Old 12-22-2016, 12:02 AM   #1
deonbell
Confirmed User
Join Date: Sep 2015
Posts: 1,045
Report: $3-5M in Ad Fraud Daily from "Methbot"

https://krebsonsecurity.com/2016/12/...-from-methbot/


Quote:
White Ops dubbed the video ad fraud network “Methbot,” and says the individuals at the helm of this network are spending upwards of $200,000 a month just maintaining a fully automated fraud network that imitates real Web site publishers showing real viewers video-based advertisements.
Quote:
“They’ve written their own browser from scratch in Javascript, and this allows them to arbitrarily control the information that gets fed back to the ad networks and to companies like us who try to detect this stuff,” Castellucci said. “This has allowed Methbot to scale to beyond anything the industry has seen before, putting it in a new class of ad fraud.”
Still, all that bot traffic probably converts better than all the free porn tubes out there.

Old 12-22-2016, 12:22 AM   #2
deonbell
Confirmed User
Join Date: Sep 2015
Posts: 1,045
White Paper on Methbot with more technical details.
http://go.whiteops.com/rs/179-SQE-82...eration_WP.pdf

Quote:
Methbot uses custom software running on server-based infrastructure with dedicated IP space. White Ops detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings. The bot runs under Node.js, and uses several open source libraries to add other features.

Old 12-22-2016, 03:00 AM   #3
$5 submissions
I help you SUCCEED
Join Date: Nov 2003
Location: The Pearl of the Orient Seas
Posts: 32,195
I wonder how well they compare to all the fake engagement cash created by SMM bot networks.

Old 12-22-2016, 03:43 AM   #4
EddyTheDog
Just Doing My Own Thing
Join Date: Jan 2011
Location: London, Spain, New Zealand, GFY - Not Croydon...
Posts: 25,045
How are they getting around the IP address issue?..

Old 12-22-2016, 05:35 AM   #5
rowan
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Quote:
Originally Posted by EddyTheDog View Post
How are they getting around the IP address issue?..
Wonder why they chose to use "real" IPs (that could possibly stick out because the neighbouring IPs/IP blocks host servers and websites) rather than just create a custom botnet.

Old 12-22-2016, 08:29 AM   #6
Horatio Caine
full-time aspiring rapper
Join Date: Aug 2012
Location: Compton, CA
Posts: 5,746
Quote:
Originally Posted by rowan View Post
Wonder why they chose to use "real" IPs (that could possibly stick out because the neighbouring IPs/IP blocks host servers and websites) rather than just create a custom botnet.
They made it look like it was owned by T-Mobile, Verizon etc...

Old 12-22-2016, 08:46 AM   #7
Her-Sson
Confirmed User
Join Date: Nov 2016
Posts: 144
They run only on video ads?

Old 12-22-2016, 08:46 AM   #8
crockett
in a van by the river
Join Date: May 2003
Posts: 76,806
I read about this but I think they are pulling numbers out of their ass.

Old 12-22-2016, 08:49 AM   #9
Barry-xlovecam
It's 42
Join Date: Jun 2010
Location: Global
Posts: 18,083
Russian Mafia (Pootin Pals?)

barry@paragon-DS-7:~$ curl ipinfo.io/161.8.252.0
{
"ip": "161.8.252.0",
"hostname": "No Hostname",
"city": "Dallas",
"region": "Texas",
"country": "US",
"loc": "32.7787,-96.8217",
"org": "AS8888 LLC RU-service",
"postal": "75270"
}
barry@paragon-DS-7:~$ curl ipinfo.io/196.62.126.117
{
"ip": "196.62.126.117",
"hostname": "No Hostname",
"city": "Dallas",
"region": "Texas",
"country": "US",
"loc": "32.7831,-96.8067",
"org": "AS40824 WZ Communications Inc.",
"phone": "214"
}
barry@paragon-DS-7:~$ whois 161.8.252.0



NetRange: 161.8.0.0 - 161.9.255.255
CIDR: 161.8.0.0/15
NetName: RIPE-ERX-161-8-0-0
NetHandle: NET-161-8-0-0-1
Parent: NET161 (NET-161-0-0-0-0)
NetType: Early Registrations, Transferred to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2004-02-18
Updated: 2004-02-18
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at Database Query ? RIPE Network Coordination Centre
Ref: https://whois.arin.net/rest/net/NET-161-8-0-0-1

ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: https://whois.arin.net/rest/poc/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE3850-ARIN

Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '161.8.0.0 - 161.8.255.255'

% Abuse contact for '161.8.0.0 - 161.8.255.255' is '[email protected]'

inetnum: 161.8.0.0 - 161.8.255.255
netname: MAGNITKA
org: ORG-MMK2-RIPE
descr: OOO MMK-Informservice
descr: Pushkina str. 2
descr: Mgnitogorsk, 455019
country: RU
admin-c: AIS56-RIPE
tech-c: AIS56-RIPE
status: LEGACY
remarks: For information on "status:" attribute read https://www.ripe.net/data-tools/db/f...gacy-resources
mnt-by: MMKMGN-MNT
mnt-lower: MMKMGN-MNT
mnt-routes: MMKMGN-MNT
created: 2004-01-20T10:47:24Z
last-modified: 2016-10-04T11:24:12Z
source: RIPE

organisation: ORG-MMK2-RIPE
org-name: OAO Magnitogorsk Iron and Steel Works
org-type: OTHER
address: Pushkina street, 2
address: Magnitogorsk 455019
abuse-c: RD6100-RIPE
mnt-ref: ROSNIIROS-MNT
mnt-by: MMKMGN-MNT
mnt-by: ROSNIIROS-MNT
created: 2011-01-18T18:59:15Z
last-modified: 2015-07-20T08:24:07Z
source: RIPE # Filtered

person: Alexey I Stepanenko
address: Magnitogorsk Iron and Steel Works (MMK)
address: Open Joint Stock Company
address: Pushkina st. 2 Russia
phone: +7 3519 258912
abuse-mailbox: [email protected]
nic-hdl: AIS56-RIPE
created: 2003-10-29T11:15:54Z
last-modified: 2013-12-18T06:07:28Z
source: RIPE # Filtered
mnt-by: MMKMGN-MNT

% This query was served by the RIPE Database Query Service version 1.88 (WAGYU)
======================

barry@paragon-DS-7:~$ whois 196.62.126.117
% This is the AfriNIC Whois server.

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '196.62.96.0 - 196.62.127.255'

% No abuse contact registered for 196.62.96.0 - 196.62.127.255

inetnum: 196.62.96.0 - 196.62.127.255
netname: ATT
descr: AT&T Services, Inc.
country: US
admin-c: IP9-AFRINIC
tech-c: IP9-AFRINIC
status: ASSIGNED PA
mnt-by: IP-ADMIN
mnt-lower: IP-ADMIN
mnt-domains: IP-ADMIN
mnt-routes: IP-ADMIN
source: AFRINIC # Filtered
parent: 196.62.0.0 - 196.62.255.255

person: IP Admin
address: IP Admin
phone: +2482534202
nic-hdl: IP9-AFRINIC
source: AFRINIC # Filtered



Reassigned IP ASN Blocks

The hi-tech ad industry

Nice scam and a great return -- you think they will prosecute them in Russia?

Those IPs were listed in the body of that story.

Old 12-22-2016, 09:03 AM   #10
Bladewire
StraightBro
Join Date: Aug 2003
Location: Monarch Beach, CA USA
Posts: 56,229
Quote:
Originally Posted by Barry-xlovecam View Post
Russian Mafia (Pootin Pals?)

Well done!

Old 12-22-2016, 02:33 PM   #11
deonbell
Confirmed User
Join Date: Sep 2015
Posts: 1,045
Is it difficult to code a browser? Why node.js? Does it run on multiple platforms, like Java?

Old 12-22-2016, 03:20 PM   #12
shake
frc
Join Date: Jul 2003
Location: Bitcoin wallet
Posts: 4,663
Quote:
Originally Posted by deonbell View Post
Is it difficult to code a browser? Why node.js? Does it run on multiple platforms, like Java?
Nodejs can run anywhere, also there are a number of headless browsers based on nodejs for unit testing. I'd be surprised if their browser wasn't based on something like Casper to start with.

Old 12-22-2016, 03:29 PM   #13
deonbell
Confirmed User
Join Date: Sep 2015
Posts: 1,045
Quote:
Originally Posted by shake View Post
Nodejs can run anywhere, also there are a number of headless browsers based on nodejs for unit testing. I'd be surprised if their browser wasn't based on something like Casper to start with.
Very cool. I may try some node.js.

Old 12-22-2016, 03:36 PM   #14
EddyTheDog
Just Doing My Own Thing
Join Date: Jan 2011
Location: London, Spain, New Zealand, GFY - Not Croydon...
Posts: 25,045
Quote:
Originally Posted by deonbell View Post
Very cool. I may try some node.js.
Node is fun to play with...

Old 12-22-2016, 05:48 PM   #15
rowan
Too lazy to set a custom title
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Quote:
Originally Posted by Horatio Caine View Post
They made it look like it was owned by T-Mobile, Verizon etc...
Yeah but even a minor investigation of a few IPs by someone half skilled would throw up immediate red flags - IPs are allocated from a different regional registry (not ARIN), and the block is routed to Eastern Europe...

Guess it was one of those "good enough for now, improve it later" things.
rowan is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
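
The red flags rowan describes (a registry other than ARIN, a holder name unrelated to the network announcing the block), checked against the lookups Barry-xlovecam posted. This is an added example, not code from any poster or from White Ops; the function names, the `EXPECTED_RIR` map and the `GENERIC` word list are assumptions, and the flags are triage heuristics, not proof of fraud.

```python
import json
import re
# Assumed, simplified map: country reported by a geolocation feed -> registry expected to hold the block.
EXPECTED_RIR = {"US": "ARIN", "CA": "ARIN", "NL": "RIPE", "RU": "RIPE"}
GENERIC = {"inc", "llc", "ooo", "service", "services", "communications"}  # company-form words, ignored

def parse_inetnum(whois_text):
    """Return the first inetnum object of an RPSL reply (RIPE, AfriNIC) as a dict."""
    obj = {}
    for line in whois_text.splitlines():
        if line.startswith("%") or (not line.strip() and not obj):
            continue  # server comment, or blank line before the object starts
        if not line.strip():
            break  # a blank line ends the object
        key, _, value = line.partition(":")
        if obj or key.strip() == "inetnum":
            obj.setdefault(key.strip(), value.split("#")[0].strip())
    return obj

def brand_tokens(text):
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {w for w in words if w not in GENERIC and not re.fullmatch(r"as\d+", w)}

def red_flags(geo_json, whois_text):
    """List mismatches between a geolocation record and the registry record."""
    geo, reg = json.loads(geo_json), parse_inetnum(whois_text)
    flags = []
    expected = EXPECTED_RIR.get(geo.get("country"))
    if expected and reg.get("source", "").upper() != expected:
        flags.append("rir-mismatch")
    if reg.get("country") and reg["country"] != geo.get("country"):
        flags.append("country-mismatch")
    holder = brand_tokens(reg.get("netname", "") + " " + reg.get("descr", ""))
    if not holder & brand_tokens(geo.get("org", "")):
        flags.append("holder-vs-origin-mismatch")
    return flags

# Fields trimmed from the ipinfo.io and whois output posted in this thread.
GEO_161 = '{"ip": "161.8.252.0", "country": "US", "org": "AS8888 LLC RU-service"}'
WHOIS_161 = """% Information related to '161.8.0.0 - 161.8.255.255'
inetnum: 161.8.0.0 - 161.8.255.255
netname: MAGNITKA
descr: OOO MMK-Informservice
country: RU
source: RIPE
"""
GEO_196 = '{"ip": "196.62.126.117", "country": "US", "org": "AS40824 WZ Communications Inc."}'
WHOIS_196 = """inetnum: 196.62.96.0 - 196.62.127.255
netname: ATT
descr: AT&T Services, Inc.
country: US
source: AFRINIC # Filtered
"""
if __name__ == "__main__":
    print(red_flags(GEO_161, WHOIS_161), red_flags(GEO_196, WHOIS_196))
```

The second block shows why the country field alone is not enough: the registry record says US and names AT&T, but it sits in AfriNIC space and is announced by an unrelated network.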