A group of Russian-based hackers is stealing an estimated $3 to $5 million every day as part of the most lucrative botnet ever discovered.  The White Ops security group discovered the botnet, dubbed “Methbot,” which exploits video advertising on a massive scale.

YouTube receives nearly a billion unique visits every month, so it is no wonder that it has become one of the primary advertising platforms for marketers.  Users from all age demographics visit YouTube for everything from news, to how-to videos, to entertainment and personal video blogs.  Since users choose which videos they watch and often continue on to related content, it is easier to target advertisements on YouTube than on any other medium.  For this reason, advertisers are willing to invest big money to pursue these markets.

With the amount of money exchanged over video advertising, it was only a matter of time before someone found a way to exploit the system.  Enter Methbot, which allows hackers to defraud the system on multiple fronts.  First, Methbot chooses a target that is likely to attract high-end advertisers.  From there the botnet simulates user video interactions; this includes fake clicks, mouse movements and commenting if the site allows it.  On its own, this would waste advertisers’ money but would not benefit the perpetrator; this is where things get a bit more complicated.  Methbot operators impersonate legitimate domains and use the fake visitor numbers to convince advertising networks that the ads are delivered to a real audience.  The ad marketplace in turn bids on high-performing websites, which in this case are completely fraudulent, while legitimate websites lose out on any money they would have received from ad revenue.

Like all botnets, Methbot functions by taking advantage of individual users’ PCs and internet-connected devices.  This allows the botnet to use the combined power of all devices to accomplish its goals.  Normally, botnets are used to distribute malware or set up spyware operations, both of which can quickly return a fast profit but are often easy to detect.  In the case of Methbot, the individual users within the botnet are not attacked in any way; instead their compromised IP addresses are used to fool advertisers’ spam-protection systems.  For this reason, Methbot has managed to stay undetected until now.
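The three signals described in the two paragraphs above (a spoofed publisher domain, scripted "user" interactions, and traffic that passes IP-based checks because the addresses themselves look clean) are the things an ad network's fraud team would want to score together rather than one at a time. The following is an added example, not code from the article or from White Ops: a small Python detector that reads constructed ad-impression log lines and flags sessions where at least two indicators agree. The log format, field names, thresholds and sample values are all assumptions made for this illustration.

```python
"""Toy ad-impression fraud scorer (added example; format and thresholds are
assumptions, not a real ad network's schema)."""
import statistics
from collections import defaultdict

# Constructed sample log.  Each line: session_id client_ip declared_domain
# serving_host comma-separated-event-timestamps-in-ms.  Sessions s2-s4 are
# written to look like scripted traffic hiding behind a spoofed publisher.
SAMPLE_LOG = [
    "s1 203.0.113.10 news-site.example cdn.news-site.example 120,980,2140,3320",
    "s2 203.0.113.11 news-site.example 198-51-100-7.bulk.example 500,1000,1500,2000",
    "s3 203.0.113.12 news-site.example 198-51-100-7.bulk.example 500,1000,1500,2000",
    "s4 203.0.113.13 news-site.example 198-51-100-7.bulk.example 500,1000,1500,2000",
    "s5 192.0.2.44 news-site.example www.news-site.example 300,1450,2700,5100",
]


def parse_line(line):
    """Split one log line into a record dict (assumed layout, see SAMPLE_LOG)."""
    sid, ip, declared, host, ts = line.split()
    return {"sid": sid, "ip": ip, "declared": declared, "host": host,
            "events": [int(t) for t in ts.split(",")]}


def gaps(events):
    """Inter-event intervals in ms; a tuple so it can be used as a dict key."""
    return tuple(b - a for a, b in zip(events, events[1:]))


def domain_mismatch(rec):
    """Declared publisher domain is not the host that actually served the page."""
    host, declared = rec["host"], rec["declared"]
    return not (host == declared or host.endswith("." + declared))


def machine_regular(rec, max_cv=0.05):
    """Event timing is too regular for a human: coefficient of variation of the
    inter-event gaps below max_cv (threshold is an assumption)."""
    g = gaps(rec["events"])
    if len(g) < 3:
        return False
    mean = statistics.mean(g)
    return mean > 0 and statistics.pstdev(g) / mean < max_cv


def replayed_scripts(records, min_sessions=3):
    """Session ids whose exact gap sequence recurs in min_sessions or more
    sessions from the same /24; separate 'clean' IPs replaying one script."""
    seen = defaultdict(set)
    for r in records:
        block = ".".join(r["ip"].split(".")[:3])
        seen[(block, gaps(r["events"]))].add(r["sid"])
    flagged = set()
    for sids in seen.values():
        if len(sids) >= min_sessions:
            flagged |= sids
    return flagged


def score_sessions(lines, min_indicators=2):
    """Return {session_id: [indicator names]} for sessions hitting at least
    min_indicators of the three signals."""
    records = [parse_line(line) for line in lines]
    replayed = replayed_scripts(records)
    result = {}
    for r in records:
        hits = []
        if domain_mismatch(r):
            hits.append("domain_mismatch")
        if machine_regular(r):
            hits.append("machine_regular_timing")
        if r["sid"] in replayed:
            hits.append("replayed_script")
        if len(hits) >= min_indicators:
            result[r["sid"]] = hits
    return result


if __name__ == "__main__":
    for sid, hits in score_sessions(SAMPLE_LOG).items():
        print(sid, hits)
```

The design point is the one the article makes implicitly: because the IP addresses themselves pass reputation checks, a scorer that relies on IP blocklists alone sees nothing, so the example requires agreement between an address-independent signal (the serving host not matching the declared publisher) and a behavioural one (scripted timing or the same interaction sequence replayed across many sessions). Thresholds such as `max_cv` and `min_sessions` would need tuning against real traffic before use.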

Ultimately, botnets such as Methbot are hard to shut down completely.  Most of these operations are run out of countries that have little means to prosecute offenders, if they can be caught at all.  Botnets by their nature are hard to pin down because they use a network of infected machines, often numbering in the hundreds of thousands.  The best defense is to make all details of the operation public and for individuals and, in this case, advertisers to take direct action if they suspect something is wrong.  It may not be possible to catch the perpetrator behind a botnet, but it is possible to mitigate the damage they can do by revealing their scheme.