The operation is unprecedented in its complexity, the security firm says, and may have cost the hackers as much as several hundred thousand dollars per day. To start with, the scammers registered over 6,000 fake domains that spoofed legitimate sites like ESPN and Fox News, then generated over a quarter million fake URLs that could only do one thing: host video ads.
Played on the right, high-profile sites, a video ad can garner $13 per 1,000 views on average, according to White Ops. The hacking crew (dubbed Ad Fraud Komanda or AFK13) was able to trick the ad service algorithms into playing the video ads on its faked domains, rather than the real sites. (White Ops declined to mention which digital ad companies were affected.)
That was part one of the trick, but it doesn't amount to anything unless someone clicks on the video. That's where the bot network comes in -- AFK13 hired data center space and aimed traffic from more than 570,000 bots at its faked sites. It also studied ad networks' quality verification processes, put in place to defeat ad-impression fraud schemes.
With that data in hand, it illegally obtained IP addresses from at least two regional Internet registries, showing the bot traffic as coming from Verizon, Comcast and other US-based ISPs. The seemingly American bots then duplicated the actions of real users via fake mouse clicks and movements, along with social network logins and other tricks.
Working with media intelligence firm AD/FIN, White Ops figures that AFK13 racked up 300 million impressions, valued at up to $3.9 million, per day. That would make it the largest ad fraud scheme ever, easily besting the ZeroAccess botnet. It's not clear how the fraudsters obtained payments (presumably, the ad networks need banking and contact information to send the money) but we've reached out to White Ops for more information.
The security firm has partnered with the Trustworthy Accountability Group (TAG) to spread the word about the scam, and provided a list of known Methbot IP addresses and fake URLs and domains. TAG told Marketing Land that "the massive fraud operation represents a significant threat to the integrity of the ecosystem," adding that it has alerted 130 compliance officers at the largest digital ad companies.