Methbot… Denied

Comments Off on Methbot… Denied

On December 20, the cybersecurity firm White Ops published a research report about “Methbot,” a Russian botnet that hosts content farms and generates nonhuman traffic to siphon off money from digital advertisers. Though similar in approach to other bad actors in the advertising ecosystem, Methbot attracted outsized attention given aggressive publicity by White Ops.

Based on a careful analysis, we can state with a high degree of certainty that AppNexus had very little exposure to Methbot. Over the past week, only $500 in spend on the AppNexus exchange flowed to the IPs that White Ops identified in its report, and in light of White Ops’ data, we have further tightened our inventory quality (IQ) detection parameters.

Looking more closely into the individual domains that were being spoofed by this particular scheme, we found the following notable domains (data are for the previous seven days, and showing Methbot impressions only):

Spoofed Domain (victim) Impressions Sent Impressions Transacted Total Media Cost ($) eCPM
Domain 1 1849693 818932 491.48 0.600147509
Domain 2 63348 23673 1.91 0.080682634
Domain 3 134729 64489 1.31 0.020313542
Domain 4 73298 8043 0.67 0.08330225


To be clear, none of the publishers was sending fraudulent traffic.

Beyond that, we are not able to corroborate many aspects of the White Ops report. While examining the ownership information of the IPs reported in their whitepaper, we found that many were not listed as Residential ISPs in the US (though there were a few). The majority were not using obviously forged WHOIS data (they were listed as datacenters or colocation facilities, not end user ISPs).

In addition, we were not able to confirm the CPMs reported in the White Ops report, suggesting the possibility of substantial overestimation of the scale of Methbot. Our data showed an average CPM of approximately $0.50, very far from the $13 average reported in the White Ops report. Of course, we do not have access to other companies’ data. Finally, we can report that while White Ops disclosed 852,992 IP addresses as part of the botnet, we saw traffic from 797,912 of them, though virtually all of these observed impressions were not transacted, largely due to detection from our existing IQ systems. In total, over the week, we saw 153 million impressions from the IPs reported by White Ops. For comparison, AppNexus sees 1.2 trillion impressions per week typically.

AppNexus’ position as the second-largest marketplace for digital advertising places us at the center of a global ecosystem. More to the point, our scale is a key asset in fighting bad behavior. We generate full sets of impression data on which to conduct analyses, whether an auction was won or not. Our data science team aggressively and consistently analyzes traffic patterns to identify invalid traffic and shut down offending IPs.

While “Methbot” proved a non-event for AppNexus, we will remain vigilant in preserving the safety and integrity of our marketplace. That means continued investments in data science and machine learning, marketplace practices that minimize opportunities or bad behavior, and a commitment to inventory quality and optimal supply paths.

Filed under Industry Perspectives.

Comments Off on Methbot… Denied

Comments are closed.