November 27, 2018Swati Khandelwal
Google, the FBI, ad-fraud fighting company WhiteOps and a collection of
cyber security companies worked together to shut down one of the largest
and most sophisticated digital ad-fraud schemes that infected over 1.7
million computers to generate fake clicks used to defraud online
advertisers for years and made tens of millions of dollars in revenue.
Dubbed 3ve (pronounced “Eve”), the online ad-fraud campaign is believed to have been active since at least 2014, but its fraudulent activity grew last year, turning it into a large-scale business and earning their operators more than $30 million in profit.
Meanwhile, the United States Department of Justice (DoJ) also unsealed Tuesday a 13-count indictment against 8 people from Russia, Kazakhstan, and Ukraine who allegedly ran this massive online advertising scheme.
The 3ve botnet scheme deployed different tactics, such as creating their own botnets, creating fake versions of both websites and visitors, selling fraudulent ad inventory to advertisers, hijacking Border Gateway Protocol (BGP) IP addresses, using proxies to hide real IP addresses, and infecting users PCs with malware—all to create or generate fake clicks over online ads and get paid.
“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users,” WhiteOps researchers said.
3ve involved 1.7 million computers infected with malware, over 80
servers in generating fake internet traffic, more than 10,000
counterfeit websites to impersonate legitimate web publishers, and over
60,000 accounts selling ad inventory via more than one million
compromised IP addresses to generate 3 to 12 billion of daily ad bid
requests at its peak.
3ve Ad Fraud Operation – Types and Working
According to Google and multiple cybersecurity firms, the ad-fraud
scheme has been named 3ve because it relies on a set of three distinct
sub-operations, “each taking unique measures to avoid detection, and
each built around different architectures using different components.”
“Its operators constantly adopted new ways to disguise 3ve’s bots, allowing the operation to continue growing even after their traffic was blacklisted. Whenever they were blocked off in one place, they’d reappear somewhere else,” Google said.
Here’s a brief overview of all three 3ve operations:
3VE.1—The BOAXXE Malware Scheme, aka METHBOT or MIUREF
The first 3ve’s three ad fraud sub-operations, called 3ve.1 for the sake
of clarity, was powered by a network of bots operating in data centers
across the US and Europe.
This operation used the Boaxxe botnet, also known as Miuref and
Methbot, and BGP hijacking to obtain IP addresses used for proxying the
traffic from the infected devices in the data centers and visit fake and
real web pages.
Initially, all the fake ad requests originated from desktop browsers, but over time, this operation increasingly started relying on spoofed mobile traffic from Android devices—ad-requests spoofed to look like they came either from mobile apps or from mobile browsers.
Between September 2014 and December 2016, this scheme used 1,900 computer servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites, generating millions of dollars in profit for its operators.
3VE.2—The KOVTER Malware Scheme
This approach used counterfeit domains to sell fake ad inventory to
advertisers. However, instead of relying on proxies to hide its
activities, this approach deployed a hidden, custom browsing agent
(Chromium Embedded Framework) on more than 700,000 computers infected
with the Kovter malware.
This scheme made use of redirection servers that instructed the infected computers to visit specific fake web pages.
Detected by ESET in 2014, Kovter was initially a piece of ransomware, but the family has evolved since then to become ad fraud malware with its ability to send fake traffic if it detects a network monitor, terminate its own spawned process if Windows Task Manager is started, use so-called “fileless” persistence by storing its malicious payload encrypted in the Windows registry, and more.
3VE.3—Data Centers IPs as Proxies
The third 3ve-associated sub-operation was similar to 3ve.1. Its bots
were based in a few data centers, but in order to cover its tracks, it
used the IP addresses of other data centers as proxies (exit node layer)
instead of residential computers.
Although data centers are far more suspicious to advertisers who are worried about bot traffic, 3ve.3 strategy still allowed a reasonable degree of agility by helping its operators find new data centers as soon as old data centers were blocked.
Authorities Take Down “3ve” Ad Fraud Operation
Google uncovered the 3ve operations last year while its companies were
assessing the impact of the Methbot operation, an underground ad fraud
enterprise that White Ops revealed in 2016, which ESET named as the Boaxxe botnet.
However, after 3ve’s activity grew in 2017, generating billions of daily
ad bid requests, Google collaborated with other security companies who
were independently investigating this prominent ad-fraud operation to
take down the entire 3ve network.
Google and other security firms worked with the FBI to shut down the massive ad-fraud operation. After obtaining warrants last month, the FBI seized 31 internet domains and 89 servers that were all part of the 3ve infrastructure.
Cybersecurity companies in the private sector also helped blacklist the 3ve infrastructure engaged in the ad-fraud scheme and sinkhole the traffic to the bad domains.
8 People Charged Over Multimillion-Dollar Ad Fraud Scheme
On Tuesday, the U.S. Justice Department indicted eight people allegedly
involved in the infamous 3ve online advertising scams, which included
five Russian nationals, one person from Russia and Ukraine, and two
people from Kazakhstan. Three of them have already been arrested.
- Aleksandr Zhukov (38, Russian Federation) [arrested from Bulgaria]
- Boris Timokhin (39, Russian Federation) [arrested from Estonia]
- Mikhail Andreev (34, Russian Federation and Ukraine)
- Denis Avdeev (40, Russian Federation)
- Dmitry Novikov (Russian Federation)
- Sergey Ovsyannikov (30, Republic of Kazakhstan) [arrested from Malaysia]
- Aleksandr Isaev (31, Republic of Kazakhstan)
- Yevgeniy Timchenko (30, Republic of Kazakhstan)
“The Office also extends its appreciation to Microsoft Corporation, ESET, Trend Micro Inc., Symantec Corporation, CenturyLink, Inc, F-Secure Corporation, Malwarebytes, MediaMath, the National Cyber-Forensics and Training Alliance and The Shadowserver Foundation for their assistance in the botnet takedown,” DOJ said.
The defendants are charged with 13 counts of criminal violations, including wire fraud, aggravated identity theft, money laundering, and conspiracy to commit computer intrusion, among other offenses