
Why ad fraud botnets have become so hard to stop

White Ops CEO Michael Tiffany talks with SearchSecurity about why ad fraud campaigns are so successful and what can be done to stop the spread of ad fraud botnet infections.

Ad fraud botnets have become so difficult to detect and so effective at generating fraudulent ad views that some campaigns are generating millions of dollars in a single day.

Cybersecurity vendor White Ops recently issued a report on such an ad fraud campaign known as "Methbot," which was raking in between $3 million and $5 million a day. According to White Ops, the Methbot campaign was generating approximately 300 million fraudulent "views" for video ads a day and charging roughly 3 cents per view.

White Ops CEO Michael Tiffany said these types of successful ad fraud campaigns are common today, thanks to threat actors using more sophisticated malware that's harder to detect. White Ops has recently focused its efforts on the problem of ad fraud, which it estimates is costing the advertising industry more than $7 billion a year globally. The security startup has aimed to disrupt these cybercrime operations by rooting out the ad fraud botnets behind these ad fraud campaigns.

Tiffany spoke with SearchSecurity earlier this year about the growing problem of ad fraud and what can be done about it. In part two of the interview, he discusses the economic model for ad fraud campaigns, how the malware has evolved, and how prevalent ad fraud infections are within enterprises. Here are excerpts from the conversation with Tiffany:

How does White Ops approach the problem of ad fraud differently than other companies?

Michael Tiffany: The state-of-the-art approach for fraud detection before White Ops came along was batch analysis -- essentially machine learning looking for traffic patterns that are off the baseline. But that's an imprecise science, and it takes a learning period. No one had the ability to directly detect the malware in the first place. So what we do is detect fresh infections of an ad fraud botnet right from the start. We're not saying there's ad fraud because the click-through rates were 0.5 percent higher than normal -- instead we say "Oh, that's Kovter [ad fraud malware]." And it's an entirely different kind of conversation with companies when you have that level of precision. It's not about asking companies to trust our data science over their data science.

How big of a problem are ad fraud infections for enterprise users?

Tiffany: Seventy percent of the successful ad fraud traffic we see in the U.S. is coming from residential IP addresses and consumer devices like desktops, laptops and tablets. Broadly speaking, the web traffic coming from enterprises is better. But we saw on one occasion quite a bit of ad fraud traffic coming from an IP address block that we knew was associated with one of the biggest banks in the U.S. So that was a little eyebrow-raising. And we knew the security guys at this bank; we told them that we saw a lot of traffic that we know originates from malware. So they said, "No kidding? Can you hook us up with some POCs [points of compromise] so we can investigate?" and so we scrubbed the data and anonymized it for them. They investigated it and got back to us and said "Oh my god, the hotspots you told us about were all exit points for guest Wi-Fi," which made sense. So there are some ad fraud infections in enterprises. But when you look at defense in depth in the enterprise, where there's often some endpoint security, but more importantly there's also a bunch of network security layers, that seems to be shutting down a lot of successful ad fraud. Otherwise, we wouldn't see the ratios that we're seeing between residential and commercial IP addresses. So I think this does draw into focus the fact that consumers are broadly under-protected. The past couple decades of effort to make computers harder to break into have not actually resulted in computers that are harder to break into.

What have you learned through your research about how these ad fraud campaigns work?

Tiffany: What we've learned is that the traffic brokers aren't running ad fraud botnets. They're just the interface between the people that want to buy traffic and the botnet operators. And if you're a botnet operator, what you're really in the business of doing is infecting new computers with your malware. And if you can put together a 10,000-node botnet, then you could've put together a 20,000-node botnet. So the eventual discovery of your infections is built into your model. The game is to just infect new computers at roughly the same rate as your existing infections are getting caught. There's always this fresh supply.

How do the economics work for the individual cybercriminals behind these ad fraud campaigns? Are they contracted to write malware and infect systems on behalf of companies that sell traffic? Or are there other forces at work here?

Tiffany: If you're the guy running the ad fraud botnet, the actual product you sell is 10 million unique visitors per hour. That's your offer. And there are two different types of buyers. There are some people who operate websites that are just purpose built for fraud. Those sites will have content, and they'll look legitimate. For example, look at "" -- there's real content there, but they have more ad inventory available for AdX [Google AdExchange] than The Daily Mail. And that doesn't make sense. It seems impossible for to be more popular than The Daily Mail and have the third most ad impressions in the UK. So if you want to operate that kind of ad fraud operation, it's actually stupid to make any one domain that popular. The smarter thing to do is have a hundred domains and send a little bit of bot traffic to each of them and spread it out.


The other type of buyer is the bot broker that publishers buy traffic from. And of course, they don't say "Hi, I'm your friendly neighborhood criminal front operation!" -- they call themselves an "ad tech audience platform" or something like that. So when publishers buy that traffic, it doesn't feel like it's this crime. And sometimes, those guys are just middlemen for other guys who are fronting for the real botnet operator. So the money may go from the advertiser to the publisher who pays a guy who pays another guy who then pays another guy that is actually running the botnet. And of course, each one of those guys is marking up the traffic. So at the end of the chain, the botnet operator is selling his visits for something like 0.01 cents per visit. And the publisher may be paying 1 cent per visit because it's getting marked up along the way.

Are there ad fraud operations that use more sophisticated malware to generate botnet traffic from business and residential sources and can therefore charge more money? I'm thinking of the Rolls Royce of ad fraud botnets. Do those exist?

Tiffany: I think there is almost a waterfall of monetization with fresh infections. Let's say you're using the Rolls Royce of malware for ad fraud, and you just freshly popped a bunch of machines. And at that point, nobody knows that those machines are part of a botnet. So who's going to pay the most for a visit from those computers? The answer is someone who is monetizing video advertising, because that has the highest CPMs. If you're doing video advertising, you only want to buy the Rolls Royce of botnet traffic because video buys are expensive, which of course means every advertiser is going to be employing every ad analytics platform they can get a hold of to make sure the traffic for their ads checks out. Video ad fraud is harder; you need to build your bot out of an HTML5 engine, it has to load plugins and it has to have a mouse that will move around. Video tends to attract the more elite adversaries because there's a higher bar for the malware, but it's also where you can make the most money per infection.

So if you're buying video ad views, the only traffic you're willing to pay for is the fresh traffic that checks out according to everyone and has high viewability and engagement. The broker of that traffic is going to charge 1 cent, 2 cents, 3 cents or more. Then, let's say the infection of that malware has been around for a while, and the ad analytics start flagging traffic from those consumers as suspicious. At that point, the high-end video publisher isn't going to want to buy that traffic anymore -- but the market for traffic from that botnet hasn't gone to zero. Maybe some other person who's monetizing on an ad network will buy that traffic, and he won't pay 2 cents a visit but he'll pay maybe 0.5 cents a visit. You might think there'd be no customers for those botnets that have been around a long time. But not all advertisers know about this ad fraud thing.

Do you expect the quality of the malware to increase, given how much money is at stake?

Tiffany: Yes, absolutely. It's already happening. There's a strong survivor bias in this game. Everyone who is not wickedly good at evading detection and hiding in the noise already died off before White Ops even showed up. The players that are still alive and in this game in 2016 are either new entrants who are trying the obvious stuff or they're the survivors who know how to hide. And that makes the game harder for the good guys.

And we've seen some of the most outrageously high fraud exposure in what is some of the most sophisticated ad buying we've ever seen. I'll give you an interesting case: A major brand advertiser has a website where consumers can interact with and configure the product. And they were dividing their buying into different funnels -- top, middle and bottom funnels. And when they ran White Ops, they found a shocking percentage of fraud in their bottom funnel buying, which surprised all of us. It turned out that part of the audience they had defined in the bottom funnel were people who had already visited the website and interacted with the product configurations. So what they were doing was targeting people with ads that they identified as having the advertiser's own first-party cookie. And that's a reasonable strategy -- target the folks who have already visited your site but hadn't bought anything yet in order to tip them over the edge. And surprisingly for everyone involved, including us, there were ad fraud botnets that were visiting their website and picking up their cookies. And again, there was nothing wrong with the strategy and the advertiser's buying algorithms were awesome. But it was the company's own first-party cookie pool that was poisoned and being used against it. So the malware and the ad fraud schemes are definitely becoming more sophisticated.
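The poisoned first-party cookie pool described above is, from the advertiser's side, an audience-definition problem: "holds our cookie and touched the configurator" admits any bot that crawled the site. The following is an added example, not White Ops' code or anything from the advertiser in the story. It builds the bottom-funnel audience twice over a constructed visit log: once the naive way, and once admitting a cookie only if the session that set it passed a bot check (an assumed `human_verified` verdict standing in for whatever traffic-analytics check the advertiser runs) and its source IP did not mint an implausible number of distinct cookies (an assumed heuristic, with the threshold `max_cookies_per_ip` chosen here for illustration). It then reports how much of the naive audience was bot-held.

```python
"""
Retargeting-audience hygiene: keep first-party cookies out of the
retargeting segment unless the session that set them looked human.

Added example, not White Ops' code. The visit log, the `human_verified`
verdict and the per-IP cookie threshold are all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Visit:
    cookie_id: str            # advertiser's first-party cookie set on this visit
    source_ip: str            # client address the visit came from
    configured_product: bool  # interacted with the configurator (bottom-funnel signal)
    human_verified: bool      # verdict of an assumed per-session bot check


# Constructed visit log: three human sessions, a botnet host that collects
# several cookies from one address (one of which slips past the session
# check), and a lone bot visit from a second address.
SAMPLE_VISITS = [
    Visit("c-1001", "203.0.113.10", True, True),
    Visit("c-1002", "203.0.113.11", True, True),
    Visit("c-1003", "203.0.113.12", False, True),
    Visit("c-2001", "198.51.100.7", True, False),
    Visit("c-2002", "198.51.100.7", True, False),
    Visit("c-2003", "198.51.100.7", True, False),
    Visit("c-2004", "198.51.100.7", True, False),
    Visit("c-2006", "198.51.100.7", True, True),   # evaded the session check
    Visit("c-2005", "198.51.100.8", True, False),
]


def naive_bottom_funnel(visits):
    """Audience as defined in the story: every cookie whose holder used the configurator."""
    return {v.cookie_id for v in visits if v.configured_product}


def verified_bottom_funnel(visits, max_cookies_per_ip=3):
    """Same audience, but a cookie is admitted only if its session passed the
    bot check and its source IP did not issue more than `max_cookies_per_ip`
    distinct cookies (assumed heuristic for a single host cycling cookies)."""
    cookies_by_ip = defaultdict(set)
    for v in visits:
        cookies_by_ip[v.source_ip].add(v.cookie_id)
    noisy_ips = {ip for ip, ids in cookies_by_ip.items() if len(ids) > max_cookies_per_ip}
    return {
        v.cookie_id
        for v in visits
        if v.configured_product and v.human_verified and v.source_ip not in noisy_ips
    }


def fraud_exposure(visits):
    """Fraction of the naive audience that the verified build rejects."""
    naive = naive_bottom_funnel(visits)
    clean = verified_bottom_funnel(visits)
    return (len(naive) - len(clean)) / len(naive) if naive else 0.0


if __name__ == "__main__":
    print("naive audience:   ", sorted(naive_bottom_funnel(SAMPLE_VISITS)))
    print("verified audience:", sorted(verified_bottom_funnel(SAMPLE_VISITS)))
    print(f"bot share of naive audience: {fraud_exposure(SAMPLE_VISITS):.0%}")
```

The per-IP threshold is the part to treat with care: the guest Wi-Fi exit points mentioned earlier in the interview are exactly the kind of shared address that would trip it for legitimate visitors, so it belongs behind the session-level verdict rather than replacing it, and in production the session check would be a real traffic-analytics verdict rather than a flag in a list.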
