Tag Archives: tokyo online fraud detection

The massive Russian cybercrime operation stealing millions from advertisers – Inside ‘Methbot’

Security experts have uncovered what appears to be the biggest and most profitable advertising fraud scheme known to date.

In a report released Tuesday, cybersecurity firm White Ops mapped out a massive operation through which Russian cybercriminals are stealing millions of dollars from publishers and advertisers in the form of fake video views.

Nicknamed “Methbot” for the frequent references to the drug in its code, the ongoing scheme involves an army of bots whose sole purpose is to watch as many as 300 million video ads per day, thus tricking brand advertisers into paying millions of dollars for fake views.

The company believes it to be the work of a ring of Russian hackers, who researchers say have netted upwards of $180 million in profits since launching the operation in September.

While employing automated users to scam ads is nothing new — it’s the foundation of the multibillion-dollar ad fraud industry — the company says the staggering scale and technical intricacy at play here are unprecedented.

“This is an attack perpetrated against the entire industry,” says White Ops CEO Michael Tiffany. “It was robbing both advertisers and publishers, and it was operating at a level of sophistication that’s just unheard of.”

How it works

The whole operation takes place within a sort of Potemkin Village version of the internet located entirely within the bounds of Methbot’s servers.

To populate it, the hackers took over more than half a billion IP addresses — unique strings of characters designed to identify web users — from two major registries and broke them into chunks, which were then assigned to various internet service providers like Comcast and Verizon.

Doing so created the illusion that each of these millions of bots were real web surfers spread across America rather than programs operating out of one of two centralized data centers in Amsterdam and Dallas.

The perpetrators also built custom software designed to make the bots appear convincingly human — they mimicked clicks and cursor movements; installed fake cookies that indicated demographics, online browsing histories and other targetable traits; and even gave them fraudulent social network credentials that made it appear as if they were logged into Facebook or other social media accounts (though no such accounts actually existed).

This elaborate operation goes far and beyond that of your average ad fraudster, Tiffany says. In a typical operation of this kind, bots latch onto the addresses of actual people through malware so that hackers don’t have to go through the trouble of creating identities out of whole cloth.

“We’ve never seen anything like that before,” Tiffany says. “It’s just astonishing.”

But spawning this army of robo-users was just one piece of the puzzle; the cybercriminals also generated more than 6,000 imitation sites designed to resemble major outlets across the web.

These include fake versions of publishers like CNN, the New York Times, BuzzFeed and Mashable; platforms like Facebook, Yahoo and Quora; and even some brand websites like those of Air France and Pokémon.

The fake sites allowed the thieves to take advantage of a common form of arbitrage in the ad tech industry in which unsold ad space is bought from an outlet then resold at a higher price. The criminals would pretend to be reselling space on, say, CNN’s website through an automated ad exchange but then instead direct the ad to their shell version of the site that nobody could actually see.

There, the brand would unwittingly pay to have its video ad viewed solely by the millions of bots assigned to visit each of these sites.

As a whole, the operation racked up between 200 to 300 million views per day and bilked advertisers and media companies out of $3 million to $5 million in revenue.

Such intricate attention to detail might seem excessive for a scam that’s already considered to have the lowest risk and highest reward of any form of cyber crime.

But the whole plan was put in place in service of making the machine as profitable as possible at every level. Bots imbued with a targetable profile and brand-name outlets are worth much more to advertisers than unknown visitors to a no-name webpage, and video is the most expensive form of online advertising.

“By using these very sophisticated mechanisms to hack some of the architectural systems of the internet, they were then able to unlock much greater profit potential than other operations usually have,” Tiffany said.

What’s next

White Ops, which specializes in ad fraud detection, first took notice of the operation in October, when its system picked up on some of the bots. The rest of the scheme unraveled from there.

“We had this one thread to pull on, and then as we pulled on it, we uncovered layer upon layer upon layer of complex forgeries,” Tiffany said.

Now that the report is out, White Ops is releasing a full list of fake addresses and domains so that ad networks and other fraud detection firms can block accordingly. It is also working with U.S. law enforcement authorities to try to track down the parties responsible.

While the massive scale of Methbot might make other ad fraudsters seem like small-timers in comparison, ad fraud as a whole remains a huge headache for the advertising industry. A research report from an advertiser trade group last year predicted that it could cost digital advertisers around $7.2 billion this year alone.

Tiffany says it’s entirely possible that ad fraud rings of comparable scope are currently operating undetected. The murky nature of the crime makes it uniquely hard to suss out.

“It hardy ever leaves traces of the crime behind,” he says. “It’s such an extraordinarily successful form of theft because nothing goes missing.”

