation providers and spoofing the signals collected by viewability measurement providers, including video time watched and engagement actions such as mouse movements. Finally, it was forging the data analyzed by fraud detection providers, including faking social network logins.