Methbot? More Like Mehbot.

01/06 By Jason Shaw

Jason Shaw, Director of Data Science, Head of the IAS FraudLab

Earlier this week, news broke of “Methbot,” a supposed new large-scale online advertising fraud operation. According to the announcement, Methbot generates non-human traffic primarily affecting video advertising, and snatches advertisers’ budgets away.

After careful examination of our system by the IAS FraudLab, in accordance with the list of compromised IPs released, we confirmed that our models detected and prevented this fraudulent traffic. What’s more interesting, and consistent with many other platforms’ findings (see here, here, and here), is that traffic coming from these IPs was very low in volume – less than 0.03% of the billions of impressions we see a day.

So as head of our FraudLab, I’m intrigued by all the excitement surrounding Methbot – when something old becomes new. And something small becomes big.

Is Methbot a whole new type of ad fraud?
While the most interesting feature of Methbot is the use of falsified IP address registrations, this is not a new type of ad fraud.

In past years we have uncovered datacenter-based operations using proxy servers to obscure their origin. In those instances, they have opted to use malware-infected PCs to supply the proxy servers, guaranteeing residential IP addresses.

The choice of Methbot to acquire data center IP blocks and falsify registration details is remarkable, not because of the operation of the bot but because of the upfront investment it required – estimated at $4 million in the original report.

Is Methbot the most sophisticated bot out there, evading detection from players like IAS?
Simply put, no. Methbot is a low-tech implementation using a new strategy. The bot’s use of Node.js shows a relative lack of sophistication. And our own intelligence on the originators of Methbot has shown that this was their first try at putting together a botnet like this.

In addition, the report asserts that Methbot could evade fraud detection and fool viewability measurement. They did attempt to cover their tracks through spoofing the user agent and mimicking different environments. But any comprehensive fraud detection technology should already be looking for these signals. The bots within the Methbot operation behave like most standard bots out there.

Furthermore, the DIY setup and interference with third-party JavaScript libraries backfired: IAS measured no impressions as in view from Methbot-identified sources. While Methbot was clicking, mousing over, and interacting with the video in an elaborate attempt to mimic human behavior, the bots had already outed themselves.

Do we have a billion dollar problem?
Estimating the cost of anything in advertising is notoriously difficult, with very few firms well-positioned to assess the full lifecycle of an ad impression across supply channels, verticals, geographies, and audiences. Particularly problematic is the translation of bid requests into served impressions.

The majority of impressions offered for sale programmatically go unsold, and this is especially true in low-quality inventory often trafficked by bots. This was certainly true in the case of Methbot.

While the botnet spoofed URLs, sometimes targeting premium publishers, it was not generally successful in getting its impressions to monetization. In our own system, we observed a significant imbalance between what was offered for sale and what was actually purchased.

Have the fraudsters behind Methbot recouped their investment in IP address allocation? Probably. Have they extracted over a billion dollars? Doubtful.

Final thoughts
IAS measures billions of impressions a day and we see the impact of known and unknown bots on our industry. While Methbot has certainly reached celebrity status, in the grand scheme of things, this is one of the countless bots and permutations of bots that impact brands and publishers on a day-to-day basis.

That’s why IAS invests heavily in data science, behavioral and network analysis, browser and device analysis, and targeted reconnaissance including deconstruction of malware. Ad fraud is an always-evolving arms race, and my team of information security professionals and resident hackers remains committed to eradicating it from our ecosystem.

If you would like to learn more about ad fraud, the available botnets, and malware in the market, feel free to download our research.

Ad fraud: the essentials guide
The bot papers: Avireen
The bot papers: Poweliks