With a heavy assist from private-sector cybersecurity and tech organizations, the FBI has dismantled a highly complex fraud network responsible for generating billions upon billions of fake online ad placements.
In conjunction with the takedown, the U.S. Department of Justice yesterday announced a 13-count indictment filed against eight individuals, each a resident of either Russia, Ukraine or Kazakhstan. Charges include wire fraud, money laundering conspiracy, aggravated identity theft, and conspiracy to commit computer intrusions.
Collectively known as 3ve (pronounced "Eve"), the cybercriminal operation had fraudulently earned at least $36 million in ad view revenues since 2014, largely with the help of global botnets composed of machines infected with either Kovter or Boaxxe/Miuref malware. (A US-CERT technical analysis of the malware programs is available here.)
At its peak, 3ve was responsible for 3 billion daily ad bid requests and 700,000 active botnet infections, according to a report from Google and White Ops, the founding two members of a cyber coalition that secretly investigated 3ve and shared its findings with U.S. law enforcement. Throughout its existence, the ad fraud operation counterfeited over 10,000 websites, the report continued.
Charged in Brooklyn federal court, the defendants were identified as Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko. All within the past month, Ovsyannikov, Zhukov and Timchenko were arrested in Malaysia, Bulgaria and Estonia, respectively. They await extradition, while the other five alleged perpetrators remain at large.
The official federal indictment cites two distinct schemes that have been linked through tactics, shared infrastructure, and the alleged activities of one of the defendants. However, the DOJ press release and Google/White Ops report also allude to a third sub-operation that is not mentioned in the indictment.
The first of these schemes, referred to as the Methbot campaign, took place between September 2014 and December 2016, and allegedly involved Zhukov, Timokhin, Andreev, Avdeev and Novikov, with the assistance of Ovsyannikov. The DOJ has accused these individuals of entering into fraudulent business deals with legitimate ad networks, offering to help them place their ad tags on publishers' websites.
In reality, however, the defendants rented out nearly 2,000 computer servers from commercial datacenters and used them to load the ad tags onto fake, blank webpages located on spoofed domains. "In this way, the Methbot defendants fabricated (or 'spoofed') more than 250,000 webpages distributed across more than 5,000 domains associated with online publishers, including the domains of thousands of businesses in the United States and multiple businesses in the Eastern District of New York," the indictment states.
In order to appear genuine, the defendants allegedly used an automated program to simulate human traffic activity on those phony pages, including mouse movements, scrolling, and interacting with video players. Additionally, they are accused of leasing out more than 650,000 IP addresses, assigning them to the datacenter servers, and then fraudulently registering those IP addresses to make them look like they were individual home computers.
The second campaign mentioned in the indictment, referred to as 3ve.2, took place between December 2015 and October 2018 and allegedly involved Ovsyannikov, Timchenko and Isaac. In this instance, the defendants used malvertising to infect users with the Kovter botnet, and then commanded these compromised machines to browse and download fake webpages, as well as load ads onto them.
The DOJ said that roughly 1.7 million computers were infected by Kovter, while the Google/White Ops report put the figure at closer to 700,000 computers and IP addresses.
To execute its takedown of Kovter, the FBI seized and then sinkholed 23 internet domains, while executing search warrants for what turned out to be 89 malicious servers located at 11 different U.S. server providers. International bank accounts were seized as well.
It was this law enforcement action that revealed additional ad fraud activity involving datacenter servers in Germany, as well as and a botnet of computers infected with the Boaxxe/Miuref botnet malware. "The FBI executed seizure warrants to sinkhole eight domains used to further this scheme and thereby disrupt yet another botnet engaged in digital advertising fraud," the DOJ stated.
This account appears to gibe with the Google/White Ops report, which notes how 3ve actors would use a combination of Boaxxe botnet malware and Border Gateway Protocol (BGP) hijacking techniques to steal IP addresses and use them as proxies to make it appear that ad requests were coming from legit homes and businesses.
"The hackers essentially seized huge swaths of corporate and residential IP space by interfering directly with the main Internet routing protocol," the report states. Google and White Ops noted that the campaign originally made it appear as if desktop browsers were generating the ad requests, before later spoofing Android-based mobile traffic instead.
Other entities and individuals credited with assisting in the takedown include Adobe, Amazon Advertising, CenturyLink, ESET, Facebook, Fox-IT, F-Secure, Malwarebytes, Matt Carothers, McAfee, MediaMath, Microsoft, the National Cyber-Forensics and Training Alliance, Oath, ProofPoint, the Shadowserver Foundation, Symantec, The Trade Desk, Trend Micro and various international law enforcement agencies.
