New York police have arrested yet another man suspected of running the clickfraud factory known as Methbot: a farm of 1,900 data servers rented to host 5,000 bogus websites and to concoct fictional traffic coming from fake visitors, thereby running up profits from advertising fraud.
Methbot got its name from White Ops, the bot mitigation firm that discovered the Russian/Kazakhstani cyberforgery ring in 2016.
In 2018, the US busted eight men from Russia and Kazakhstan, accusing them of running the vast ad-fraud scheme, which milked a total of $36 million from advertisers.
Two of the eight – Sergey Ovysannikov and Yevgeniy Timchenko – have since pleaded guilty. The alleged ringleader, Aleksandr Zhukov, plans to fight the charges. The rest of the suspects remain at large.
Now, more than a year after the eight men were arrested, the US has busted a ninth man, Sergey Denisoff. The affidavit supporting Denisoff’s arrest warrant was filed in US District Court in the Eastern District of New York on Friday. Here’s the court document, first spotted by Seamus Hughes and then posted courtesy of CyberScoop’s Jeff Stone.
According to White Ops, the scheme was controlled by a single group based in Russia that operated out of data centers in the US and Netherlands. They brought in $3 million to $5 million in counterfeit inventory per day by targeting the premium video advertising ecosystem.
Methbot was an illusion factory. As the affidavit describes, between September 2014 and December 2016, Denisoff’s alleged part was to operate an advertising network that purported to place ads on real webpages seen by real, human visitors. In fact, they were dummy webpages allegedly created by Denisoff and his buddies. They allegedly directed automated computers to visit those pages, so as to register ad views.
The Methbot operators ran what they claimed to be an advertising network which they dubbed Mediamethane. Meanwhile, Denisoff and others allegedly operated a purported advertising network called Plexious. Mediamethane was getting paid by other advertising networks – including Plexious – to place ad tags with publishers on behalf of those ad networks. Instead of putting those ad tags on real publishers’ sites, however, the defendants allegedly stuck them on computers on a server farm in Dallas.
Those servers were programmed to ape human internet activity, being programmed to automatically do things like move a mouse and scroll on a webpage. The Methbot defendants allegedly also created fraudulent entries in a global IP registry to hide the fact that its fake humans were all really computers in a server farm.
After White Ops – working for clients in the advertising industry – uncovered the fakery behind the traffic and the IP registrations, search warrants turned up programming code, allegedly shared by the defendants, for making sure their computers were using the right “browser” parameters. That’s “browser”, quote-unquote: an FBI agent said in the affidavit that it looked like the conspirators custom-designed an automatic web browser that could mimic signals sent by typical internet browsers run by real humans.
As the affidavit tells it, there was a lot of back and forth about that “browser”: How many clicks per hour? This many? What about per day? 10 clicks per day per IP? Argh! It downloaded 300 clicks in an hour! They’re clicking too fast! It has to be a bug. It should be 50-60 clicks per hour, total.
They also mastered the mimicry of humans watching videos: each video had to be clicked on and watched for 60-90 seconds in order to ensure that enough advertising was “watched” so they’d earn cuts of ad revenue.
The defendants allegedly used their ability to slip past fraud detection software as a selling point, advertising Mediamethane’s ability to provide “100% USA traffic” that could pass through cybersecurity “filters.”
Denisoff allegedly supplied the Methbot crew with fake domains and helped them slip past fraud-detection security software. He was in regular communication with alleged ringleader Zhukov.
When investigators interviewed him in October 2019, Denisoff voluntarily told them that he learned all about the advertising ecosystem when he was in college in 2011-2012. During that time, he and a friend launched an ad network they named Plexious that worked with other ad networks to source and resell ad traffic.
Plexious earned between $10 million and $12 million from 2012 to 2016, mostly from video traffic, Denisoff said during the interview.
When asked about the domains he sent to Zhukov, Denisoff said that c’mon, the advertising agencies and ad networks should have known that most people wouldn’t visit such domains to search for information. He kind of has a point: some of those dummy webpages had nothing but content copied from legitimate pages, and some had only the text that appears by default in webpage editors: “lorem ipsum.”
Does that make clickfraud OK? Nope, and Denisoff knew it. According to the affidavit, at one point, when discussing how to slip past security software, he allegedly suggested to Zhukov that they switch to instant-messaging on Jabber “before they put me in jail” – as in, “something without logs and access from the American law enforcement.”
Well, so much for the plan to go covert: after the FBI arrested Zhukov, during a raid in Bulgaria in November 2018, investigators found multiple Jabber conversations on Zhukov’s computer, dating back years, including with Denisoff.
Denisoff’s next hearing is scheduled for 3 February.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.