On November 10, 2021, Alexander Zhukov, the self-proclaimed "king of digital fraud," was sentenced to 10 years in prison and ordered to pay $3.8 million in damages. We wrote about this earlier.
The U.S. Department of Justice said that between September 2014 and December 2016, Alexander Zhukov and several co-conspirators committed digital advertising fraud through a purported advertising network called Media Methane.
Contents
1. What is Methbot
1.1. Operating principle
1.2. Who became a victim
2. What is 3ve
2.1. Operating principle
3. Who created 3ve and Methbot
4. Methods of click fraud via Methbot and 3ve
4.1. Distributed Servers
4.2. Proxy network with a large number of residential IP addresses
4.3. Advanced open source technology stack
4.4. Simulating a real browser
4.5. Fake premium domains for higher CPM
5. Damage
6. Exposing the "Methbot"
7. Protection from click fraud and botnets
Name | Methbot and 3ve (Eve) |
Status | Eliminated |
Description | Two of the largest digital ad fraud botnets were used to generate fake video ad views and were estimated to have earned fraudsters over $36 million between 2014 and 2018. |
What is Methbot
Methbot was, when it was exposed in 2016, the largest botnet built for digital advertising fraud. It was used to automatically "watch" video ads on fake websites. The operators clearly invested a great deal of money, time and effort in the technology: the scheme was simple in concept but extremely effective.
Operating principle
Unlike a classic botnet, Methbot's bots were not the malware-infected PCs of third-party users: they were browser instances running on rented servers in data centers in the United States and the Netherlands, controlled centrally by the operators. A layer of dedicated proxy servers placed each session behind one of the hundreds of thousands of IP addresses the group had obtained and registered to look residential, hiding the data-center origin of the traffic. At its peak, Methbot is believed to have generated between 200 and 400 million false video ad impressions per day across this infrastructure.
Who became the victim?
Brands
The scheme used an enormous number of fake pages: more than 250,000 URLs spread across roughly 6,000 spoofed domains, all of them clones of real, popular sites. Among them were duplicates of well-known and heavily visited sites such as:
The Wall Street Journal
The Mail Online
Accuweather
ESPN
AOL
BBC.com
Business Insider
CNN
In other words, if you were asked to name the most popular website, it was most likely on the Methbot team's list.
Advertisers and Marketers
From the advertiser's side it looked like this: their video ads had been shown on the well-known sites listed above, with large view counts, and every impression was billed. Those views were supposed to translate into clicks and sales. None of that happened, because no human ever saw the ads.
What is 3ve
The operators behind Methbot were also involved in developing the 3ve botnet. As that network grew, it became clear that Methbot had been little more than a rehearsal for a more sophisticated and larger-scale criminal enterprise.
Indeed, 3ve was extremely complex, with several sub-operations, bot fleets, and Trojan-style malware that spread its code to more devices. Running non-stop, the owners of 3ve earned more from video ad views than Methbot, which had been the largest ad fraud botnet until then.
While the two networks had much in common, 3ve was far more advanced and became the template for modern click fraud. Its key difference from Methbot was that 3ve relied primarily on remotely controlled infected computers. Both hid their traffic behind IP addresses that did not legitimately belong to them and routed it through a huge list of fake sites.
Operating principle
3ve was built on a complex infrastructure of three separate but interconnected botnets, all performing roughly the same operations. As with Methbot, the operators had access to a huge number of devices they could control remotely. They used these zombie devices to open browsers and visit their own fake websites, then directed the bots to generate fraudulent clicks and views.
Click fraud on ads is no longer new: today this method is detected and blocked by click fraud protection systems. At the time, though, it was a cutting-edge approach that was extremely difficult to detect and block.
In fact, 3ve was exploiting other botnets that were active at the time, including Kovter and Boaxxe (aka Miuref), to obtain valuable IP addresses to mask their fraudulent activity or to conduct large bot attacks.
Who created 3ve and Methbot
The creators of these large and complex systems were a team of cybercriminals, mostly from Russia and Kazakhstan. Alexander Zhukov, Evgeniy Timchenko, Sergey Denisov and Sergey Ovsyannikov were arrested and charged with conspiracy to commit wire fraud, money laundering, aggravated identity theft and conspiracy to commit computer intrusion.
At least five other members of this criminal network are still at large. The methods and processes these hackers used to commit click fraud serve as inspiration for many modern cybercriminals.
Click fraud methods via Methbot and 3ve
Distributed servers
The Methbot botnet used more than 2,000 physical servers located in data centers in Dallas, Texas, and Amsterdam, Netherlands. Each server ran multiple instances of the Methbot browser and a proxy server to spoof IP addresses.
Proxy network with a large number of residential IP addresses
Ad fraud in which the attacks originate from data centers can usually be detected easily by various indicators, one of which is the IP address. That is why, for most fraudulent operations, cybercriminals infect private PCs with malware.
Once a device is infected, the botnet uses its IP address and launches fake browser sessions in the background without the victim's knowledge. This scheme requires constant replenishment, since the exploited devices get cleaned by antivirus programs and the fraudsters continually need new bots.
Methbot's operators took a different approach: they leased more than 650,000 IP addresses using fraudulent registration details, so that the addresses appeared to belong to residential ISPs, and had their data-center bots impersonate real Internet users whose visits seemed to come through legitimate providers.
Advanced open source technology stack
The custom software that ran Methbot used several open source components to add the functionality it needed:
- Node.js as the underlying JavaScript environment for executing the bot's JS code.
- tough-cookie for fake sessions and for storing persistent identifiers, such as a Facebook login cookie. The fraudsters used this to achieve higher rates: an impression tied to what looks like a specific, identifiable user is worth more to the advertiser and its targeting model than an anonymous one.
- cheerio is a library for parsing HTML markup and traversing/manipulating the resulting data structure.
- JWPlayer for requesting video ads and programmatically interacting with the video player.
Simulation of a real browser
In addition to sending bot traffic through proxies using residential IP addresses, Methbot was also able to mimic real browsers in the following ways:
- User-agent: Methbot spoofed the user-agent string, impersonating different browsers such as Chrome, Firefox, Internet Explorer 11 and even Safari.
- Operating system: Even the operating system was spoofed to simulate requests from Windows and different versions of macOS.
- Screen characteristics. Information about resolution, screen width and height, color settings, pixel depth - all these characteristics were faked.
- Browser extensions. The botnet creators even thought about adding information coming from different browser extensions.
- Simulating human interaction. Methbot used a random timer to simulate clicks on the page, and could also randomly simulate clicks inside the video player itself, to make the bot's behaviour look realistic and defeat click-checking logic.
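A spoofed browser profile is assembled from independently faked fields, and that is where it can be caught: the user-agent, the reported navigator.platform and the screen properties must agree with each other, and a "residential" address must not behave like a data-center server. The following is an added example, not code from the original post or from the Methbot operators, written for the detection side: it runs a few such consistency checks plus a per-IP volume check over impression records. The log lines, field names and the 60-impressions-per-hour threshold are constructed for the example; a real pipeline would read the same fields from its ad server or measurement-vendor logs.

```javascript
// Added example (not the original post's code): consistency and volume checks
// over constructed video-ad impression records.

// Constructed impression log in JSON-lines form. "screen" is [width, height, colorDepth]
// as reported by the page's JavaScript; "platform" is the reported navigator.platform.
const SAMPLE_LOG = `
{"ts":"2016-10-03T14:00:00Z","ip":"203.0.113.7","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36","platform":"Win32","screen":[1920,1080,24],"site":"espn.com"}
{"ts":"2016-10-03T14:00:02Z","ip":"198.51.100.23","ua":"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko","platform":"MacIntel","screen":[1440,900,24],"site":"cnn.com"}
{"ts":"2016-10-03T14:00:04Z","ip":"198.51.100.23","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1 Safari/605.1.15","platform":"Win32","screen":[1366,768,24],"site":"foxnews.com"}
{"ts":"2016-10-03T14:00:06Z","ip":"198.51.100.23","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7","platform":"MacIntel","screen":[1280,800,13],"site":"vogue.com"}
`;

function parseLog(text) {
  return text.split('\n').filter(l => l.trim()).map(l => JSON.parse(l));
}

// Operating system implied by the user-agent string.
function osFromUa(ua) {
  if (/Windows NT/.test(ua)) return 'windows';
  if (/Macintosh|Mac OS X/.test(ua)) return 'mac';
  if (/Android|Linux/.test(ua)) return 'linux';
  return 'unknown';
}

// Operating system implied by navigator.platform.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return 'windows';
  if (/^Mac/.test(platform)) return 'mac';
  if (/^Linux/.test(platform)) return 'linux';
  return 'unknown';
}

// Returns the inconsistencies found in one impression record (empty list = passed).
function checkRecord(rec) {
  const reasons = [];
  const uaOs = osFromUa(rec.ua);
  const platOs = osFromPlatform(rec.platform);
  const isIE = /Trident\/|MSIE /.test(rec.ua);
  // Real Safari carries "Version/x.y ... Safari/"; Chrome also says "Safari/" but never "Version/".
  const isSafari = /Version\/[\d.]+ .*Safari\//.test(rec.ua) && !/Chrome|Chromium/.test(rec.ua);
  if (isIE && uaOs !== 'windows') reasons.push('Internet Explorer UA on non-Windows OS');
  if (isSafari && uaOs === 'windows') reasons.push('modern Safari UA on Windows'); // Safari for Windows ended with 5.1
  if (uaOs !== 'unknown' && platOs !== 'unknown' && uaOs !== platOs) {
    reasons.push(`navigator.platform ${rec.platform} contradicts UA OS ${uaOs}`);
  }
  const [w, h, depth] = rec.screen;
  if (!(w > 0 && h > 0)) reasons.push('empty screen dimensions');
  if (![16, 24, 30, 32].includes(depth)) reasons.push(`implausible colorDepth ${depth}`);
  return reasons;
}

// Impressions per (ip, hour). One household does not produce dozens of video
// impressions an hour; a "residential" address that does is behaving like a server.
function impressionsPerIpHour(records) {
  const counts = new Map();
  for (const r of records) {
    const key = `${r.ip}|${r.ts.slice(0, 13)}`; // YYYY-MM-DDTHH
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

function flagHighVolumeIps(records, threshold = 60) {
  const flagged = new Set();
  for (const [key, n] of impressionsPerIpHour(records)) {
    if (n > threshold) flagged.add(key.split('|')[0]);
  }
  return [...flagged];
}

// Constructed burst: one "residential" IP producing 80 impressions in under an hour,
// each with an internally consistent fingerprint, so only the volume check catches it.
function buildBotBurst() {
  const base = parseLog(SAMPLE_LOG)[0];
  const burst = [];
  for (let i = 0; i < 80; i++) {
    const secs = i * 40;
    const ts = `2016-10-03T14:${String(Math.floor(secs / 60)).padStart(2, '0')}:${String(secs % 60).padStart(2, '0')}Z`;
    burst.push({ ...base, ts, ip: '192.0.2.50' });
  }
  return burst;
}

function analyze(records) {
  return {
    perRecord: records.map(r => ({ ip: r.ip, site: r.site, reasons: checkRecord(r) })),
    highVolumeIps: flagHighVolumeIps(records),
  };
}

const report = analyze([...parseLog(SAMPLE_LOG), ...buildBotBurst()]);
console.log(report.perRecord.filter(p => p.reasons.length), report.highVolumeIps);
```

The first record is a consistent Chrome-on-Windows profile and passes; the three records from 198.51.100.23 each fail one check (IE user-agent with a Mac platform, a current Safari user-agent on Windows, a 13-bit colour depth), while 192.0.2.50 has a clean fingerprint on every impression and is only caught by volume. Neither check alone is decisive, which is why measurement vendors combine many such signals rather than relying on a single rule that a bot author can read and satisfy.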
Fake premium domains for higher CPM
To command higher rates, Methbot spoofed URLs to impersonate a premium publisher's site. The scammers did this in three steps:
- Fake website. A URL was selected from a list of premium publishers (e.g. vogue.com, espn.com, foxnews.com). The system then cloned the site and placed on it exactly the content needed to run the video ad.
- Ad request. Methbot requested video ads for that site from an ad network using a Video Ad Serving Template (VAST) request carrying its own unique identifier, so that the ad impression would be counted.
- Generating views and clicks with bot traffic. The video ads were viewed by bots visiting the clone site created in the first step. They did so through the residential proxies, so it looked as if real users were watching. Moreover, Methbot downloaded any fraud-control or viewability-measurement code delivered by the ad network and fed it falsified data.
In summary, the creators of Methbot spared no expense or effort to build the best botnet they could. The developers went further and reverse-engineered the logic of the most widely used click fraud detection and bot blocking services in order to fool those systems and hide suspicious traffic.
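The three-step domain spoof above works because the ad network took the publisher domain in the request at face value. The industry's answer was ads.txt, an IAB Tech Lab mechanism introduced in 2017, after Methbot was exposed, in which a publisher lists at https://<publisher>/ads.txt the ad systems and seller accounts authorized to sell its inventory. The following is an added example, not code from the original post, showing that check: a request claiming "espn.com" that arrives through a seller the real publisher never listed is rejected. The ads.txt text, exchange names, seller IDs and bid requests are constructed for the example, and the lookup table stands in for an HTTPS fetch of the real file.

```javascript
// Added example (not the original post's code): verifying a bid request's claimed
// publisher domain against that publisher's ads.txt.

// ads.txt record: <ad system domain>, <seller account id>, <DIRECT|RESELLER>[, <cert authority id>]
function parseAdsTxt(text) {
  const records = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.split('#')[0].trim();          // '#' starts a comment
    if (!line || /^[A-Za-z]+=/.test(line)) continue;    // skip blanks and variables (CONTACT=, SUBDOMAIN=, ...)
    const fields = line.split(',').map(f => f.trim());
    if (fields.length < 3) continue;                    // malformed record
    records.push({ adSystem: fields[0].toLowerCase(), sellerId: fields[1], relationship: fields[2].toUpperCase() });
  }
  return records;
}

// Constructed stand-in for fetching https://<publisher>/ads.txt over HTTPS.
const ADS_TXT_BY_PUBLISHER = {
  'espn.com': `# constructed ads.txt for the example
CONTACT=adops@example.invalid
exchange-a.example, 1001, DIRECT
exchange-a.example, 1002, RESELLER
exchange-b.example, pub-5551, DIRECT`,
  // cnn.com deliberately absent: a publisher with no ads.txt cannot be verified
};

function isAuthorizedSeller(publisherDomain, adSystem, sellerId) {
  const text = ADS_TXT_BY_PUBLISHER[publisherDomain.toLowerCase()];
  if (text === undefined) return { authorized: false, reason: 'no ads.txt published' };
  const match = parseAdsTxt(text).find(
    r => r.adSystem === adSystem.toLowerCase() && r.sellerId === String(sellerId));
  if (!match) return { authorized: false, reason: 'seller not listed for this publisher' };
  return { authorized: true, reason: match.relationship };
}

// Constructed bid requests: "site" is the domain the request *claims*; adSystem and
// sellerId identify who is actually offering the impression for sale.
const BID_REQUESTS = [
  { id: 'r1', site: 'espn.com', adSystem: 'exchange-a.example', sellerId: '1001' },
  { id: 'r2', site: 'espn.com', adSystem: 'exchange-a.example', sellerId: '9999' }, // unknown seller: spoof candidate
  { id: 'r3', site: 'espn.com', adSystem: 'exchange-c.example', sellerId: '1001' }, // right id, wrong exchange
  { id: 'r4', site: 'cnn.com',  adSystem: 'exchange-a.example', sellerId: '1001' }, // no ads.txt: cannot verify
];

function screenBidRequests(requests) {
  return requests.map(r => ({ id: r.id, site: r.site, ...isAuthorizedSeller(r.site, r.adSystem, r.sellerId) }));
}

console.table(screenBidRequests(BID_REQUESTS));
```

Only r1 is accepted. Note what the check does and does not prove: it ties the seller to the publisher, so a cloned espn.com sold through the fraudsters' own account fails, but a publisher that never publishes ads.txt (r4) gets no protection, and the check says nothing about whether the viewer on the other end is a human, which is why it complements rather than replaces the traffic-quality checks above.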
Damage
At the height of their fraudulent activity, the cybercriminals behind Methbot were able to fake between 200 and 400 million video ad views per day, using over 2,000 servers and more than 650,000 residential IP addresses. With a relatively high cost per video ad impression (ranging from $3 to $36), experts estimate that the scheme was bringing its operators $3 to $5 million in revenue per day.
Methbot was able to spoof over 6,000 domains with over 250,000 URLs, impersonating premium and popular resources, including private marketplaces (PMPs).
In a nutshell, Methbot served real ads from real advertisers and ad networks to non-existent users (bots) via fake websites. These were advanced and “trained” scripts that could impersonate real users. They visited cloned websites via a fake browser, simulating mouse movements, scrolling the page, starting and stopping the video player. The bots could even pretend to be social media users.
Exposing the "Methbot"
When White Ops uncovered the full extent of this cyber fraud, they reported their findings to the FBI, marking the beginning of the end for Methbot. But that was not really the end of this massive and complex operation.
While this botnet was winding down, its successor was ramping up. 3ve (pronounced "Eve") had been seen as a fairly unremarkable botnet performing low-level ad fraud on PCs.
However, in 2017, 3ve began processing more and more ad requests, with experts estimating between 3 and 12 billion bid requests per day. Eventually the culprits behind this fraudulent operation, which lasted several years and caused billions of dollars in damage, were caught. Their techniques for deceiving advertisers have since been adopted by new cybercriminals. One question remains: is there any way to counter this?
Protection against click fraud and botnets
The scale and sophistication of the Methbot and 3ve botnets remain impressive, and they may still be the most profitable ad fraud networks ever. Bot attacks like these are part of a larger click fraud problem that costs advertisers an estimated $23 billion annually.
This is a clear example of how any programmer with the skills to write automated scripts and assemble a botnet can earn such fabulous sums.
Of course, advertising networks such as Google Ads, Yandex.Direct, VKontakte, Facebook and others are well aware of this practice and have implemented filters and mechanisms to protect against such fraud. In reality, though, fraudsters adapt quickly and regularly find ways around them.
Many of the manual actions a marketer can take against PPC ad fraud do have some effect, but it is short-lived, limited, and incredibly time-consuming to maintain.