Video Ad Fraud Botnet Bags Up to $1.3 Million DailyHyphBot Botnet Has Infected at Least 500,000 Windows PCs
A large network of hacked computers is sneakily viewing high-priced video ads, enabling fraudsters to reap upwards of $1.3 million in daily ad spending, Danish advertising technology company Adform warns.
The fraud is being driven by a botnet called HyphBot that's composed of at least 500,000 Windows PCs in the United States that are running Google's Chrome browser and which have been infected with malware, says Copenhagen-based Adform. HyphBot bots force the PCs to visit bogus websites where legitimate ads have been placed, artificially inflating viewership figures.
The online advertising industry has long waged a campaign against such fraud. But fraudsters continue to deploy a variety of tricks to try and inflate illicit advertising revenue by making it appear that legitimate people are clicking or viewing legitimate ads.
Battling these attacks is complicated, however, by the highly automated nature of today's online advertising industry and fraudsters' increasing sophistication.
The Association of National Advertisers, which counts ad giants Google and Facebook as strategic partners, estimates that bot-related fraud will cost the industry $6.5 billion this year. The good news is that figure represents a 10 percent decline since 2016.
Adform has published a 14-page white paper about HyphBot. But Adform says it has limited the technical information contained in the paper to try and prevent fraudsters from bypassing the defensive measures it has developed.
"This report outlines how big ad fraud continues to be, but also how difficult it is to tackle," says Jerome Segura, lead malware intelligence analyst at Malwarebytes, who reviewed the report but was not a party to it. "Criminals are abusing the most profitable inventory, namely video ads, and leveraging infected machines around the world to load those ads and therefore profit from them."
Adform says fraudsters have infiltrated at least 14 marketplaces and platforms where online advertisements are sold. On those marketplaces, they offer links to content for legitimate publishers, such as The Economist, and offer for sale supposedly legitimate ad inventory.
In reality, the links are invalid and appear to have been constructed from a freely available gigantic list of words, Adform says. To advertisers, however, these URLs will appear to be high-quality locations for placing their ads.
Once the ad placement has been purchased, HyphBot's network of hacked computers visits the site where it has been placed. But it's actually a different URL than was offered on the marketplace. Behind the scenes, the malware that has infected the computer pushes the browser to a completely different domain.
"In this case, browser windows are opened unbeknownst to the user and launched to spoofed domain names [belonging] to legitimate publishers," Segura says. "While the address bar may indicate that the user is visiting forbes.com or some other publisher, the content is actually served from a rogue server."
HyphBot is spoofing about 34,000 domains, including some belonging to premium publishers, Adform says. That's essentially lost revenue for those publishers, as well as a waste of money for any entities which place the advertisements.
HyphBot Beats Methbot
Adform says the scale of the operation is between three to four times larger than Methbot, another large-scale advertising fraud operation described by security firm White Ops in December 2016. Methbot generated upwards of 300 million fake impressions for video ads per day (see Russian Gang Netted $3M Daily via Video Ad Fraud).
HyphBot's fraudulent ad impressions could range from 400 million to 1.5 billion requests per day, Adform says. The majority of these impressions are for video advertisements, which cost the most to place.
It's unclear how the gang behind HyphBot have been able to offer their bogus ad inventory. But in November, the Internet Advertising Bureau launched a new initiative designed to weed out fraudulent actors who manage to creep into ad sales systems.
The "Ads.txt" program lets publishers create a list of advertising exchanges that are authorized to sell advertising for their platforms. Ad buyers should check the list before buying, IAB says.
"The adoption of Ads.txt remains slow but hopefully will increase as the incentives to combat ad fraud are very clear," Segura at Malwarebytes says.
Meanwhile, Adform says a cleanup effort designed to stop the effectiveness of HyphBot is underway.
"We contacted the majority of exchanges two days after the analysis when we had hard proof that the traffic was fraudulent," the report says. "However, it took more than a week until we started to see a significant reduction in fraudulent traffic being sent."