We Got Lucky with Methbot; Let’s Not Take it for Granted

December 2016 saw the outing of Methbot, a botnet controlled by a single group in Russia, operating out of data centres in the US and the Netherlands. According to White Ops, responsible for bringing Methbot’s work to light, it was generating USD$3-5m (£2-3.4m) in fraudulent revenue per day by targeting the premium video advertising ecosystem. Writing exclusively for ExchangeWire, Steve Sullivan, VP, Partner Success, Index Exchange, explains how the attention-grabbing headlines surrounding Methbot don’t do anything to address the real issue of these fraudulent activities.

Decisive action by the digital advertising industry prevented a potential loss of revenue to fraud after White Ops released its information on Methbot at the end of last year. This fact was lost in the hyperbole of headlines that appeared to be selected more for their ability to generate clicks than to convey facts. The headline should have read, ‘Industry Dodges Multimillion Dollar Fraud Bullet’ – because we did. However, the bitter truth of our vulnerability will remain as long as we continue supporting an opaque ecosystem.

This is reminiscent of 2013, when a botnet named ‘Chameleon’ made headlines. Chameleon is a traditional, residential IP-based botnet – probably the most common source of malicious invalid traffic (IVT) – consisting of the PCs of real humans. In contrast to Methbot, the reveal of Chameleon was synonymous with the discovery of a massive waste of ad expenditure – heretofore unnoticed by the industry. This was not the case with Methbot, because of some fundamental differences in their structure.

When you think of Chameleon versus Methbot, consider the qualities of water versus tempered glass. Water can be poked, prodded, and even dynamically increased or decreased in volume, all while retaining its essential form and function (Chameleon). Tempered glass is highly engineered and purpose-built to be clear, strong, and solid. However, any assault on its edge will result in a crack and end a few seconds later in a catastrophic loss of integrity: the sheet of tempered glass literally shatters into thousands of tiny pieces. The Chameleon botnet is a fluid, ever-changing mass of infected PCs belonging to real people. Any mass approach to shutting it down would also result in a material loss of real human impressions.

Steve Sullivan, VP, Partner Success, Index Exchange

By contrast, the robotic component of the Methbot operation consisted almost exclusively of servers located in data centres. These are computers with no mouse, no keyboard, and no human sitting behind a monitor – 100% of the impressions coming from these systems are fraudulent. The architects of Methbot are impressive: they built a colossal ecosystem that would allow them to spoof domains and generate traffic at a scale previously unknown to the ad industry. But they built a sheet of tempered glass; and White Ops nicked the edge.

In the months leading up to Black Friday and Cyber Monday, Methbot activity grew steadily and levelled off around 300 million (mostly video) impressions per day. White Ops released their findings through the Trustworthy Accountability Group (TAG) fewer than 60 days after Methbot’s peak activity. Because publishers don’t typically get paid within 60 days of the sale of their media, everyone in the industry who downloaded the Methbot IP list should have been able to simply stop payment for the impressions from those IPs. In contrast to the normal botnet discovery announcement, we were able to prevent a potential multibillion-dollar loss. Furthermore, the swift and collective action of the industry resulted in the complete shutdown of Methbot as a viable operation.
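The two paragraphs above describe the mechanics that made the save possible: the fraudulent traffic came from data-centre hosts, the published list identified those hosts by IP, and payment terms longer than the gap between peak activity and disclosure meant the impressions were still unpaid. The following is an added example, not code from the original article, Index Exchange or White Ops, showing how a publisher or exchange could reconcile an impression log against such a list before settling. The blocklist entries, impression records and release date are all constructed (RFC 5737 documentation addresses, not the real Methbot list), and the 60-day payment window is taken from the text.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample blocklist: hypothetical data-centre addresses and ranges.
# These are documentation addresses (RFC 5737), not the real Methbot list.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.17"]

# Constructed impression log: (impression_id, source_ip, served_on, revenue_usd)
IMPRESSIONS = [
    ("imp-001", "198.51.100.44", date(2016, 11, 25), 20.0),
    ("imp-002", "203.0.113.17",  date(2016, 11, 26), 18.0),
    ("imp-003", "192.0.2.9",     date(2016, 11, 26), 15.0),
    ("imp-004", "198.51.100.44", date(2016, 9, 1),   20.0),
]


def build_networks(blocklist):
    """Parse each entry as a network; a bare IP becomes a /32 (or /128) host network."""
    return [ipaddress.ip_network(entry, strict=False) for entry in blocklist]


def is_listed(ip, networks):
    """True if the address falls inside any listed network (ranges, not just exact IPs)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def reconcile(impressions, blocklist, list_released, payment_terms_days=60):
    """Split impressions into held, payable and already-paid-to-listed buckets.

    An impression is still unpaid if its payment date (served_on + terms) has not
    passed by the time the list is released, so payment can simply be withheld.
    Listed impressions whose payment date has already passed are the real loss.
    """
    networks = build_networks(blocklist)
    terms = timedelta(days=payment_terms_days)
    buckets = {"held": [], "payable": [], "paid_to_listed": []}
    for imp_id, ip, served_on, revenue in impressions:
        listed = is_listed(ip, networks)
        still_unpaid = served_on + terms > list_released
        if listed and still_unpaid:
            buckets["held"].append((imp_id, revenue))            # payment stopped in time
        elif listed:
            buckets["paid_to_listed"].append((imp_id, revenue))  # paid out before the list arrived
        else:
            buckets["payable"].append((imp_id, revenue))         # not on the list, pay as normal
    return buckets


def bucket_total(buckets, name):
    """Sum the revenue in one bucket, e.g. the amount withheld from payment."""
    return sum(revenue for _, revenue in buckets[name])


if __name__ == "__main__":
    # Constructed release date; the article only says the list came out
    # fewer than 60 days after peak activity.
    result = reconcile(IMPRESSIONS, BLOCKLIST, list_released=date(2016, 12, 20))
    for name in ("held", "payable", "paid_to_listed"):
        print(f"{name:15s} {len(result[name])} impressions, USD {bucket_total(result, name):.2f}")
```

The CIDR handling matters in practice: a list published as ranges rather than individual hosts only protects you if the match is done by network membership, and a record served before the payment window closed is the case where the list arrives too late to help.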

Those who build systems to steal from the ad industry are diligent, organised, creative, and persistent. So why would they build something as fragile as Methbot? Maybe they were counting on the possibility that none of the IVT detection companies would call them out. For that matter, if any IVT measurement companies admitted after the fact that they knew about the bot all along, to them I would say: “For Shame.” The only reason to have understood Methbot and not taken action would have been to maximise profits and/or justify their purpose by not actually solving the problem – like a physician treating the obvious symptoms of a patient’s disease, while carefully avoiding the one definitive cure.

Whatever their reasoning, the architects of Methbot are smart enough to know their creation had a quintessential Achilles heel. In recognition of this fact, I can only assume they’ve hedged their bets with some equally devious and comprehensive scheme, yet to be discovered. What is it? Who knows. What I do know is that it takes an industry working together, making hard choices, being willing to say “no” to easy money, and building transparency into all aspects of our business. As stated in Index Exchange CEO Andrew Casale’s blog post, Methbot: A Call to Action:

“…this is not the first time a major botnet has been identified, nor will it be the last.”

While the industry lucked out in the recent case of Methbot, let’s use this as yet another warning in the wake of so many. 2017 must be the year the industry fully commits to collaboration and transparent practices. Let’s clean up our act before we’re taken advantage of again.