Researchers say that a Russian cyberforgery ring has created more than half a million fake internet users and 250,000 fake websites to trick advertisers into collectively paying as much as $5 million a day for video ads that are never watched.
SAN FRANCISCO — In a twist on the peddling of fake news to real people, researchers say that a Russian cyberforgery ring has created more than half a million fake internet users and 250,000 fake websites to trick advertisers into collectively paying as much as $5 million a day for video ads that are never watched.
The fraud, which began in September and is still going on, represents a new level of sophistication among criminals who seek to profit by using bots — computer programs that pretend to be people — to cheat advertisers.
“We think that nothing has approached this operation in terms of profitability,” said Michael Tiffany, a founder and the chief executive of White Ops, the ad-focused computer security firm that publicly disclosed the fraud in a report Tuesday. “Our adversaries are bringing whole new levels of innovation to ad fraud.”
The thieves impersonated more than 6,100 news and content publishers, stealing advertising revenue that marketers intended to run on those sites, White Ops said.
Most Read Nation & World Stories
- Norwegians spot Viking ship buried in the ground
- Key take-aways from special counsel Robert Mueller’s report
- Avenatti charged with trying to extort millions from Nike
- Witness describes death plunge of two Yosemite climbers
- Dutch art sleuth recovers Picasso stolen 20 years ago
The scheme exploited known flaws in digital advertising, including the lack of a consistent, reliable method for tracking ads and ensuring that they are shown to the promised audience.
The spoofed outlets include a who’s who of the web: video-laden sites like Fox News and CBS Sports, large news organizations like The New York Times and The Wall Street Journal, major content platforms like Facebook and Yahoo and niche sites like Allrecipes.com and AccuWeather. Although the main targets were in the United States, news organizations in other countries were also affected.
“It will be a big shock to all of these publishers that someone was selling inventory supposedly on their sites,” Tiffany said Monday, before the report’s release. White Ops and an advertising industry organization, the Trustworthy Accountability Group, held a conference call with about 170 advertisers, ad networks and content publishers Tuesday morning to brief them on their findings.
Tiffany said White Ops had traced the fraud to Russia and believed the organization behind it was a criminal enterprise out to make money. There was no evidence of a connection between the fraud and the politically motivated hacking during the United States election that U.S. intelligence agencies and President Obama have linked to the Russian government.
The Methbot scheme — named after the word “meth,” which shows up in its software code — was carefully designed to evade the anti-fraud mechanisms the advertising industry has put in place in recent years. Digital ad fraud was projected to cost marketers more than $7 billion in 2016, according to a study by the Association of National Advertisers and White Ops.
To carry out the operation:
1. The Methbot forgers first took numeric internet addresses they controlled and falsely registered them in the names of well-known internet service providers.
Among those were Comcast, AT&T and Cox, as well as fake companies like AmOL. This allowed the thieves to make it look as if the web traffic from Methbot’s servers in Dallas and Amsterdam were really coming from individual users of those internet providers.
2. The forgers then associated the addresses with 571,904 bots designed to mimic human web surfers.
Embedded in the bots’ web browsers were fake geographic locations, a fake history of other sites visited and fake logins to social networks like Facebook. “The bots would start and stop video just like people do and move the mouse and click,” Tiffany said.
3. The perpetrators connected the bots to the automated advertising networks that sell unsold ad space for thousands of websites.
A bot would pretend to visit a website like CNN.com, and the ad networks would conduct a microsecond bidding war against one another to show a brand’s video ad. But instead of going to the real CNN, the bot’s web browser would go to a fake site that nobody could see, and the ad would play there.
4. Finally, the system would report fake data to the ad networks and advertisers to convince them that humans had watched the ad on the real content site.
“It would send just the right kind of metrics back to look like real live audiences that were logged into Facebook and watching videos all day,” Tiffany said. The thieves then collected payment for the ads.
The report did not name the advertisers tricked by the fraud.
David Hahn, the executive vice president of strategy at Integral Ad Science, an advertising security firm that competes with White Ops, said the Methbot fraud affected just a tiny portion of the ad traffic of his own clients.
“There are new bots and new ways in which the bad guys are trying to figure out ways around our technology all the time,” he said.
White Ops said the thieves received high prices for the fake ad views, garnering an average price of $13 per 1,000 video views. Overall, the botnet delivered 200 million to 300 million fake ad views per day and brought in $3 million to $5 million in daily revenue, according to the company’s analysis.
White Ops released the full list of fake internet addresses and impersonated websites so that fraud-detection services and ad networks can block them. The company has also shared its findings with U.S. law enforcement authorities and is working with them to further investigate the fraud.
Tiffany said the use of bots to steal ad revenue is not new in the industry, but it “has never happened at this scale before.”
He continued, “It all adds up to the most profitable bot operation we’ve ever seen.”