Methbot: A Call to Action

Yesterday’s White Ops report on a sophisticated ad-fraud operation identified as “Methbot” is a symbolic close to 2016. It signifies that while our industry has made great strides towards ad fraud detection and enhancing industry transparency, we have more work to do.

Index Exchange has a long-standing relationship with White Ops, and we’re proud to report that after a thorough investigation, we’ve had no notable exposure to Methbot. In fact, in a platform-wide log pull for December, we saw only 14 impressions against the 571,904 IP addresses identified by White Ops, relative to billions of impressions delivered on the platform in the same timeframe.

I asked Michael Tiffany, CEO of White Ops, to weigh in on the report:

“Index Exchange works closely with us at White Ops, so we knew their operation was free from Methbot. They use a powerful combination of technology and business controls to achieve results. But we could also see that Methbot was succeeding on other platforms. The only way to end its ability to monetize everywhere was to arm everyone with the actionable data needed to stop serving Methbot’s bid requests on every platform.”

We must remember that this is not the first time a major botnet has been identified, nor will it be the last. In the past, the same series of events has occurred: lots of buzz and chatter, no bad actors are named, and we all move on with our lives, just to see this cycle repeat itself with little having changed from the previous incident.

As we enter 2017, this report should be the impetus for an industry call-to-arms. Index Exchange and several of our peers have implemented necessary controls to police our supply chains, and we are happy to see there are a growing number of exchanges proactively taking this step toward transparency. Those that aren’t need to speak up, as there are best practices being missed that need to be patched.

We’ve run the compromised IP list against our logs, and reported our results above. I now challenge the top 20 exchanges to perform the same exercise for the benefit of their publisher clients, and the buy side community.

I suggest DSPs, publishers, marketers and agencies take action as well to institute greater transparency in the industry.

DSPs: If no major exchange admits to discovering activity tied to these IP addresses, I implore major DSPs to conduct their own investigation of exchange partners. This will provide a deeper set of checks and balances, and an opportunity to effectively check the supply side’s homework.

Publishers: Almost two years ago this very month, I wrote a piece for AdExchanger discussing how publishers are often harmed by domain spoofing, with their identities being misused in an external environment they can’t control (much like identity theft in the real world). For publishers looking to take matters into their own hands, I would recommend:

  • Police your IP (domains = publisher intellectual property) by attempting to buy your portfolio of owned domains via a DSP and assessing which exchanges are selling them. If you see exchanges that you do not work with selling your domains, these exchanges are likely harboring bad actors and facilitating spoofing conducted by external sellers.
  • I recommend instituting the same exercise with your authorized exchange partners. The seats on your partner exchanges selling your domains should all be known to you, or they too could be harboring bad actors. Audit your partners, and understand who (hopefully just you) is selling traffic on your domains.

Marketers and Agencies: Leverage either your third-party ad server or verification partner to perform the same exercise: look back on purchased activity against these IP addresses and assess whether it was bought, what exposure it received, and the source it originated from.
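The log check described above (run a flagged IP list against impression logs, then break hits down by source) can be sketched as follows. This is an added example, not Index Exchange's or White Ops' code; the CSV columns, exchange and seat names, and the one-address-or-CIDR-per-line list format are assumptions, and all sample data is constructed from documentation address ranges.

```python
import bisect, csv, io, ipaddress
from collections import Counter

# Constructed sample inputs (documentation-range addresses, not the White Ops list).
FLAGGED = """203.0.113.0/24
198.51.100.17
2001:db8:bad::/48  # constructed IPv6 block
"""
LOG = """ip,exchange,seller_id,domain
203.0.113.45,exchange-a,seat-101,example-news.test
192.0.2.10,exchange-a,seat-101,example-news.test
198.51.100.17,exchange-b,seat-7,example-sports.test
::ffff:203.0.113.9,exchange-b,seat-7,example-sports.test
2001:db8:bad:1::5,exchange-a,seat-101,example-news.test
not-an-ip,exchange-a,seat-101,example-news.test
"""

def load_flagged(text):
    """Parse addresses/CIDR blocks into sorted, merged (start, end) integer ranges per IP version."""
    nets = {4: [], 6: []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net = ipaddress.ip_network(line, strict=False)
            nets[net.version].append(net)
    return {v: sorted((int(n.network_address), int(n.broadcast_address))
                      for n in ipaddress.collapse_addresses(items))
            for v, items in nets.items()}

def is_flagged(ip_text, ranges):
    """Binary-search the merged ranges; unparseable addresses count as not flagged."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:a.b.c.d is checked as IPv4
        ip = ip.ipv4_mapped
    spans, value = ranges[ip.version], int(ip)
    i = bisect.bisect_right(spans, (value, float("inf"))) - 1
    return i >= 0 and spans[i][0] <= value <= spans[i][1]

def audit(log_csv, ranges):
    """Return (total impressions, Counter of flagged impressions per exchange/seller/domain)."""
    total, hits = 0, Counter()
    for row in csv.DictReader(io.StringIO(log_csv)):
        total += 1
        if is_flagged(row["ip"], ranges):
            hits[(row["exchange"], row["seller_id"], row["domain"])] += 1
    return total, hits
```

Calling `audit(LOG, load_flagged(FLAGGED))` returns the impression total and a per-source breakdown, which is the exposure figure and origin that the exercise asks each party to report.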

My post from June 2014 about payee ID still resonates with the industry’s latest fraud case. These events continue to validate the importance of enhancing transparency in the supply chain so as an ecosystem we can stop harboring bad actors.

TAG CEO Mike Zaneis also provided his take:

“The issues of spoofing can be mitigated by increasing transparency in the digital advertising supply chain through solutions such as TAG’s Payment ID program which is being implemented now via the OpenRTB protocol. The program will engender greater transparency in the supply chain and will make these types of attacks much more difficult to execute.”

I encourage all publishers to reach out to TAG and implement its best practices to accelerate adoption in the ecosystem.

The fraud arms race will never end, but this instance just further proves that transparency is the best weapon we have to protect our supply chain, and as an industry – we need more of it.
