You are using an older browser version. Please use a supported version for the best MSN experience.

Russian Fraudsters Stole Up to $5 Million per Day With Fake Video-Ad Views, Security Firm Claims

Variety logo Variety 12/20/2016 Todd Spangler
© Provided by Variety

A sophisticated Russian-based cybercrime ring has spoofed online-video advertising on a massive scale, generating up to 300 million bogus video views daily and raking in upwards of $5 million per day from U.S. advertisers, according to a report from security firm White Ops.

Some 6,111 domain names were targeted by the ring, dubbed by White Ops as “The Methbot Operation” because of references to meth in the code used to perpetrate the fraud. Those include,,,,,,,,,,,,,, and, according to White Ops.

The “Methbot” crew targeted premium programmatic video-ad inventory, and made the impressions appear for sale on ad markets as premium ad spots on name-brand websites. The fraudsters operated hundreds of servers from data centers in the U.S. and Amsterdam, and used a custom-written web browser to reduce the likelihood of detection, according to White Ops. The Methbot operation also faked the data collected by viewability-measurement providers, including video time watched and engagement actions like mouse movements.

The report from White Ops, a privately held company based in New York City, has not been independently verified. White Ops has an interest in publicizing its findings, because it sells verification and optimization solutions to the advertising industry. But the company did provide a statement from Mike Zaneis, CEO of the Trustworthy Accountability Group (TAG), a digital-advertising industry consortium, to bolster its claims.

“This particular attack highlights the massive scale of the fraudsters and their growing sophistication,” Zaneis said in a prepared statement. “Given the most advanced feature of this operation — its forged IP space — we believe TAG’s information sharing platform will allow responsible industry actors to mitigate the threat quickly and effectively.”

On Tuesday, TAG organized a global conference call with more than 100 participants — including reps from brands, agencies, publishers, online platforms and other trade groups — to put a plan into action for defeating the Methbot fraud scheme, according to Alanna Gombert, senior VP of technology and ad operations for the IAB and GM of IAB Tech Lab.

“Any threat to the industry is an unpleasant discovery, but we came together very quickly as an industry to pull people together in a very short time frame,” said Gombert, who added that White Ops did “an amazing job” of thoroughly documenting the fraudulent activity.

Methbot has used a network of proxies running on 571,904 unique Internet Protocol addresses, which were falsified to appear as if they came from large ISPs including Comcast, Verizon, AT&T and Cox Communications, White Ops said. The company said it has notified law-enforcement agencies and is working with them to investigate the bot ring.

The ad rates the Russian criminals were able to illicitly charge ranged from $3.27 to $36.72 per thousand views, with an average cost per thousand (CPM) of $13.04, White Ops said. The company consulted with AD/FIN, a programmatic media analytics company, to compile estimates for cost of advertising on the Methbot URL list.

White Ops said that in September 2016, it detected a “mutation” in a previously low-volume bot signature — and on Oct. 5, the Methbot network began to “scale aggressively,” reaching as many as 137 million daily impressions by the end of that week. By mid-October, White Ops said, it was detecting 3 billion to 5 billion bid requests per day from Methbot across multiple ad platforms, and it spread to affect 32 of its advertising clients by the end of the month. The company did not identify the affected advertisers.

Asked whether White Ops should have sounded the alarm sooner — given that it says it discovered the increase in Methbot activity more than two months ago — IAB’s Gombert said she believed the company acted prudently to conduct due diligence in a timely manner. “You have to test your hypothesis,” she said.


More from Variety

image beaconimage beaconimage beacon