We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.


How Russian Hackers Stole $5 Million a Day from U.S. Advertisers

Using clever bots to reinvent an old click fraud technique turned out to be lucrative.

American advertisers have been duped into paying for millions of dollars of online ad placement every day by Russian criminals armed with a network of bots.

Security research company White Ops has uncovered what it calls the “largest and most profitable ad fraud operation to strike digital advertising to date.” Hackers created an automated system for racking up ad views that was sophisticated enough for nobody to notice the problem for two months—costing advertisers as much as $180 million in the process.

The trick was simple. The criminals acted as an advertising firm, promising to host ads on sites like Fox News, ESPN, or CBS Sports. In reality, they built fake Web pages that no real person would visit. Then they used a sophisticated army of bots, known as Methbot, scattered across 500,000 different U.S. IP addresses, to view the ads.

The smart part is that those bots were programmed to be active during the daytime, appeared to be using Chrome on a Mac, and even had fake Facebook accounts. To anyone checking stats, they looked like real people. "[It] is a beautiful simulacrum of a real browser," explained White Ops CEO Michael Tiffany to CNN. "This is the kind of theft in which nothing has gone missing."

Fake traffic is bad news for advertisers, because they have to pay up without a human eye ever seeing the promotion. And in this case, it really hurt: the approach netted the hackers between $3 million and $5 million per day.

It’s by no means a new idea, of course. Hijacking ads using robotic clicks has been a problem for as long as pay-per-click advertising has been online. Way back in in 2005, New Scientist suggested that Google’s AdWords platform could be at risk from such attacks. But the latest scam is notable for its scale and smarts.

Trouble-making bots have run amok in 2016. Over the past few months, an army of Internet-connected devices has been corralled and controlled to take down large swaths of the Internet. The bad news is that, unlike the ad-scamming bots,  they’re growing in number, up for hire—and dangerous.

(Read more: White Ops, CNN, “IoT Botnets Are Growing—and Up for Hire,” “Security Experts Warn Congress That the Internet of Things Could Kill People”)

Keep up with the latest in Security at Business of Blockchain 2019.

May 2, 2019
Cambridge, MA

Register now
More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe to Print Subscription.
  • Print Subscription {! insider.prices.print_only !}*

    {! insider.display.menuOptionsLabel !}

    Six print issues per year plus The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Print magazine (6 bi-monthly issues)

    The Download: newsletter delivery each weekday to your inbox

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.