How Russian Hackers Stole $5 Million a Day from U.S. Advertisers
Using clever bots to reinvent an old click fraud technique turned out to be lucrative.
American advertisers have been duped into paying for millions of dollars of online ad placement every day by Russian criminals armed with a network of bots.
Security research company White Ops has uncovered what it calls the “largest and most profitable ad fraud operation to strike digital advertising to date.” Hackers created an automated system for racking up ad views that was sophisticated enough for nobody to notice the problem for two months—costing advertisers as much as $180 million in the process.
The trick was simple. The criminals acted as an advertising firm, promising to host ads on sites like Fox News, ESPN, or CBS Sports. In reality, they built fake Web pages that no real person would visit. Then they used a sophisticated army of bots, known as Methbot, scattered across 500,000 different U.S. IP addresses, to view the ads.
The smart part is that those bots were programmed to be active during the daytime, appeared to be using Chrome on a Mac, and even had fake Facebook accounts. To anyone checking stats, they looked like real people. "[It] is a beautiful simulacrum of a real browser," explained White Ops CEO Michael Tiffany to CNN. "This is the kind of theft in which nothing has gone missing."
Fake traffic is bad news for advertisers, because they have to pay up without a human eye ever seeing the promotion. And in this case, it really hurt: the approach netted the hackers between $3 million and $5 million per day.
It’s by no means a new idea, of course. Hijacking ads using robotic clicks has been a problem for as long as pay-per-click advertising has been online. Way back in in 2005, New Scientist suggested that Google’s AdWords platform could be at risk from such attacks. But the latest scam is notable for its scale and smarts.
Trouble-making bots have run amok in 2016. Over the past few months, an army of Internet-connected devices has been corralled and controlled to take down large swaths of the Internet. The bad news is that, unlike the ad-scamming bots, they’re growing in number, up for hire—and dangerous.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today