Russian scammers have built the most lucrative ad fraud operation on record, according to security researchers at the fraud-fighting firm White Ops.
The cybercriminals developed an army of automated web browsers, dubbed “Methbot” by the researchers, that stole millions of dollars per day from the biggest advertisers on the web, according to White Ops. The ring has been raking in $3 million to $5 million per day by the researchers’ estimates, a sum that is three times greater than the daily revenues generated by ZeroAccess, the next most profitable known advertising “botnet,” or network of zombie machines, which another set of researchers discovered in 2011.
Unlike most botnets, which infect consumers’ computers with malicious software and turn them into ad-guzzling fiends, Methbot consists of custom software running on servers in data centers in Dallas and Amsterdam. The operators took considerable measures to cloak this so-called bot farm.
Get Data Sheet, Fortune’s daily technology newsletter.
To fool fraud detectors and blacklists, the scammers acquired some 600,000 legitimate-seeming IP addresses, the researchers said. The hackers did so by compromising two out of the five of the world’s regional Internet registries, organizations across the globe that assign IP addresses.
The gang then registered these IP addresses to real Internet service providers, including Verizon (VZ), Comcast (CMCSA), and Spectrum (CHTR), to make it seem as though they were regular Internet users. Next, they commanded their masked bots to generate 200 million to 300 million bogus impressions per day on premium video ads.
While advertisers thought they were advertising on real websites, they were in fact buying counterfeit ad inventory on facsimile sites visited by bots. The researchers report that the scam affected more than 6,000 top publishers’ websites, including the Huffington Post, The Economist, ESPN, Vogue, CBS Sports, Fox News, even Fortune.
“We’ve never seen an operation this sophisticated,” said Michael Tiffany, CEO and cofounder of White Ops, on a call with Fortune.
For more on online scams, watch:
White Ops discovered the scheme after observing a simple bot mutate and grow into the more expansive operation between September and October of this year. The scam was still operational in December, raking in millions per day at that time, the company said.
White Ops, which has taken steps to block the attack for its customers, decided to release information about the scam so that publishers, advertisers, ad networks, and others could determine whether they had been affected and to halt the operation. The company said it recommends blocking the IP addresses and URLs associated with the fraudsters (see the whiteops.com website for more details).
Geir Magnusson Jr., the former chief technology officer of AppNexus, one of the world’s biggest online ad exchanges, told Fortune in an email that “this is the most sophisticated [ad fraud scheme] I’ve seen. The techniques used are very smart, designed to elegantly fool anti-fraud systems.”
In addition to using legit IP addresses routed through real Internet service providers, the scammers coded their bots to have sophisticated behaviors, such as fake clicks, mouse movements, and social network logins, to evade detection by fraud analyzers.
Magnusson Jr. told Fortune that ad tech companies need to collaborate more, and share techniques and intelligence to stay ahead of fraudsters. “Given the amount of money flowing in the system, it’s going to remain a target,” he said.
