Exchange Wire: We Got Lucky with Methbot; Let’s Not Take it for Granted


December 2016 saw the outing of Methbot, a botnet controlled by a single group in Russia, operating out of data centres in the US and the Netherlands. According to White Ops, responsible for bringing Methbot’s work to light, it was generating USD$3-5m (£2-3.4m) in fraudulent revenue per day by targeting the premium video advertising ecosystem. Writing exclusively for ExchangeWire, Steve Sullivan, VP, Partner Success, Index Exchange, explains how the attention-grabbing headlines surrounding Methbot don’t do anything to address the real issue of these fraudulent activities.

Decisive action by the digital advertising industry prevented a potential loss of revenue to fraud after White Ops released information on Methbot at the end of last year. This fact was lost in the hyperbole of headlines that appeared to be selected more for their ability to generate clicks than to convey facts. The headline should have read, ‘Industry Dodges Multimillion-Dollar Fraud Bullet’ – because we did. However, the bitter truth of our vulnerability will remain as long as we continue supporting an opaque ecosystem.

This is reminiscent of 2013 when a botnet named ‘Chameleon’ made headlines. Chameleon is a traditional, residential IP-based botnet – probably the most common source of malicious invalid traffic (IVT) – consisting of the PCs of real humans. In contrast to Methbot, the reveal of Chameleon was synonymous with the discovery of a massive waste of ad expenditure – heretofore unnoticed by the industry. This was not the case with Methbot, because of some fundamental differences in their structure.

When you think of Chameleon versus Methbot, consider the qualities of water versus tempered glass. Water can be poked, prodded, and even dynamically increased or decreased in volume, all while retaining its essential form and function (Chameleon). Tempered glass is highly engineered and purpose-built to be clear, strong, and solid. However, any assault on its edge will result in a crack and end a few seconds later in a catastrophic loss of integrity. The sheet of tempered glass literally shatters into thousands of tiny pieces. The Chameleon botnet is a fluid, ever-changing mass of infected PCs belonging to real people. Any mass approach to shutting it down would also result in a material loss of real human impressions.

By contrast, the robotic component of the Methbot operation consisted almost exclusively of servers located in data centres. These are computers with no mouse, no keyboard, and no human sitting behind a monitor – 100% of the impressions coming from these systems are fraudulent. The architects of Methbot are impressive: they built a colossal ecosystem that would allow them to spoof domains and generate traffic at a scale previously unknown to the ad industry. But they built a sheet of tempered glass; White Ops nicked the edge.

In the months leading up to Black Friday and Cyber Monday, Methbot activity grew steadily and levelled off around 300 million (mostly video) impressions per day. White Ops released their findings through Trustworthy Accountability Group (TAG), fewer than 60 days after Methbot’s peak activity. Because publishers don’t typically get paid within 60 days of the sale of their media, everyone in the industry who downloaded the Methbot IP list should have been able to simply stop payment for the impressions from those IPs. In contrast to the normal botnet discovery announcement, we were able to prevent a potential multibillion-dollar loss. Furthermore, the swift and collective action of the industry resulted in the complete shutdown of Methbot as a viable operation. (Continued…)
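The stop-payment step described above can be sketched as a reconciliation of an impression log against a published list of data-centre IP ranges. This is an added example, not code from White Ops, TAG or the author; the ranges, log records, field layout and the `reconcile` helper are all constructed for illustration, and the 60-day payment window is taken from the article's description as an assumption.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample ranges (RFC 5737 documentation blocks) standing in for a
# published data-centre IP list; these are not real Methbot addresses.
LISTED_RANGES = ["198.51.100.0/24", "203.0.113.64/26"]

# Constructed impression log: (impression id, source IP, sale date, price in USD).
IMPRESSIONS = [
    ("imp-1", "198.51.100.17", date(2016, 11, 25), 0.013),
    ("imp-2", "192.0.2.44", date(2016, 11, 25), 0.011),     # not on the list
    ("imp-3", "203.0.113.70", date(2016, 10, 1), 0.014),    # listed, sold 80 days ago
    ("imp-4", "203.0.113.200", date(2016, 11, 28), 0.012),  # same /24, outside the /26
    ("imp-5", "not-an-ip", date(2016, 11, 28), 0.010),      # malformed log field
]

def reconcile(impressions, listed_ranges, as_of, payment_terms_days=60):
    """Split impressions from listed ranges into those still inside the
    (assumed) unpaid window and those past it, and total the amount to withhold."""
    networks = [ipaddress.ip_network(r) for r in listed_ranges]
    result = {"withhold": [], "past_terms": [], "unparsed": [], "withheld_usd": 0.0}
    for imp_id, ip_text, sold_on, price in impressions:
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            # Keep malformed entries visible for manual review instead of dropping them.
            result["unparsed"].append(imp_id)
            continue
        if not any(addr in net for net in networks):
            continue  # traffic from outside the listed ranges is left alone
        if as_of - sold_on < timedelta(days=payment_terms_days):
            result["withhold"].append(imp_id)
            result["withheld_usd"] += price
        else:
            # Sold before the window: payment may already have gone out.
            result["past_terms"].append(imp_id)
    result["withheld_usd"] = round(result["withheld_usd"], 6)
    return result

if __name__ == "__main__":
    print(reconcile(IMPRESSIONS, LISTED_RANGES, as_of=date(2016, 12, 20)))
```

Matching on exact ranges is workable here because, as the article notes, every impression from these data-centre servers is fraudulent; the same approach against a residential botnet would also discard real human impressions.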

Read More at Exchange Wire
