In what appears to be the largest digital advertising scam in history, a group of Russian hackers reportedly built a click-fraud machine that stole up to $5 million daily from top advertisers and publishers. But even that is just the tip of the iceberg when it comes to online ad fraud.
Estimates are that billions of dollars are lost annually because of fraudulent clicks, fake traffic, and other scams. But because of the way the online-advertising market is structured, with several layers of middlemen and ad networks, there is little incentive to stop it.
In fact, the rise of sophisticated bot-nets and other forms of click fraud is part of the reason why less than half of all Internet ads are even seen by humans, according to a study done by online analytics firm comScore in 2013.
The latest scam involved a network of computers that pretended to be human web surfers so they could generate fake traffic to bogus websites and report fake clicks. It was discovered by a security firm called White Ops, which dubbed the “bot-net” operation Methbot, after a code word found in the program the hackers used to operate the network.
Get Data Sheet, Fortune’s technology newsletter.
According to White Ops, the combined financial impact of the fraud was several times larger than the largest previous “bot-net,” known as ZeroAccess, which was uncovered in 2011. The security firm estimated the hackers generated $3 million to $5 million daily in revenue.
The hackers registered hundreds of thousands of fake Internet addresses and then used a network of computers in Dallas and Amsterdam that were running the Methbot program to simulate normal human behavior such as clicking to start and stop videos and registering fake logins to sites like Facebook. All of this generated traffic and activity that was then reported to ad networks as real.
According to White Ops, the bot-net was “watching” as many as 300 million video ads daily on fake websites that the hackers had created to look like web pages from leading publishers such as the New York Times and CNN, by spoofing thousands of legitimate web addresses.
Although it may be the largest such scam, the Methbot operation is far from unusual. The online advertising market has been riddled with similar kinds of fraud for years. Some advertisers say bots make up as much as a third of the traffic they see on their ads.
According to an estimate earlier this year by the Association of National Advertisers, more than $7 billion will be lost this year to various kinds of digital-advertising fraud. And much of that is coming from ads involving video, since CPMs (or cost per thousand impressions, which is the way most online advertising is billed) are much higher for video.
“The level of criminal, non-human traffic literally robbing marketers’ brand-building investments is a travesty,” ANA president Bob Liodice said in a statement at the time the study was released.
Facebook’s fake news problem is worse than it looks:
Last year, an online security company said that it had identified an ad fraud “zombie army” called Xindi, a bot-net that it estimated would likely cost advertisers as much as $3 billion in 2015. The firm said as many as 8 million computers, many of them on corporate networks, had been infected.
Although Methbot had its own dedicated servers running its software, many bot-nets are constructed out of ordinary PCs owned by unsuspecting victims, who download “malware” or malicious programs from the Internet. Clicking on a link or a popup ad can install software in the background that then commandeers the computer for a variety of purposes.
There are many other kinds of ad fraud as well, apart from the bot-net driven kind that Methbot and others use. Some sites use what is called “pixel stuffing,” where large display ads are squished into a tiny square but are still counted as an impression. Others run multiple ads on top of each other in the same slot, so that only one can be seen at a time.
Advertising industry insiders say these and other tricks and scams are well known, and some ad networks and ad buyers are aware that their inventory and traffic numbers are being inflated by bot-nets, but as long as they are getting paid by their clients they don’t really care.
Ad fraudsters are also rarely prosecuted because they base their operations in countries where it is difficult for advertisers or even large digital players such as Google to go after them.