Security and Risk Online: Get ahead of online fraud this holiday season

security-and-risk-online-get-ahead-of-online-fraud-this-holiday-season

Holiday shopping has changed a lot in the last few years with major online shopping events from around the world gaining popularity in Australia. This year’s Black Friday and Cyber Monday sales were one of the biggest online shopping days in Australia, kicking off the pre-Christmas rush. Cyber Monday broke records in the US hitting US$3.45 billion in online sales, up 12 per cent from last year with Australia and the rest of the world following suit.

But with the increase in online holiday shopping comes a commensurate increase in the instances of fraud. Australian internet businesses suffer dramatically more card fraud than the global average, with online fraud rising by 38% between 2014 — 2015, compared to the global average of 13%.

It’s a lesser-known quirk of the financial industry that, unlike their brick-and-mortar counterparts, online businesses are responsible for not only detecting fraud, but also paying the associated costs. On average, every $1 of fraudulent orders costs an online business an additional $2.69. A couple of weeks ago a foreign syndicate was busted by the Australian Federal Police for the theft of more than 30,000 Australian credit cards, spending more than $30 million. A hefty sum, for sure, but nothing close to the US$32 billion that online retailers spent preventing and remediating hacks in 2015. Online businesses are also susceptible to a wider range of fraud schemes, including credit card fraud, payout scams and faux refunds.

So as the holiday sales kick off, what can online businesses do about it?

The basics: getting started with fraud prevention

To begin, businesses should examine the address verification code (a postcode that matches what’s on file with the cardholder’s bank), require a card verification code (the 3- or 4-digit code on their card), and delay shipping. The latter step is especially helpful for expensive items, as it provides a safety window when the actual cardholder might flag a large fraudulent purchase.

However, these checks aren’t foolproof: Legitimate customers can easily enter a typo in their street address or move and forget to update their billing zip code, resulting in false positives, and fraudsters are often able to buy stolen credit card numbers together with their card verification codes.

The next step is manual reviews: Many business rely on employees to audit transactions and create complex, custom rules (such as, “temporarily block all orders over $500 until reviewed and approved”). All of this sound pretty complicated and manual. The answer? Machine learning.

Let machines do the heavy-lifting

Thanks to recent advances in machine learning and AI, businesses today can analyse millions of online transactions and identify buying patterns across large numbers of retailers, spotting outliers in real-time and flagging odd charges long before a human analyst would spot a problem.

Sift Science offers machine-learning-based fraud detection trained on a business’s data; other tools like Riskified and Signifyd offer chargeback insurance, screening every charge for a fee, blocking suspicious purchase, and compensating their customers when they failed to block fraud.

Stripe’s fraud tool, Radar, constantly learns from the hundreds of thousands of businesses taking payments through Stripe around the world. This new approach enabled Watsi, a global funding platform for medical treatments, to block more than $40 million in attempted fraud over a two-month span, all with limited to no human involvement.

Don’t leave money on the table

Of course, the difficulty with fraud is that pre-emptively blocking too many transactions means foregoing legitimate purchases too. In theory, you could prevent fraud from Southeast Asia by blocking all transactions from Southeast Asia; but that approach means you’d also be foregoing legitimate transactions from one of the world’s most populous regions.

So even once you’ve implemented tools for preventing fraud, it’s important to remember that your ultimate goal isn’t blocking fraud — it’s maximizing revenue. This means you should:

  1. Consider multiple metrics: Don’t just focus on one metric like false positive rate (legitimate transactions that you’re blocking) or dispute rate. After all, you can easily make the former zero by not trying to catch any fraud (and the latter zero by not accepting any payments). Your overall fraud protection approach will offer a trade-off between false positives and false negatives, and you should understand what that trade-off is and what is optimal for your business. This break-even calculator can give you an example of the kind of calculations it can be helpful to do.
  1. Find your “healthy” dispute rate: Unsurprisingly, fraud varies by sector. For example, the median fraud rate for retail is 0.02 per cent, while for nonprofits it’s 0.1%. Once you know your industry’s rate, compare it to your business’ unique situation and data to identify a “healthy” fraud benchmark. Trying to drive your dispute rate far below what is natural for your sector can be more effort than it’s worth.
  1. Always be measuring: No matter what solution you choose, be rigorous in assessing efficacy. For example, if you’re manually customising rules, you can evaluate their performance by backtesting them or by running A/B tests in real-time. Don’t rely on intuition that tells you all payments from a certain region, or at a certain time of day, are fraudulent. Formulate your hypothesis and validate it with data!

On the internet, the only constant is change itself. As consumer behaviour and fraud schemes continue to evolve, businesses that want to maximise their revenue this holiday season — and year round — should be using modern fraud defences that can adapt and help them stay a step ahead of fraudsters.