Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Best Answers

  • SvenSven Accepted Answer
    nice read, thanks for sharing.
  • jonseojonseo UK Accepted Answer
    Wow, that's cheating on a *really* large scale :)
  • Accepted Answer
    Wow. $5m per day. Not bad. Yet Google pulls $Bns and everyone loves them for their data farming, manipulative ads and gawd knows what else.

    BH til I die, mo-fos.
  • edited March 2017 Accepted Answer
    Would be interested to know the running costs of such a network with 800k dedicated IPs. According to the article posted it's $4m. Seems steep though.

    I'm not involved in video nor the CPV model but, sounds like they were renting loads of VPS and IPs and forging the UA/footprints/etc to mimic real users via dodgy domains. As per the PDF:

    Video advertising on premium web sites fetches some of the highest prices in digital
    advertising. Methbot hijacks the brand power of premium publishers by spoofing URLs in
    the call for a video ad in order to attract advertising dollars in the following way:
    Counterfeit page:
    Methbot selects a domain or URL from a list of premium publishers,
    and fabricates counterfeit pages. The page contains nothing more than what is needed
    to support an ad, and the publisher’s server is never contacted.
    Offer inventory:
    Using the industry standard VAST protocol, Methbot requests a video
    ad from a network, using one of Methbot’s identifiers so they will get credit for it.
    Produce fake views and clicks:
    The video ad is loaded through a proxy and “played”
    within the simulated browser. Any specified anti-fraud and viewability verification code
    is also loaded and fed false signals in order to make the activity seem legitimate.
    To date White Ops has observed 250,267 distinct URLs across 6,111 distinct domains that
    were generated by Methbot in the act of impersonating a user visiting a web page.

    Nothing particularly clever here, although the simplest ideas often work best. They obviously had some serious financial backing.

    But what I don't get is how were they making money out of this successfully. Surely a handful of Russian adsense accounts siphoning off millions of $ in commissions every day would be spotted pretty quickly.

    If I was the White Ops guy I'd have kept quiet and setup my own network using their code...
  • Accepted Answer
    @JudderMan seems like hpyerbole on the part of the author, seems to be more likely within the range of $25k to $250k (paupers) according to this

  • edited March 2017 Accepted Answer

    Ok, it looks like they weren't targeting Adsense or Youtube much, but those embedded players like Brightcove and then networks like AdNexus... Still I am not sure how they could monetize it to the tune of $Xm a day/week/whatever without being questioned by the companies paying them. Unless the companies knew or didn't care, but this seems unlikely. Of course they setup Shell companies/fronts that looked legit but still..

    If a russian guy started generating $5m a week in commissions I'm sure you'd start to ask questions. If they had done some due diligence then they would have spotted those fake sites with zero value and autogen content in an instant.
  • edited March 2017 Accepted Answer
    @Kaine I guess we will never know, unlikely they will be convicted, and are sitting pretty in Russia, safe and sound.

    The reason I'm paying so much interest in this story is because I want to know how they managed to acquire those IP blocks and falsely register them as domestic US broadband ones... Anyone have any idea? I haven't tried it myself but I heard there were significant checks in place to prevent that, a bit like SSL certs... No idea if true or not, but thinking how this can be tailored to tricking Google for BH purposes etc... :)

    Thinking about it, given they forged USA IP details, they could have easily forged the payee names too. Let me guess, AdNexus have been paying $5m a day to "Goog1e Inc" :D
  • Accepted Answer
    @Kaine I spent last week researching this and it turns out according to Brian Krebs that they just hunted round for expired IP blocks that used to belong to domestic DSL operators (based on my research last week, you can still find the requests for it, so I'm pretty sure this is accurate).

    So for example if a bunch of IP addresses belonged to Time Warner in 2007-2012 but they didn't need them any more and let them expire, then this guy came along and re-registered them, putting the original company details back in the whois. A bit like expired domains.
  • SvenSven Accepted Answer
    this is just a tool based on normal HTTP Requests. To simulate anything else would require way more than this. Im sorry but any javascript based stuff is not going into this tool.
  • edited March 2017 Accepted Answer
    @Kaine why don't you contact the guy who wrote the script or at least ran the Methbot network, or the one who registered to use the IP addresses? Both are in Ukraine/Russia, so they may sell it to you, etc.

    If you send me PM if interested I can put you in touch with him. Or you can find them yourself on Google quite easily.  It is my intention to contact them both in due course.
  • Accepted Answer
    @Kaine the solution, then, is to move to Russia :D


  • KaineKaine
    edited March 2017
    "But what I don't get is how were they making money out of this successfully. Surely a handful of Russian adsense accounts siphoning off millions of $ in commissions every day would be spotted pretty quickly"

    It is precisely here that they have made strong, since to my knowledge nobody seems to get there or it keeps it well.

    There is a fashion I like in Sven's proxy scraper and which allowed me to earn some money by clicking on the ad place on my siters (not adword) : The custom http tool.

    I had requested optimizations to improve the thing unfortunately I did not manage to get them. Not far from 900Euros of gains but as the clicks was litigious only half were paid. With the emulation style at the Methbot at the end of the click, it would be possible.

    Have you see the level:

    Sample of Methbot generated URLs 

  • KaineKaine
    In my opinion they used several accounts, advertising on huge networks. A little here and there. I imagine you all have more or less at a time trying to cheat to generate more and surely notice that it was not obvious :)
  • KaineKaine

    Was not that the IP forged?

    It is possible to reverse things for example on a transparent proxy.

    Your IP becomes the proxy, and the proxy a normal IP.

    From this observation, I imagine that "emulating" any IP range becomes possible :)
  • KaineKaine
    edited March 2017
    The news is good, will you try?

    I would like to try again with that:


    @Sven ;Is there a way to optimize the use of this tool?

    In order to generate an activity for advertisements. For example I can currently click on a pub (following the link) but a mouse activity for example with a random time would be a more valuable.

    I try it and it already works in reality but that's to avoid a ban. Connections that leave immediately are not natural.

    For the curious: 

    8839 users agent =
    32 country ip-range =

    For exemple: 6898 real IP range for United States (millions in the end): > > > > > > >  ...

    .... >
  • KaineKaine
    edited March 2017
    A random time on page + emulation mouse (absolutely anything) ? ^^

    I am still learning but as soon as possible I would try to do it in java. In my opinion the most complicated will be to redo the equivalent of the HTTP Tool.
  • KaineKaine
    edited March 2017
    @Spunko2010 ;I intended to do it on a small scale on campaigns of my choice. With Bot like Methbot, you do not have to be afraid of being woken up by the Swat fracturing your door in the early morning lol.

    If the guy is willing to sell it, it will surely be expensive. Server-side logistics is likely to be as important as the obligation to have an offshore bank account.

    The game is certainly worth the candle but we must remain cautious.

    They live in Russia so no problem, but for us it's another story.
  • KaineKaine
    Why not :D
Sign In or Register to comment.