On November 10, Aleksandr Zhukov, the “king of fraud,” as he called himself, was sentenced to 10 years in prison and ordered to pay over $3.8 million in restitution:
“[He] was convicted by a federal jury in Brooklyn of four counts of a superseding indictment charging him with wire fraud conspiracy, wire fraud, money laundering conspiracy, and money laundering. The charges arose from Zhukov’s sophisticated scheme to defraud brands, ad platforms and others in the U.S. digital advertising industry out of more than $7 million.” (DOJ)
The Department of Justice said that between September 2014 and December 2016, Aleksandr Zhukov and several co-conspirators carried out the digital advertising fraud through a purported advertising network, Media Methane, hence the name “Methbot” for the scheme.
Before we dive deeper into the technical mechanics of how Methbot operated, it is important to understand the scale of the Methbot scheme and why it was one of the biggest advertising frauds of all time.
At its peak, 200 to 400 million video ad views per day were faked by using over 2,000 different servers with over 650,000 residential IP addresses. With a relatively high CPM for video ads, ranging from $3 to $36, it is estimated that the scheme earned its operators $3 to $5 million in ad revenue per day! The Methbot operation spoofed over 6,000 domains with over 250,000 URLs and targeted high-value marketplaces including private marketplaces (PMPs).
In a nutshell, Methbot delivered real ads from real advertisers and advertising networks to fake, non-existent users (bots) via fake and spoofed websites. The bots were very sophisticated, pretending to be real users by visiting the spoofed domains through a fake browser, faking mouse movements, scrolling the page, starting and stopping a video player midway, and falsely pretending to be logged in to Facebook (DOJ).
With the overall strategy explained, let us have a look at some more technical mechanisms the Methbot operation used.
Methbot used over 2,000 physical servers located in data centers in Dallas, Texas, and Amsterdam, the Netherlands. Each server ran multiple instances of the Methbot browser component and a proxy to mask the server's own IP address.
Ad fraud operated from data centers is usually easy to detect for several reasons, the IP address being the most obvious. Therefore, most ad fraud operations infect private computers through malware. Once infected, the botnet uses the IP address of the infected device and runs fake browser sessions in the background without the victim’s knowledge. This approach requires hard and continuous work, as new computers need to be infected constantly while existing infections are detected and cleaned by anti-malware vendors and other tools.
Methbot’s operators took a different approach: they rented over 650,000 different residential IP addresses with fake registration details and made the bots appear to be real American Internet users coming from legitimate Internet service providers (ISPs) such as Verizon, Comcast, and AT&T.
The custom software that ran the Methbot operation combined several open source libraries to provide the features it needed.
On top of proxying the bot traffic through various residential IP addresses, Methbot was able to simulate a real browser in several different ways:
In order to get higher CPMs, Methbot spoofed URLs in the call for a video ad, pretending to be a premium publisher website. It did this in 3 simple steps:
In summary, the creators of Methbot spared no effort to build the best botnet they could. They even went a step further and reverse-engineered the logic of the most widely used fraud detection vendors in order to fool their systems and avoid being flagged as suspicious traffic.
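The sections above describe three things a defender can actually measure: where the traffic comes from (data-center versus residential IP space), how much of it comes from each address, and whether the declared publisher URL is one the seller is entitled to sell. The script below is an added example written for this article, not code from the original post, the DOJ case, or any fraud detection vendor. The log format, the IP-to-ASN table and the seller-to-domain allowlist are all constructed for illustration; the allowlist stands in for what the IAB ads.txt standard provides in practice. It shows why a data-center check alone would have missed Methbot (the traffic sat on rented residential addresses) and why per-IP volume and domain authorization checks are needed alongside it.

```python
"""Heuristic screening of ad-impression logs for Methbot-style traffic.

Added example, not from the original article. Log lines, the ASN table and the
seller allowlist below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample of an ad server's impression log. Field layout assumed for
# this example: timestamp, client IP, ASN of that IP, seller account, declared page URL.
SAMPLE_LOG = """\
2016-11-01T10:00:01Z 203.0.113.5 AS64500 seller-a https://premium-news.example/story/1
2016-11-01T10:00:02Z 203.0.113.5 AS64500 seller-a https://premium-news.example/story/2
2016-11-01T10:00:03Z 198.51.100.7 AS64501 seller-b https://premium-news.example/story/3
2016-11-01T10:00:04Z 198.51.100.7 AS64501 seller-b https://premium-news.example/story/4
2016-11-01T10:00:05Z 198.51.100.7 AS64501 seller-b https://premium-news.example/story/5
2016-11-01T10:00:06Z 198.51.100.7 AS64501 seller-b https://premium-news.example/story/6
2016-11-01T10:00:07Z 192.0.2.9 AS64501 seller-c https://hobby-blog.example/post/1
2016-11-01T10:00:08Z 192.0.2.9 AS64501 seller-c https://premium-news.example/story/7
"""

# Constructed ASN table: ASNs known to be hosting / data-center networks.
# A real deployment would use a maintained IP-to-ASN database.
DATACENTER_ASNS = {"AS64500"}

# Constructed allowlist: which seller accounts may sell inventory on which
# domains (the idea behind ads.txt, reduced to a dict for this example).
AUTHORIZED_SELLERS = {
    "premium-news.example": {"seller-a", "seller-b"},
    "hobby-blog.example": {"seller-c"},
}


@dataclass
class Impression:
    ts: str
    ip: str
    asn: str
    seller: str
    url: str


def parse_line(line: str) -> Impression:
    """Parse one whitespace-separated log line of the assumed format."""
    ts, ip, asn, seller, url = line.split()
    return Impression(ts, ip, asn, seller, url)


def screen(log_text: str, max_per_ip: int = 3) -> dict:
    """Return {ip: sorted list of reasons} for every IP that trips a heuristic.

    Heuristics, one per technique the article describes:
      datacenter-asn                 traffic from hosting space, not a home ISP
      impression-volume              more impressions per IP than a person produces
      unauthorized-seller-for-domain declared premium domain the seller may not sell
    """
    imps = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for imp in imps:
        by_ip[imp.ip].append(imp)

    flagged = {}
    for ip, group in by_ip.items():
        reasons = set()
        for imp in group:
            if imp.asn in DATACENTER_ASNS:
                reasons.add("datacenter-asn")
            domain = urlparse(imp.url).hostname
            if imp.seller not in AUTHORIZED_SELLERS.get(domain, set()):
                reasons.add("unauthorized-seller-for-domain")
        # Volume is judged per IP, not per impression.
        if len(group) > max_per_ip:
            reasons.add("impression-volume")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for ip, reasons in screen(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

In the constructed sample, only the first address is caught by the data-center check; the second sits on a residential ASN and is caught purely by volume, and the third is caught because a small seller declares a premium domain it is not authorized to sell. The thresholds here are deliberately tiny so the sample fits on a page; real ones are set from the publisher's own baseline of impressions per address per day.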
One thing should be very clear by now: Methbot was one of the biggest and most sophisticated ad fraud schemes of all time. Using thousands of servers with hundreds of thousands of different IP addresses and various techniques to circumvent existing anti-fraud systems is not very common, even today.
The scale of the Methbot scheme was huge, so it is no wonder that Methbot also made our list of the biggest ad fraud cases of the past 5 years.
Protect your business against botnets like Methbot and get an independent opinion on the quality of your ad traffic by signing up for a free trial with us.