Yesterday IAB Tech Lab co-hosted a security briefing with the Trustworthy Accountability Group (TAG) after we were made aware of a new and potentially very significant fraud threat to the digital advertising supply chain. White Ops contacted us to discuss a hack which they dubbed “Methbot”, due to references to “meth” in its exploit code, a smart and interconnected “bot farm” that reached to the furthest depths of the advertising ecosystem.
I won’t belabor the details of the hack as you can find all the information on the White Ops website but we do want to call out things you can do now to fight against this threat.
If you are a DSP (Demand Side Platform), we recommend you follow this methodology:
- Take the IP range provided by White Ops, scan a recent day’s logs, and compute this aggregate:
Exchange ID, Publisher.ID, Domain, sum(bid_requests), sum(impressions), sum(revenue) - Use this information to do longitudinal reports looking back to October 2016 for any impressions and revenue totals associated with this inventory.
- Use the OpenRTB request’s Publisher object and the ID field within. This ID is the private ID from the Exchange that should uniquely identify the business entity that is getting paid.
If you are an Exchange/SSP (Supply Side Platform) we recommend you follow this methodology:
- Take the IP range provided by White Ops, scan a recent day’s logs, and compute this aggregate:
Exchange ID, Internal Publisher/Account ID, DSP ID, Domain, sum(bid_requests), sum(impressions), sum(revenue) - Use this information to do longitudinal reports looking back to October 2016 for any impressions and revenue totals associated with this inventory and the buyers DSPs that purchased it.
* Note that in addition to cutting off botnet via IP filtering, preparing this data set is critical to your strategy to stop the bad actors from getting paid. There is evidence that multiple supply sources and their clients are involved as intermediaries.
If you are a buyer (advertiser, agency, platform) and/or a publisher:
The compromised IP address list is where we as an industry should take action. Connect with your appropriate security vendors/partners to determine next steps for your business. White Ops also published a list of spoofed domains. To be clear the list does not mean the real branded sites are compromised. Buyers should not haphazardly block these domains. The Methbot event provided a proxy server that pointed to IP space owned by the Methbot hackers and they were hosting the URL. The publisher webserver never received the call. There are many branded sites on the list so use with caution when creating a blocklist.
Industry players have also reached out to the Tech Lab in regards to a “follow the money” process, i.e. who got paid and how. We look to our industry partners to share verified marketplace data/anecdotes with us to determine the ACTUAL monetary value of the exploit. Please email me at [email protected].
We want to reiterate that the valuation of the impressions provided by White Ops in partnership with AD/FIN was an estimate on impression value, not actual payments to bad actors. It could be that the IP addresses were blocked by the ad marketplaces due to past bad behavior for instance and nobody got paid. It seems from the White Ops report that private marketplaces were more affected than the open market and this may be because restrictions were lifted due to the trusted nature of the transaction.
Ways bad actors DO infiltrate marketplaces:
- Create fake business entities. These entities have actual seats in a marketplace and usually have a mixture of real and spoofed inventory. In this case the fake entity gets paid if not caught by the exchange/SSP.
- Self service UIs where can you sign up as a publisher and get paid automatically (no human interaction). While there may be checks in place because of the sophistication of this operation the bad actors may have been overlooked.
- Infiltrate real marketplace seats and inject hijacked ads. In this case the misdirection of the ad itself usually is the goal.
- Direct deals are not immune. If a publisher is syndicating traffic it opens them up to hijacked ads and it gives bad actors a platform with which to create spoofed traffic as they intermingle the real inventory with the fake. This is especially true with video syndication if the actual video player is placed on syndicated sites.
The IAB Tech Lab, our members, and our Founders Board value our close partnership with the Trustworthy Accountability Group. Their TAG ID solution will help us get much closer to a tracking system for events such as these. As I said on the conference call yesterday, we urge the advertising community to join TAG and help us fight these ongoing security battles. Equally important is for the Tech Lab to continue working on creating software and tools that help TAG in their efforts.
Onwards and upwards or as a good friend always says “Front toward enemy.”
With contributions from Sam Cox, Google; Jared Lansky, Sourcepoint; Rachel Nyswander Thomas, TAG; Dr. Neal Richter, Hebbian.io; and Michael Tiffany, White Ops.