GoFuckYourself.com - Adult Webmaster Forum


deonbell 12-22-2016 12:02 AM

Report: $3-5M in Ad Fraud Daily from “Methbot”
 
https://krebsonsecurity.com/2016/12/...-from-methbot/


Quote:

White Ops dubbed the video ad fraud network “Methbot,” and says the individuals at the helm of this network are spending upwards of $200,000 a month just maintaining a fully automated fraud network that imitates real Web site publishers showing real viewers video-based advertisements.
Quote:

“They’ve written their own browser from scratch in Javascript, and this allows them to arbitrarily control the information that gets fed back to the ad networks and to companies like us who try to detect this stuff,” Castellucci said. “This has allowed Methbot to scale to beyond anything the industry has seen before, putting it in a new class of ad fraud.”
Still, all that bot traffic probably converts better than all the free porn tubes out there.

deonbell 12-22-2016 12:22 AM

White Paper on Methbot with more technical details.
http://go.whiteops.com/rs/179-SQE-82...eration_WP.pdf

Quote:

Methbot uses custom software running on server-based infrastructure with dedicated IP space. White Ops detection technology was able to use a JavaScript language feature called “reflection” to gather extensive, detailed information about its inner workings. The bot runs under Node.js, and uses several open source libraries to add other features.

$5 submissions 12-22-2016 03:00 AM

I wonder how well they compare to all the fake engagement cash created by SMM bot networks.

EddyTheDog 12-22-2016 03:43 AM

How are they getting around the IP address issue?..

rowan 12-22-2016 05:35 AM

Quote:

Originally Posted by EddyTheDog (Post 21398308)
How are they getting around the IP address issue?..

Wonder why they chose to use "real" IPs (that could possibly stick out because the neighbouring IPs/IP blocks host servers and websites) rather than just create a custom botnet.

Horatio Caine 12-22-2016 08:29 AM

Quote:

Originally Posted by rowan (Post 21398554)
Wonder why they chose to use "real" IPs (that could possibly stick out because the neighbouring IPs/IP blocks host servers and websites) rather than just create a custom botnet.

They made it look like it was owned by T-Mobile, Verizon etc...

Her-Sson 12-22-2016 08:46 AM

They run only on video ads?

crockett 12-22-2016 08:46 AM

I read about this but I think they are pulling numbers out of their ass.

Barry-xlovecam 12-22-2016 08:49 AM

Russian Mafia (Pootin Pals?)

barry@paragon-DS-7:~$ curl ipinfo.io/161.8.252.0
{
"ip": "161.8.252.0",
"hostname": "No Hostname",
"city": "Dallas",
"region": "Texas",
"country": "US",
"loc": "32.7787,-96.8217",
"org": "AS8888 LLC RU-service",
"postal": "75270"
}barry@paragon-DS-7:~$ curl ipinfo.io/196.62.126.117
{
"ip": "196.62.126.117",
"hostname": "No Hostname",
"city": "Dallas",
"region": "Texas",
"country": "US",
"loc": "32.7831,-96.8067",
"org": "AS40824 WZ Communications Inc.",
"phone": "214"
}barry@paragon-DS-7:~$ whois 161.8.252.0



NetRange: 161.8.0.0 - 161.9.255.255
CIDR: 161.8.0.0/15
NetName: RIPE-ERX-161-8-0-0
NetHandle: NET-161-8-0-0-1
Parent: NET161 (NET-161-0-0-0-0)
NetType: Early Registrations, Transferred to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2004-02-18
Updated: 2004-02-18
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at Database Query ? RIPE Network Coordination Centre
Ref: https://whois.arin.net/rest/net/NET-161-8-0-0-1

ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: https://whois.arin.net/rest/poc/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE3850-ARIN

Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '161.8.0.0 - 161.8.255.255'

% Abuse contact for '161.8.0.0 - 161.8.255.255' is '[email protected]'

inetnum: 161.8.0.0 - 161.8.255.255
netname: MAGNITKA
org: ORG-MMK2-RIPE
descr: OOO MMK-Informservice
descr: Pushkina str. 2
descr: Mgnitogorsk, 455019
country: RU
admin-c: AIS56-RIPE
tech-c: AIS56-RIPE
status: LEGACY
remarks: For information on "status:" attribute read https://www.ripe.net/data-tools/db/f...gacy-resources
mnt-by: MMKMGN-MNT
mnt-lower: MMKMGN-MNT
mnt-routes: MMKMGN-MNT
created: 2004-01-20T10:47:24Z
last-modified: 2016-10-04T11:24:12Z
source: RIPE

organisation: ORG-MMK2-RIPE
org-name: OAO Magnitogorsk Iron and Steel Works
org-type: OTHER
address: Pushkina street, 2
address: Magnitogorsk 455019
abuse-c: RD6100-RIPE
mnt-ref: ROSNIIROS-MNT
mnt-by: MMKMGN-MNT
mnt-by: ROSNIIROS-MNT
created: 2011-01-18T18:59:15Z
last-modified: 2015-07-20T08:24:07Z
source: RIPE # Filtered

person: Alexey I Stepanenko
address: Magnitogorsk Iron and Steel Works (MMK)
address: Open Joint Stock Company
address: Pushkina st. 2 Russia
phone: +7 3519 258912
abuse-mailbox: [email protected]
nic-hdl: AIS56-RIPE
created: 2003-10-29T11:15:54Z
last-modified: 2013-12-18T06:07:28Z
source: RIPE # Filtered
mnt-by: MMKMGN-MNT

% This query was served by the RIPE Database Query Service version 1.88 (WAGYU)
======================

barry@paragon-DS-7:~$ whois 196.62.126.117
% This is the AfriNIC Whois server.

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '196.62.96.0 - 196.62.127.255'

% No abuse contact registered for 196.62.96.0 - 196.62.127.255

inetnum: 196.62.96.0 - 196.62.127.255
netname: ATT
descr: AT&T Services, Inc.
country: US
admin-c: IP9-AFRINIC
tech-c: IP9-AFRINIC
status: ASSIGNED PA
mnt-by: IP-ADMIN
mnt-lower: IP-ADMIN
mnt-domains: IP-ADMIN
mnt-routes: IP-ADMIN
source: AFRINIC # Filtered
parent: 196.62.0.0 - 196.62.255.255

person: IP Admin
address: IP Admin
phone: +2482534202
nic-hdl: IP9-AFRINIC
source: AFRINIC # Filtered



Reassigned IP ASN Blocks

The hi-tech ad industry :1orglaugh

Nice scam and a great return -- you think they will prosecute them in Russia?

Those IPs were listed in the body of that story.

Bladewire 12-22-2016 09:03 AM

Quote:

Originally Posted by Barry-xlovecam (Post 21398890)
Russian Mafia (Pootin Pals?)

:1orglaugh Well done! :thumbsup

deonbell 12-22-2016 02:33 PM

Is it difficult to code a browser? Why Node.js? Does it run on multiple platforms, like Java?

shake 12-22-2016 03:20 PM

Quote:

Originally Posted by deonbell (Post 21399682)
Is it difficult to code a browser? Why Node.js? Does it run on multiple platforms, like Java?

Node.js can run anywhere; also, there are a number of headless browsers based on Node.js for unit testing. I'd be surprised if their browser wasn't based on something like Casper to start with.

deonbell 12-22-2016 03:29 PM

Quote:

Originally Posted by shake (Post 21399739)
Node.js can run anywhere; also, there are a number of headless browsers based on Node.js for unit testing. I'd be surprised if their browser wasn't based on something like Casper to start with.

Very cool. I may try some node.js.

EddyTheDog 12-22-2016 03:36 PM

Quote:

Originally Posted by deonbell (Post 21399757)
Very cool. I may try some node.js.

Node is fun to play with...

rowan 12-22-2016 05:48 PM

Quote:

Originally Posted by Horatio Caine (Post 21398842)
They made it look like it was owned by T-Mobile, Verizon etc...

Yeah but even a minor investigation of a few IPs by someone half skilled would throw up immediate red flags - IPs are allocated from a different regional registry (not ARIN), and the block is routed to Eastern Europe... :1orglaugh

Guess it was one of those "good enough for now, improve it later" things.
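The two red flags rowan describes (a US-geolocated IP registered with the wrong regional registry, and registry data that does not match the ISP the traffic claims to come from) can be checked mechanically against the ipinfo and whois output Barry posted above. This is an added example, not code from the thread or from White Ops; the RIR-per-country table and the list of generic company words are constructed, minimal assumptions, and the embedded sample is the AfriNIC record for 196.62.126.117 quoted earlier, trimmed to the fields the checks read.

```python
import json
import re

# Sample input copied from the thread above (ipinfo.io JSON and the AfriNIC whois
# record for 196.62.126.117), trimmed to the attributes the checks below read.
IPINFO_196 = '{"ip": "196.62.126.117", "country": "US", "org": "AS40824 WZ Communications Inc."}'
WHOIS_196 = """% No abuse contact registered for 196.62.96.0 - 196.62.127.255
inetnum: 196.62.96.0 - 196.62.127.255
netname: ATT
descr: AT&T Services, Inc.
country: US
source: AFRINIC # Filtered
"""
# Which RIR ordinarily registers space geolocated to a country (constructed, minimal).
RIR_FOR_COUNTRY = {"US": "ARIN", "CA": "ARIN", "RU": "RIPE", "NL": "RIPE", "ZA": "AFRINIC"}
GENERIC = {"inc", "llc", "ltd", "corp", "ooo", "oao", "services"}  # non-distinctive name words

def parse_rpsl(text):
    """Split an RPSL whois reply into attribute -> values plus the '%' server notes."""
    attrs, notes = {}, []
    for line in text.splitlines():
        if line.startswith("%"):
            notes.append(line.lstrip("% "))
            continue
        m = re.match(r"([\w-]+):\s*(.*)", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs, notes

def name_tokens(name):
    """Distinctive words of an organisation name: drop AS numbers and generic suffixes."""
    words = {w.lower().strip(".,") for w in name.split() if len(w) > 2}
    return {w for w in words if w not in GENERIC and not re.fullmatch(r"as\d+", w)}

def red_flags(ipinfo_json, whois_text):
    """List the mismatches between what geolocation claims and what the registry records."""
    info, (attrs, notes) = json.loads(ipinfo_json), parse_rpsl(whois_text)
    geo, flags = info.get("country"), []
    rir = (attrs.get("source", [""])[0].split() or [""])[0]  # "AFRINIC # Filtered" -> "AFRINIC"
    if RIR_FOR_COUNTRY.get(geo) and rir and rir != RIR_FOR_COUNTRY[geo]:
        flags.append(f"geolocated to {geo} but registered via {rir}, not {RIR_FOR_COUNTRY[geo]}")
    if attrs.get("country", [geo])[0] != geo:
        flags.append(f"registry country {attrs['country'][0]} differs from geolocated {geo}")
    if any("No abuse contact" in n for n in notes):
        flags.append("no abuse contact registered for the block")
    registry_name = " ".join(attrs.get("descr", []) + attrs.get("netname", []))
    if name_tokens(registry_name).isdisjoint(name_tokens(info.get("org", ""))):
        flags.append("registry org name shares no word with the routing (ASN) org name")
    return flags
```

Run against the 161.8.252.0 record from the same post, the function flags the RIPE registration, the RU country and the unrelated org names in the same way.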
