A collection of cybersecurity companies, Google, and the Feds are sharing details about how they uncovered and dismantled a massive ad-fraud operation known as "3ve" (pronounced "Eve").
Google says that at its peak, the 3ve scam employed almost two million hijacked devices to generate fake clicks on adverts, and earned its operators hefty payouts from duped advertising networks. The idea was that 3ve's operators would create massive networks of fake websites that would take bids from ad networks, and then steer the infected machines to those sites to rack up ad sales.
"3ve operated on a massive scale: At its peak, it controlled over one million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland)," Google said in its summary of the operation this week.
"It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right. Soon after we started to identify the massive infrastructure (consisting of thousands of servers across many data centers) used to host 3ve's operation, we found similar activity happening in a network of malware-infected residential computers."
Google says that the 3ve network started as a small botnet operation, which was first detected back in 2016. Over the next year, the scam grew much larger and its operators started using a number of complex evasion techniques to avoid detection by click-fraud systems. The operators used a pair of Windows-targeting malware packages, Boaxxe and Kovter, to infect victims' PCs.
Boaxxe, aka Miuref, and Kovter were spread by booby-trapped email attachments and drive-by downloads, effectively tricking people into installing them. BGP hijacking was also used in the caper to ultimately control, in just one 10-day sample, 1.7 million IP addresses, which were used to fire off what looked like legitimate ad requests and clicks.
The above link goes to more technical details, including signs of infection to look out for.
Assembling the A Team
In 2017, Google said it called in additional help from antimalware vendors. Proofpoint and Malwarebytes were brought in to help identify the malware 3ve was using to enroll newly commandeered Windows PCs into its ranks. The malware would only install on systems that did not run security software, and would only execute the ad-fraud activity if the machine's IP address was located in a certain region with a specific ISP.
This allowed the network to evade detection and grow to a massive scale, at its peak viewing and clicking anywhere from three to 12 billion ads per day.
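The article describes a botnet that mimicked legitimate ad requests and clicks from hijacked residential and corporate address space. As an added example (not Google's, Proofpoint's or Malwarebytes' tooling, and not taken from the original piece), the script below shows the kind of first-pass heuristic an ad network or publisher could run over its own click logs: it scores each source IP on click volume, the number of distinct sites clicked, and how machine-regular the gaps between clicks are. The log format, the sample lines, and the thresholds are all constructed for the example.

```python
"""Heuristic scoring of ad-click sources for bot-like behaviour.

Added example: not the tooling used in the 3ve investigation. The log
format, sample lines and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "ISO-timestamp,source_ip,site,event".
# 203.0.113.7 clicks four different sites every five seconds on the dot;
# 198.51.100.9 clicks a few times at irregular intervals; 192.0.2.44 only views.
SAMPLE_LOG = """\
2018-11-20T10:00:00,203.0.113.7,news-a.example,click
2018-11-20T10:00:05,203.0.113.7,news-b.example,click
2018-11-20T10:00:10,203.0.113.7,shop-c.example,click
2018-11-20T10:00:15,203.0.113.7,blog-d.example,click
2018-11-20T10:00:20,203.0.113.7,news-a.example,click
2018-11-20T10:00:25,203.0.113.7,shop-c.example,click
2018-11-20T10:00:30,203.0.113.7,blog-d.example,click
2018-11-20T10:00:35,203.0.113.7,news-b.example,click
2018-11-20T10:00:02,198.51.100.9,news-a.example,click
2018-11-20T10:07:41,198.51.100.9,news-a.example,click
2018-11-20T10:23:10,198.51.100.9,shop-c.example,click
2018-11-20T10:00:01,192.0.2.44,blog-d.example,view
"""


def parse_log(text):
    """Parse the constructed CSV-style log into (timestamp, ip, site, event) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, site, event = line.split(",")
        records.append((datetime.fromisoformat(ts), ip, site, event))
    return records


def source_stats(records):
    """Per-IP click count, distinct sites clicked, and timing regularity.

    Regularity is the coefficient of variation (std dev / mean) of the gaps
    between consecutive clicks; a value near 0 means metronomic timing.
    """
    clicks = defaultdict(list)
    sites = defaultdict(set)
    for ts, ip, site, event in records:
        if event != "click":
            continue
        clicks[ip].append(ts)
        sites[ip].add(site)
    stats = {}
    for ip, times in clicks.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and mean(gaps) > 0:
            gap_cv = pstdev(gaps) / mean(gaps)
        else:
            gap_cv = None  # too few clicks to judge timing
        stats[ip] = {"clicks": len(times), "sites": len(sites[ip]), "gap_cv": gap_cv}
    return stats


def flag_sources(stats, min_clicks=5, min_sites=3, max_cv=0.1):
    """Return the IPs that click often, across many sites, at near-constant intervals."""
    flagged = set()
    for ip, s in stats.items():
        if (s["clicks"] >= min_clicks and s["sites"] >= min_sites
                and s["gap_cv"] is not None and s["gap_cv"] <= max_cv):
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    stats = source_stats(parse_log(SAMPLE_LOG))
    for ip, s in sorted(stats.items()):
        print(ip, s)
    print("flagged:", sorted(flag_sources(stats)))
```

On real traffic, a single regular-timing rule is easy for an operator to defeat by jittering, so this score would be one input among many (IP reputation for hijacked prefixes, browser fingerprint consistency, conversion rates per publisher) rather than a verdict on its own; the thresholds here are illustrative and would need tuning against a baseline of known-good traffic.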
"3ve's sheer size and complexity posed a significant risk not just to individual advertisers and publishers, but to the entire advertising ecosystem," Google said.
"We had to keep the operation down for good, which called for greater, more calculated measures, so it was critical that we played the long game, endeavoring to have a more permanent and more powerful impact on this and future ad fraud operations."
To shut down the operation, Google said it formed a working group of 16 organizations, including security vendors and law enforcement outfits such as the US Department of Homeland Security and the FBI's Internet Crime Complaint Center.
The takedown of the network, says Google, was swift and severe. After spending several months observing the operators, the group launched a sweeping shutdown operation that caused the network traffic to almost flatline over the span of 18 hours (Google would not say exactly when this happened).
Now, the Chocolate Factory says it wants to create and maintain standards for both security vendors and ad networks to guard against fraud operations, and to educate advertisers and publishers alike about fraud.
Meanwhile, the DHS and FBI are advising anyone who thinks their systems may be infected with 3ve's malware to report the matter to the FBI's IC3 website. ®
Stop press … US prosecutors today charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with their alleged involvement in the 3ve racket.
We're told Ovsyannikov, 30, was cuffed last month in Malaysia, Zhukov, 38, was collared earlier this month in Bulgaria, and Timchenko, 30, was nabbed earlier this month in Estonia. They are awaiting extradition to America. The rest are at large.
They are charged with wire fraud, computer intrusion, aggravated identity theft and money laundering.