
Hackers Make $5M a Day by Faking 300M Video Views - rbanffy
http://www.forbes.com/sites/thomasbrewster/2016/12/20/methbot-biggest-ad-fraud-busted/#280f3a6c4ca8
======
geocar
Normally a "real browser" can't run 100s of ad players at once, but
"methbrowser" is a node.js application with a C module that speaks Flash's
plugin protocol directly. It simulates a dom, runs JavaScript in a node VM,
but doesn't have to do any of the messy rendering that things like PhantomJS
have to.

It was discovered years ago because:

* Their IP stack was acting like Linux[1]

* Their flash player said "I'm Linux"

* Their user agent said other things (random user agents)

* Their DNS traffic was going UK, but the hosts were coming out of the US

[1]: [http://geocar.sdf1.org/browser-verification.html](http://geocar.sdf1.org/browser-verification.html)
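The four signals listed in the comment above amount to a cross-layer consistency check. The sketch below is an added example, not code from the thread or from any detection product; the field names (`tcpOsGuess`, `flashVersion`, `resolverCountry`, `clientCountry`) and the sample sessions are constructed, and the OS guess from the IP stack is assumed to come from a separate passive fingerprinting step.

```javascript
// Added example. Session fields and sample data are constructed for illustration.

// Coarse OS family claimed by the User-Agent header.
function osFromUserAgent(ua) {
  if (/Android/i.test(ua)) return "android"; // must precede the Linux test
  if (/Windows NT/i.test(ua)) return "windows";
  if (/Mac OS X|Macintosh/i.test(ua)) return "mac";
  if (/Linux|X11/i.test(ua)) return "linux";
  return "unknown";
}

// Flash reports its platform as the prefix of its version string, e.g. "LNX 11,2,202,635".
function osFromFlashVersion(version) {
  const prefix = String(version || "").trim().split(/\s+/)[0].toUpperCase();
  const map = { WIN: "windows", MAC: "mac", LNX: "linux", AND: "android" };
  return map[prefix] || "unknown";
}

// Returns a list of human-readable inconsistencies; an empty list means the layers agree.
function checkSession(s) {
  const claims = [
    ["userAgent", osFromUserAgent(s.userAgent || "")],
    ["flash", osFromFlashVersion(s.flashVersion)],
    ["tcpStack", s.tcpOsGuess || "unknown"], // assumed output of passive TCP/IP fingerprinting
  ].filter(([, os]) => os !== "unknown"); // a missing layer is not a contradiction

  const findings = [];
  for (let i = 0; i < claims.length; i++) {
    for (let j = i + 1; j < claims.length; j++) {
      if (claims[i][1] !== claims[j][1]) {
        findings.push(`${claims[i][0]}=${claims[i][1]} vs ${claims[j][0]}=${claims[j][1]}`);
      }
    }
  }
  // Resolver geography differing from client geography is weak on its own
  // (public resolvers exist), so it is reported as one finding among several.
  if (s.resolverCountry && s.clientCountry && s.resolverCountry !== s.clientCountry) {
    findings.push(`dns=${s.resolverCountry} vs ip=${s.clientCountry}`);
  }
  return findings;
}

// Constructed sample sessions.
const SAMPLE_SESSIONS = [
  { id: "a", userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) Example/1.0",
    flashVersion: "LNX 11,2,202,635", tcpOsGuess: "linux",
    resolverCountry: "GB", clientCountry: "US" },
  { id: "b", userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0",
    flashVersion: "WIN 24,0,0,186", tcpOsGuess: "windows",
    resolverCountry: "US", clientCountry: "US" },
  { id: "c", userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Example/1.0",
    flashVersion: undefined, tcpOsGuess: "mac",
    resolverCountry: "US", clientCountry: "US" },
];

function flaggedSessionIds(sessions) {
  return sessions.filter((s) => checkSession(s).length > 0).map((s) => s.id);
}
```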

~~~
nightbrawler
Here's an awesome technical writeup about MethBot:
[http://go.whiteops.com/rs/179-SQE-823/images/WO_Methbot_Oper...](http://go.whiteops.com/rs/179-SQE-823/images/WO_Methbot_Operation_WP.pdf)

~~~
yeezyseezy
The part that confused me is when they claim to have obtained MethBot source
code, but never mention how.

~~~
japaw
> The part that confused me is when they claim to have obtained MethBot source
> code, but never mention how.

On page 19 in The Methbot Operation report they state that _‘White Ops
detection technology was able to use a JavaScript language feature called
“reflection” to gather extensive, detailed information about its inner
workings.’_

I have personally never heard about JavaScript reflection before, but it
appears to be a debug method for one object to dump information or data about
another object.

Maybe the White Ops software loaded some JavaScript that was able to dump much
of its environment and send it back to White Ops?

~~~
untog
I don't know more than anyone else about this particular situation, but I can
imagine how JS reflection works. Something like:

    
    
    let test = function() { return "hello";}
    test.toString()

returns

    'function() { return "hello";}'
    

It's not too difficult to imagine that pairing that with some JS parsing would
allow you to slowly crawl your way around an app and gather the app structure.
Crazy, and fascinating idea.
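The crawl described in the comment above, written out from a detection script's point of view: walk an object graph and separate functions implemented by the host (`[native code]`) from functions implemented in script, which is what a DOM simulated in JavaScript exposes. This is an added example, not code from the thread or from White Ops; `scriptedWindow` is a constructed stand-in for such an environment.

```javascript
// Added example. "scriptedWindow" is constructed for illustration.
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// Use the original Function.prototype.toString so an overridden fn.toString is never trusted.
function describeFunction(fn) {
  const source = Function.prototype.toString.call(fn);
  const native = NATIVE_BODY.test(source);
  return { native, source: native ? null : source };
}

// Depth-limited walk over own properties. Descriptors are read instead of values,
// so accessors are inspected as functions rather than invoked.
function crawl(root, rootName, maxDepth = 4) {
  const seen = new Set();
  const report = [];
  function walk(value, path, depth) {
    const t = typeof value;
    if (value === null || (t !== "object" && t !== "function")) return;
    if (seen.has(value) || depth > maxDepth) return; // cycle and depth guard
    seen.add(value);
    if (t === "function") report.push({ path, ...describeFunction(value) });
    for (const key of Object.getOwnPropertyNames(value)) {
      let desc;
      try { desc = Object.getOwnPropertyDescriptor(value, key); } catch (e) { continue; }
      if (!desc) continue;
      walk(desc.value, `${path}.${key}`, depth + 1);
      walk(desc.get, `${path}.get ${key}`, depth + 1);
      walk(desc.set, `${path}.set ${key}`, depth + 1);
    }
  }
  walk(root, rootName, 0);
  return report;
}

// Paths of functions whose source is visible, i.e. implemented in script.
function scriptedFunctions(report) {
  return report.filter((r) => !r.native).map((r) => r.path);
}

// Constructed environment: a DOM-like object whose methods are plain JavaScript,
// next to one genuinely native function for contrast.
const scriptedWindow = {
  navigator: { userAgent: "Mozilla/5.0 (Windows NT 6.1) Example/1.0" },
  document: {
    createElement: function createElement(tag) {
      return { tagName: String(tag).toUpperCase() };
    },
    get cookie() { return ""; },
  },
  encode: encodeURIComponent,
};

const SAMPLE_REPORT = crawl(scriptedWindow, "window");
```

In a real browser `document.createElement` reports `[native code]`; a readable function body at that path is the kind of detail such a crawl surfaces.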

~~~
geocar
If WhiteOps did that, they didn't need to. A nodejs vm escape was sufficient
to get process.mainModule.require and from there, it's game over.

------
echelon
I've long wondered if the best ad blocker would be a client that simply
randomly clicks ads instead of blocking them. If you send fake clicks and
spoof looking like real activity, that will pressure both advertisers and the
websites that display ads. If _millions_ of people do this...

~~~
riprowan
The problem is that while this might work great on a large scale, it breaks
down at the individual level: why would _I_ want all that ad-clicking activity
associated with my account / cookie / IP?

~~~
supernumerary
The supposed value of the ad-clicking activity profile is that it pertains to
you, if a bot is making your ad-click decisions your profile gets scrambled,
ostensibly making you harder to target when ad-tech reaches new heights of
persuasiveness...

------
riprowan
So one way this fraud is committed is by consuming the content (youtube
videos, spotify plays, etc) and taking in the direct revenue streams.

The bigger picture is virality. Nobody wants to watch your video with 100
views. Same video with 10M views, now everyone has to watch it.

The music business has been doing this so much for so long that it's to the
point where I automatically distrust everything that's "popular" as having
been gamed.

~~~
techer
This is a decent place to find videos that haven't been gamed:
[https://www.reddit.com/r/DeepIntoYouTube/](https://www.reddit.com/r/DeepIntoYouTube/)

~~~
sangnoir
I'm not sure how big that subreddit is, but it sounds like the place I'd go to
get views - that is game my videos if I were unscrupulous.

------
kelvin0
I know some legitimate businesses depend on ads for revenue, but it really has
become ridiculous. As a 'normal' internet user, being bombarded and having
websites complaining about my ad blocker is starting to piss off quite a bit
of people.

When I need something, I buy it online most of the time (if possible).

I'm kinda happy someone is gaming that whole system against them, maybe it
will help transform the ad ecosystem into something that does not seem to be
obtrusive and annoying to most people.

Quite open to counter points if anyone accepts explaining them (instead of
simply down voting this comment)

~~~
jstandard
I'm not sure I can see how this would really help transform the ad ecosystem,
even on a sustained basis. The hackers did this to enrich themselves at the
expense of companies wanting to advertise a product. If the victimized
companies were selling low value or dubious products (a value judgement) like
magical diet pills, then it might bankrupt a few of them in the short-term.

Maybe those companies who lost money go back and try to sue the ad exchanges
because they didn't adequately detect the click fraud, so then it's the ad
companies who take the hit.

In the end, what actual change do you think would be enacted by companies who
wish to advertise their products being the victim of fraud?

~~~
kuschku
> In the end, what actual change do you think would be enacted by companies
> who wish to advertise their products being the victim of fraud?

They stop advertising through the web, and we can get rid of the ad-driven
startup bubble, and get rid of most ads on the web in general.

~~~
jstandard
I often see the argument that we should "get rid of most ads on the web in
general", but have yet to see a reasonable proposal for what replaces that in
a way that works for companies wanting to reach consumers with their products.

To play devil's advocate, it would be a huge loss to society if advertisements
were no longer viable due to constant fraud.

Information would flow a lot less freely because then content providers would
be forced to switch to directly charging for their content rather than giving
it to you for "free + ads" as they do currently. It wouldn't just be "low
value" content dropping off, "low value" is another individual value
judgement.

It would become much harder to connect products and services or become harder
to separate actual stories from long-form product placement.

I don't find much wrong with the concept of "advertising". I do take issue
with certain types of "bad" or malicious ads, but I'm also generally not
receptive to most advertising.

However, ads exist because they are effective at connecting users with
products.

~~~
kelvin0
I agree, Ads in theory do help connect people or businesses to services and
products they might need/want ...

But, it becomes a race to the bottom, and it is to be expected that every
business will want more eyeballs on its products and try to outdo their
competitors. The collateral damage of this advertisement frenzy is with people
who are bombarded and overstimulated by product placement and a relentless
marketing machine. Consumers become skeptical and dulled by the efforts and
advertising becomes the pain in the a__ it is now.

~~~
jstandard
It isn't just in theory but also in practice that ads connect people with
products. Actual transactions are happening from real people clicking ads and
companies are realizing real returns on marketing dollars spent.

"Getting rid of most online ads" doesn't remove a business' need to connect
with consumers in the most effective, lowest cost way possible. It also
doesn't change a news agency's need to get paid for the content it creates.

I'm not disputing that digital advertising can get out of hand. Malicious ads
are bad. Ads with dark UX patterns are bad. We likely have different
definitions of "bad ads".

However, if it's the number of ads you're concerned about, you generally have
a choice to pay to remove them to continue consuming the content you're
interested in or product which you are using.

I still don't see how your original comment about criminals defrauding
businesses out of their money and inflating the cost/risk of advertising
somehow puts everyone in a better place.

~~~
kuschku
What actual purpose do ads fulfill?

Do they help you in making any decision in what to buy? No, they just mislead
you, because you don't end up buying the best product, but the one that spent
the most marketing dollars, meaning the product where the price is inflated
the most (as, if they didn't pay for marketing, you could have gotten it
cheaper).

Instead, you should make your decisions on what to buy based on independent
product tests.

Such as the tests from Stiftung Warentest — subscribing to their tests is the
best decision you could do, as they constantly test all types of products in
comparison tests, you get the results in a nice readable matrix per category,
and can directly see which is the best product for your use case. (Same with
similar tests in other newspapers, comparing a hundred different types of
headphones, or child seats for the car, or banana juices, etc).

Advertising is harmful because it means the market is not a well-working free
market anymore, as the buyers don't buy the best product anymore, but the one
with the highest marketing budget.

~~~
jstandard
Here's a quick definition of the actual purpose of advertising:
[https://www.entrepreneur.com/encyclopedia/advertising](https://www.entrepreneur.com/encyclopedia/advertising)

Based on the way you describe business and what you think is objectively the
best way to purchase products, my hunch is that you have little experience
working in a company or making products you need to sell to others.

I mean this in a most genuine way: if you have any aspiration of managing a
company or even building your own, it will greatly help you to learn more
about why marketing and advertising are important to business. You simply
won't succeed without them.

------
downandout
They actually got some of this article wrong. These guys didn't create 6,000
domains. They spoofed 6,000 different premium domains in the referer that they
sent to the ad networks. A list of the fake referrers they had their bot send
is here [1] and the domains are here [2]. They didn't own these domains; they
simply told their bot to use one of the 250K or so URLs on one of these 6K
premium domains (including domains like nbc.com, nytimes.com, etc) as the
referrer, which is set by the browser.

The more concerning part is that it didn't raise any red flags on the ad
exchanges that some random corporation was getting paid to display ads on
nbc.com and nytimes.com etc. That part makes no sense to me. They also managed
to purchase blocks of IPv4 addresses in the names of major residential ISPs
such as Comcast. That part had to be an inside job.

[1] [http://methbot.s3-website-us-east-1.amazonaws.com/URLs.txt](http://methbot.s3-website-us-east-1.amazonaws.com/URLs.txt)

[2] [http://methbot.s3-website-us-east-1.amazonaws.com/domains.tx...](http://methbot.s3-website-us-east-1.amazonaws.com/domains.txt)

------
angusb
Can anyone explain why it's the ad buyers that lose out in this case, not the
ad network? Surely it makes way more sense for the ad networks to bear the
financial responsibility of preventing ad fraud and not the ad buyer? (The ad
equivalent of a money-back-guarantee)

How is an ad buyer ever supposed to make an informed decision about how
susceptible their chosen ad vendor is to fraud?

~~~
rcarrigan87
At this point, advertisers just assume some level of fraud is part of the deal
with any platform.

As long as you're hitting your target ROI then advertising on it still makes
sense.

~~~
mtanski
The world can be divided up into two types of advertising. DR (Direct
Response) or Branding/Awareness.

The goal of DR is to drive an immediate action, for ex. a purchase or newsletter
signup. Branding/Awareness is more about keeping the brand/product top of mind
for the eventual time when the purchasing is actually done.

Usually small and mid-sized advertisers focus on DR. That's why you see a lot
of re-targeting type ads for buying products you abandoned in your shopping
cart (exception: large ecommerce).

Then you have large advertisers like the Fortune 500 and beyond. They know
that you're not making the purchase right there. Hardly any toothpaste, car,
$25k server ads or retirement account ads lead to a conversion
instantaneously. This is Branding/Product advertising. The hope is to keep
their product top-of-mind so you'll consider it when you're driving by the
dealership or in the toothpaste aisle at Target. This is like your traditional
newspaper advertising. Traditional KPIs like CPA used in DR ads don't make
sense here. And, due to fraud CPC and CTR are not that useful.

A lot of brand/product advertisements don't have a good instantaneous KPI and
measuring long term ROI for a year long $25k server campaign is nebulous art
at best.

So to wrap up this story. The guys running this fraud operation were spoofing
"premium" video sites with $13.00+ average CPMs (this is high); they were
going for the most expensive inventory. The people buying ads on "premium"
video sites are not DR advertisers. The goal was to capture Branding/Product
advertisers' dollars.

It's a bit of a misconception that all online advertising is ROI focused. This
was true maybe 4 years ago. With younger audiences (40 and under) consuming
more video content online versus linear television there's been an influx of
branding dollars coming to "premium" online video.

(Disclosure: My company Adfin provided data for financial estimate for this
anti-fraud operation done by WhiteOps)

~~~
anamoulous
The frustrating thing about this is how obvious it should be that the
publisher account getting paid for the impression is _not_ the premium
publisher that it said it was. If your account with, say, AppNexus is
registered to "Mikhail Gorsky's Ad Fraud Ring" and it's registering video
plays on espn.com/video at a $30 CPM, there are some very very basic
heuristics that AppNexus could run to determine there is something off about
this arrangement.

~~~
mtanski
That's my personal position.

The vendors that are letting the supply in (SSPs and exchanges) should do more
to verify the supply. This could be verifying their supply id with provided
domain (would get rid of a lot of crappy arbitrage). Additional verification
on new suppliers who are generating more traffic. And longer net payment terms
for new suppliers to allow for clawing some of it back.

The problem is that many vendors are unwilling to do that. In many cases
because they still make money on fraudulent traffic / arbitrage that goes
through their platform. Or because they tend to be more accepting of bad data,
because adtech is so duct-taped together. People set up their tags/campaigns
incorrectly, adservers re-wrap urls, other incorrect rewrapping
(fraud/viewability/attribution), bad javascript, bad publisher sites and
hostile browser environments. So they default to be more accepting to not lose
on that revenue.

------
syphilis2
I'm having trouble finding information about what laws cover "click fraud" or
"ad fraud". The article mentioned that this was illegal behavior, but never
provided any more detail. The closest I've gotten is US Title 18 - 1030,
though I'm not sure if the article is even talking about US law. I did stumble
across an article from 2014 arguing in favor of making click fraud a federal
crime, which cited this advertisement:

[http://www.legalmatch.com/law-library/article/click-fraud.ht...](http://www.legalmatch.com/law-library/article/click-fraud.html)

~~~
magikbum
It could simply imply it's "illegal" due to the contract those publishers sign
with the SSPs and Exchanges that clear their inventory. i.e. "; iv) create
"forced visit" traffic; v) create invisible or nested IFrames loading pages or
ads; vi) intentionally falsify clicks: vii) modify or obscure display of ads;
viii) fraudulently generate requests or clicks; or ix) use any means of
artificially generating ad impressions or clicks, including third-party
services such as paid-to-click, paid-to-surf, auto-surf, and click-exchange
programs."

------
Animats
Better coverage from Krebs at [1]. But not much more hard info.

Maybe this will make the video ad industry unprofitable. One can only hope.

[1] [https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-...](https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-methbot/)

------
baybal2
>196.62.32.0/20

They are not in true ad fraud. Those guys are not in PPV, but in counter
stuffing and "viralizing". They are former ebanners/ advmaker and
cyberonix/telemaster ad fraud detection people.

Their ops model is this: they sell promo service for content producers; after
upfront cost producers pay commission from monetisation revenue.

------
lsv1
The article doesn't explain how they made money, you need a relationship with
SSPs and Exchanges to make requests and monetize the impression, even if
you're just sending firing tracking pixels for creative view or complete, etc.

So how did these people make money? Are they for hire? Did they offer services
to spoof the publisher domain and make revenue out of thin air, taking a cut
from the pub?

~~~
ctrl_freak
I'm wondering this too. I used to work at a DSP and we had to deal with a lot
of clickfraud. Typically it took the form of: a shady publisher which has
somewhat legitimate content and has a relationship with one or more SSPs. Then
the publisher goes to "traffic growth" sites like cpmbux.com, and purchases
fake traffic. Those fake traffic sites own botnets which they leverage to
generate the fake impressions on those publisher's websites. Because there's
this separation between the two parties, even if the publisher gets shut down
by the SSP for engaging in clickfraud (there's still plausible deniability),
the fake traffic site can continue marketing themselves to other not so
by-the-book publishers.

I'm not sure if it's a similar arrangement here. The linked report makes it
sound like they own the publisher sites too, but it's hard for me to fathom
how they could maintain "legitimate" relationships with SSPs when they're
funnelling out millions of dollars per day. It goes without saying that it's
much harder to fake your way through the financial system.

------
jondubois
I wouldn't be surprised if someone told me that 95% of all ad clicks are fake.

I think I only clicked on an ad once in the past 10 years; it was because my
mouse was about to fall off the edge of the table and, in my moment of panic,
I accidentally pressed the left button.

Thankfully, my other hand saved the day with a swift 'Ctrl + W' movement.

------
jlebrech
coming from forbes who are playing 2 videos at once and you don't know which
ad you're watching or on which tab it comes from.

~~~
notoriousOIT
Yeah....

The 300x250 un-muted video in the upper left really irks me big time.

Garbage publishers are garbage.

------
phkahler
>> those bots "watched" as many as 300 million video ads a day, with an
>> average of $13.04 per faked view.

Who on earth pays that kind of price to have someone watch their ad video?
Serious question.

~~~
niklaslogren
The article has since been updated, now it mentions $13.04 per 1000 views:

>> those bots "watched" as many as 300 million video ads a day, with an
>> average payout of $13.04 per thousand faked views.

~~~
77pt77
> $13.04 per thousand faked views

I thought the usual payout was an order of magnitude lower than that.

Something like 1$ per thousand views

~~~
elcct
Probably $13.04 is what network takes for 1k views... publishers get scraps

~~~
77pt77
I seriously doubt the order of magnitude is right.

I'd really like someone with monetized videos to give some real input on this.

~~~
shawabawa3
I used to work on an online video platform where we were selling some
30-second unskippable video ads for £20CPM, so order of magnitude seems right
to me

------
intrasight
I'm not involved in ad tech, but am curious - isn't the easy solution for the
advertiser to only show ads on sites that they pre-approve?

~~~
notoriousOIT
They do whitelist. MethBot was faking URLs though so it's hard for platforms
to detect that in milliseconds. This goes to the IP level at this point with
that list posted online.

Our company is already getting asked to provide full reports by IP address to
see how far this goes.

~~~
gondo
isn't the whitelist bound to the user? i mean if i register account as a
publisher on some ad exchange, i should be asked for domains where i will be
showing my ads. in that case i can not simply report that my username is
generating traffic from cnn.com f.e. as this domain is not associated with my
account. or this is not how it works?
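The exchange-side check raised here and in the earlier comments about verifying a supply id against the declared domain can be sketched as follows. This is an added example, not code from the thread or from any ad exchange; the seller registry, the impression record fields (`sellerId`, `declaredUrl`, `cpmUsd`) and all sample values are constructed.

```javascript
// Added example. Registry, field names and sample impressions are constructed.
const SELLERS = {
  "seller-1001": { name: "Example Sports Media", domains: ["sports.example"] },
  "seller-2002": { name: "Unrelated Holdings", domains: ["smallblog.example"] },
};

// The declared page URL is client-supplied, so it is parsed defensively.
function declaredHost(pageUrl) {
  try {
    return new URL(pageUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return null;
  }
}

// Exact match or true subdomain only. A substring test would wrongly accept
// "smallblog.example.sports.example" for a seller registered to "smallblog.example".
function hostMatches(host, registered) {
  const reg = registered.toLowerCase();
  return host === reg || host.endsWith("." + reg);
}

// Returns one summary row per seller that claimed inventory it is not registered for.
function auditImpressions(impressions, sellers) {
  const rows = new Map();
  for (const imp of impressions) {
    const seller = sellers[imp.sellerId];
    const host = declaredHost(imp.declaredUrl);
    const ok = seller && host && seller.domains.some((d) => hostMatches(host, d));
    if (ok) continue;
    if (!rows.has(imp.sellerId)) {
      rows.set(imp.sellerId, {
        sellerId: imp.sellerId,
        name: seller ? seller.name : "(unknown seller)",
        flagged: 0,
        cpmSum: 0,
        hosts: [],
      });
    }
    const row = rows.get(imp.sellerId);
    row.flagged += 1;
    row.cpmSum += imp.cpmUsd;
    const label = host || "(unparseable URL)";
    if (!row.hosts.includes(label)) row.hosts.push(label);
  }
  // CPM is a price per thousand impressions, so spend = sum of CPMs / 1000.
  return [...rows.values()].map(({ cpmSum, ...r }) => ({ ...r, spendUsd: cpmSum / 1000 }));
}

// Constructed sample impressions.
const SAMPLE_IMPRESSIONS = [
  { sellerId: "seller-1001", declaredUrl: "https://video.sports.example/watch/1", cpmUsd: 30 },
  { sellerId: "seller-2002", declaredUrl: "https://smallblog.example/post/7", cpmUsd: 2 },
  { sellerId: "seller-2002", declaredUrl: "https://www.sports.example/video/2", cpmUsd: 30 },
  { sellerId: "seller-2002", declaredUrl: "https://smallblog.example.sports.example/", cpmUsd: 30 },
  { sellerId: "seller-2002", declaredUrl: "not a url", cpmUsd: 30 },
];

const SAMPLE_AUDIT = auditImpressions(SAMPLE_IMPRESSIONS, SELLERS);
```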

------
woogiewonka
Every major ad publisher knows or should know that a large portion of their ad
clicks are fraud. I knew this when getting into affiliate networks, it's just
cost of being in this business. The actual problem has been around since web
advertising's early days it's just that this particular case has been
discovered.

------
tluyben2
Is that the biggest? From 'the past' I believe (but no proof) that the fraud
on normal display ads was/is much higher. Bot generated ad clicks, bot
generated content to drive up ad prices etc should be much higher than $5m
even by individual hacker groups? Maybe video ad clicks are easier to fake but
worth less?

~~~
acveilleux
If you take the low estimate of 3m$ a day, this is $1B a year. The often
quoted figure I've seen for the size of the ad fraud "market" is $7B. That's a
big chunk of a "market" that is mostly cottage industry. And as a bonus, they
target the highly profitable end of the spectrum.

------
dfar1
This kind of news makes me smile. Not because I agree with the wrongdoing, but
because nobody likes annoying ads... especially when a big news/network site
decides to show the most "clickbaity" fake ads instead of anything relevant to
me.

------
conductr
There is some talk of prosecution of these hackers. Does anyone else disagree
with that??

Personally, I feel that a publisher of technology is responsible for ensuring
there are no "holes". If someone finds a hole and pokes around and uses it for
any reason, it should not be criminal.

If I found a way to methodically purchase all the pieces to win McDonald's
monopoly game, would that be criminal fraud? Or would it be negligence by
McDonald's? My view is the latter.

~~~
24gttghh
By that logic, one could argue shoplifting is permissible if the store doesn't
have video cameras on every inch of the establishment.

~~~
conductr
I see your point. And I know I am basically arguing against active laws.
However, I feel it should work different here. You're building a tool that
basically says 1) send clicks 2) get paid. That's your tool, nobody made you
build it, if you wanted to be safe - find your own clicks. In my view, it's
your responsibility to ensure any clicks you pay for are valid. If they are
invalid, it amounts to your partner broke the service TOS/AUP. In which case,
I see a case for civil damages sure but not criminal.

To counter with another analogy. Robbing a casino, criminal. Counting cards,
severely frowned upon but not criminally illegal. When you create a system
that users can game to their advantage, you are responsible for enforcing your
rules - it doesn't (or shouldn't) make it a crime when your rules are broken.

------
cylinder
The first line of the article calls them criminals.

Have they been convicted of any crime?

Is what they are doing illegal in Russia?

I hope these guys also sue this publisher for some extra income.

------
opaqe
I thought this was about videos on YouTube. Maybe this isn't new but my
suggestion box gets flooded by videos that are segments of longer content
(Louis ck shows/appearances, Zizek lectures). Maybe this is hand-curated stuff
by a bunch of independent channels but I'd be curious if this is done
algorithmically. At least the video segmentation part.

~~~
gtk40
There used to be 10 minute restrictions on video length.

------
relieferator
And they say crime doesn't pay

------
vdnkh
The technique to fetch the ads here is called "header bidding":
[http://digiday.com/publishers/wtf-header-bidding/](http://digiday.com/publishers/wtf-header-bidding/)

------
rch
I wonder what happens to overall ad revenue if anyone really figures out how
to stop fraud.

------
narrator
The problem with ads is that they rely on the trusted client security model.

------
silverbax88
> bots "watched" as many as 300 million video ads a day, with an average of
> $13.04 per faked view

How were they getting $13.04 per _view_?

~~~
puddintane
Article was corrected an hour or two ago.

"The article has since been updated, now it mentions $13.04 per 1000 views:"
(niklaslogren) [1]

[1]
[https://news.ycombinator.com/item?id=13220315](https://news.ycombinator.com/item?id=13220315)

------
danielw68
So have they been caught? Or are they still raking in the millions?

