Russian hackers are stealing between $3 million and $5 million per day from US brands and media companies in one of the most lucrative botnet operations ever discovered.
On December 20, researchers from White Ops said the scheme, dubbed "Methbot," is a Russian operation set up to watch up to 300 million video-based adverts automatically every day.
These adverts, displayed on legitimate domains owned by companies including the Huffington Post, Economist, Fortune, ESPN, Vogue, CBS Sports, and Fox News, are used to generate additional revenue through advertising sponsors which help keep these businesses afloat.
However, White Ops says Methbot capitalizes on this revenue generation by targeting the most expensive advertising on the web -- such as full-blown video adverts on branded websites -- and is programmed to show signs of "engagement" to fool ad providers into thinking the content is being watched legitimately.
Faked clicks, mouse movements, social network login information, and typical "working hours" are all methods to keep the operation under wraps.
What makes matters worse is that the Methbot operators are impersonating these legitimate domains, touting themselves to advertising networks, and placing these ads on fake websites.
The ad marketplace believes these ads are being legitimately shown to website visitors and is therefore paying for non-existent eyeballs, while the real company itself loses out on advertising revenue.
"Methbot synthesizes many of the telltale signals monitored by advertisers and anti-fraud firms, the operation has avoided notice and become exceedingly profitable," the researchers say.
It is believed that Methbot creates an estimated 200 million to 300 million fraudulent video ad impressions per day, targeting roughly 6,000 publishers and generating $3 million to $5 million in revenue every 24 hours.
Profits from each provider range from $3.27 to $36.72 with the average being $13.04 per 1000 registered ad impressions. Once you multiply this by over half a million compromised IP addresses, the money rolls in.
The Methbot operation is headquartered in Russia but utilizes data centers in Texas and Amsterdam, using forged IP records to bypass blacklist systems. Each slave PC in the botnet is then registered to a major US ISP to make it appear to come from a residential home in the United States, which further conceals Methbot's presence.
The fraudulently generated revenue that ends up in the hands of Russian cybercriminals far exceeds what has previously been recorded for similar botnet schemes. ZeroAccess is thought to have collected as much as $2.7 million per month, while the Chameleon botnet took up to $200,000 per day and HummingBad was able to generate roughly $300,000 per month.
"At this point, the Methbot operation is so entrenched in the infrastructure, the only way to shut it down is to make the details public, and for all parties involved to take direct action," the research team says.
"White Ops has stopped Methbot from monetizing on our customers' platforms, but it is clearly making money on many other platforms."