Security researchers White Ops have uncovered a digital advertising fraud operation that is stealing as much as $3–$5 million per day from U.S. brand advertisers and media companies. The fraud, which White Ops has dubbed “The Methbot Operation” after references to “meth” in the bot’s code, is believed to have stolen $180 million so far.

The Russia-based Methbot Operation has been targeting premium programmatic video inventory, generating as much as 200-300 million non-human impressions per day. These impressions appear for sale on programmatic advertising markets as premium ad spots on name-brand websites. White Ops says that 6,111 domains, drawn from the most popular sites on the web, have been victimized this way. Unlike typical ad fraud bots that rely on infected residential computers and standard embedded web browser engines, Methbot creates enormous scale by operating hundreds of servers from data centers in the U.S. and Amsterdam, and employs a custom-written web browser to reduce the likelihood of detection.

"Methbot elevates ad fraud to a whole new level of sophistication and scale," says Michael Tiffany, co-founder and CEO of White Ops. "The most expensive advertising on the internet is full-sized video ads, on name brand sites, shown to users who are logged into social media and who show signs of 'engagement.' The Russian operators behind Methbot targeted the most profitable ad categories and publishers. They built their infrastructure and tools, and compromised key pieces of architectural Internet systems to maximize their haul. Methbot is a game changer in ad fraud and further evidence that the issue of human verification is constantly evolving and innovating, not abating."

Tamer Hassan, co-founder and CTO of White Ops, adds, "The Methbot operators clearly have invested research and development time, money and operational know-how to create such a large-scale and effective ad fraud operation. Whether it's the acquisition of IP addresses and domain names, the deep understanding of real-time bidding in programmatic video, or the characteristics of buyers and sellers in the market, the Methbot operators have worked hard to seem legitimate at every level and to ensure unparalleled levels of control, ownership and resiliency/durability."

Methbot produces fraudulent web page visits and ad impressions by posing as more than 6,000 top websites. Using a network of proxies running on 571,904 unique IP addresses, it camouflages the traffic to seem legitimate by falsifying IP registrations to impersonate large ISPs including Verizon, Comcast, AT&T, Cox, CenturyLink, TWC and others. For comparison, Facebook currently operates with approximately 270,000 IPv4 addresses.

The operation also feeds false information to geolocation information providers, and spoofs the data collected by viewability measurement providers, including video time watched and engagement actions like mouse movements. The group is not using a shared cyberattack infrastructure or black market bots/compromised end devices. Their operation is based on custom software and generated completely out of data centers.