
Massive ad fraud campaign Methbot profits exceed $3 million per day

News roundup: A report finds the ad fraud campaign Methbot makes more than $3 million daily; plus, new Linux malware targets SSH, the latest on the Shadow Brokers and more.

A massive cybercrime operation has been making millions of dollars a day by generating enormous volumes of phony video ad impressions, according to a new report.

Researchers at cybersecurity vendor White Ops Inc. uncovered a bot farm, dubbed Methbot, that makes between $3 million and $5 million per day by conducting ad fraud by impersonating legitimate websites, running on custom browsers, and faking click rates and social media logins. Methbot -- so called because of the reference to "meth" in its code -- primarily focuses on video ads that are worth three cents per view, and "watches" about 300 million of them per day, targeting and spoofing more than 6,000 domains.

"Because White Ops is only able to analyze data directly observed by White Ops, the total ongoing monetary losses within the greater advertising ecosystem may be larger," the report states. This makes Methbot significantly larger and more profitable than other ad fraud campaigns, such as ZeroAccess, which makes approximately $900,000 per day, and Chameleon, which makes approximately $200,000 per day.

Methbot runs out of around 1,000 dedicated servers that operate from data centers in the U.S. and the Netherlands. White Ops researchers discovered Methbot by tracking a previously known bot signature called "C3," and they noticed that C3 had mutated into Methbot before the end of October 2016. Methbot continues to produce massive amounts of ad fraud, and it adapts to avoid detection by vendors, according to White Ops.

Ad fraud campaigns run from data centers are typically easy to detect, which is why such campaigns usually rely on continually infecting new home computers instead. But the group behind Methbot found ways around the usual challenges.

"Methbot operators invested significant time, research, development, and resources to build infrastructure designed to remove these limitations and provide them with unlimited scale," according to the White Ops report. "They used dedicated servers to run proxies in order to hide the single origin source of their operation. Using falsified documents, the perpetrators were able to obtain or lease 571,904 real IP addresses, putting them to work generating fraudulent ad calls that appeared to come from legitimate residential Internet providers such as Verizon, Comcast, Spectrum, and others. The value of these IP addresses alone is over $4 million today, according to figures posted by IPv4 Market Group."

The White Ops report highlights the need for more transparency between publishers and their advertisers to help prevent Methbot and other ad fraud campaigns from having such a drastic effect.

"A combination of human best practices and technological vigilance by verification companies can help the industry close ranks against these threats and increase certainty through transparency for everyone across the advertising spectrum."

In other news:

  • A new malware called Linux/Rakos is targeting Linux servers and devices with attempts to brute-force SSH logins, similar to the Linux/Moose attacks. Once Linux/Rakos compromises the servers and devices, it is able to add them to a botnet and potentially use them for other malicious activities. This malware starts by scanning the web for exposed SSH services from a limited number of IP addresses, and then spreads to more targets. Linux/Rakos targets embedded devices and servers with open SSH ports and weak passwords. Once enough devices and servers are infected and the botnet is assembled, the attackers can use it for distributed denial-of-service attacks or spam. Security researchers suggest enterprises reboot the affected systems, reconnect to the device using SSH/Telnet and run certain processes, since the malware isn't able to withstand a reboot, but the system would still be susceptible to repeated compromise.
  • The health data and personal information of more than 750,000 people may have been compromised after a May 2016 phishing attack on the Los Angeles County government. The attack targeted 1,000 county employees, and 108 were tricked into providing usernames and passwords to their accounts. While 10% is a relatively low rate of phishing victims, the impact was still significant, highlighting the severity of the threat posed by phishing attacks. The compromised data is thought to include names, birthdates, Social Security numbers, license numbers, bank account information and medical information of residents who had contacted or used the county's public services. There are no reports of the information being sold or released, but the L.A. County district attorney's office traced the attack to Nigeria and issued an arrest warrant on Dec. 22. The alleged attacker, Austin Kelvin Onaghinor, was charged with nine felony counts, including unauthorized computer access and identity theft.
  • Proposed changes to an Australian law could put cybersecurity researchers in legal hot water for reporting on cyberattacks and data breaches. These proposed changes to The Privacy Act of 1998 were put forward by the attorney general's office and aim to introduce provisions that "prohibit conduct related to the intentional re-identification of de-identified personal information published or released by, or on behalf of, Commonwealth agencies in a generally available publication, and intention disclosure of re-identified information." As a result, a security researcher who discloses information that had been previously "de-identified" could face up to two years in prison. If the changes pass and become law, defendants will have to prove their innocence, rather than the prosecutor having to prove their guilt beyond a reasonable doubt.
  • A new report from Flashpoint suggests that the hacker group The Shadow Brokers did not hack the NSA, but instead received the cyberweapons data dump "from a rogue insider." The Shadow Brokers recently put the NSA data up for sale on a ZeroNet site, allowing Flashpoint to assess the data. "Based on Flashpoint's analysis of the recent data release," states the report, "Flashpoint assesses with medium confidence that the stolen information was likely obtained from a rogue insider. Flashpoint is uncertain of how these documents were exfiltrated, but they appear to have been copied from an internal system or code repository and not directly accessed through external remote access or discovered on any external staging server." The report also indicates that the stolen documents The Shadow Brokers received were from July 2013, though they were not put up for sale until 2016.
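The Linux/Rakos item above describes a botnet that grows by brute-forcing SSH passwords from a small set of source addresses. The following is an added example, not code from the article or from any of the vendors it cites, of the detection logic a defender would run over sshd authentication logs to spot that pattern: it counts failed logins per source IP inside a sliding time window and notes whether a successful login followed the burst, which is the case that most needs a response. The log lines are constructed samples, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the article).
SAMPLE_LOG = """\
Dec 22 10:01:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Dec 22 10:01:04 host sshd[2103]: Failed password for admin from 198.51.100.7 port 41023 ssh2
Dec 22 10:01:05 host sshd[2105]: Failed password for invalid user pi from 198.51.100.7 port 41024 ssh2
Dec 22 10:01:07 host sshd[2107]: Failed password for root from 198.51.100.7 port 41025 ssh2
Dec 22 10:01:09 host sshd[2109]: Failed password for ubnt from 198.51.100.7 port 41026 ssh2
Dec 22 10:01:11 host sshd[2111]: Accepted password for root from 198.51.100.7 port 41027 ssh2
Dec 22 10:15:30 host sshd[2200]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Dec 22 10:15:40 host sshd[2202]: Accepted publickey for alice from 203.0.113.9 port 50111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse(log_text, year=2016):
    """Parse sshd auth lines into (timestamp, result, user, ip) tuples.
    The year is an assumption: syslog timestamps do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated sshd messages
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside a
    sliding window of `window_seconds`; record a later success from the
    same IP, which suggests the guessing worked."""
    recent = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = {}
    for ts, result, _user, ip in sorted(events):
        if result == "Failed":
            window = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent[ip] = window
            if len(window) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(window))
        elif result == "Accepted" and ip in flagged:
            flagged[ip]["success_after_burst"] = True
    return flagged
```

A single failed login from 203.0.113.9 followed by a key-based success is ordinary user behaviour and is not flagged; the five rapid failures from 198.51.100.7 followed by an accepted password are.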
