Yesterday, the Department of Justice charged eight men for their alleged involvement in a massive ad fraud that caused losses of tens of millions of dollars. A 13-count indictment was unsealed in the federal court in Brooklyn against these men. These charges included wire fraud, computer intrusion, aggravated identity theft, and money laundering, among others. They used two mechanisms for conducting this fraud: datacenter-based (Methbot) and botnet-based scheme (3ve).
The accused eight men were Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko. According to the DOJ announcement, three of the men have been arrested and are awaiting extradition to the United States.
How this ad fraud was conducted?
Revenue generated by digital advertising depends on how many users click or view the ads on websites. The perpetrators faked both the users and the webpages. The fraudsters, with the help of an automated program, loaded advertisements on fake web pages, in order to generate advertising revenue. The Department of Justice, on their website listed two schemes through which the accused were able to do this ad fraud:
According to the indictment, in the period September 2014 to December 2016, the fraudsters operated an advertising network called Ad Network #1. This network had business arrangements with other advertising networks through which it received payments in return for placing advertising placeholder or ad tags on websites.
Instead of placing these ad tags on legitimate publishers’ websites, Ad Network #1 rented more than 1,900 computer servers housed in commercial datacenters. With these datacenter servers, they loaded ads on fabricated websites, and spoofed more than 5,000 domains. To make this look like that a real user has viewed or clicked on the advertisement, they simulated the normal activities a real internet user does.
In addition to this, they also leased more than 650,000 IP addresses and assigned multiple IP addresses to each datacenter server. These IP addresses were then registered fraudulently to make it appear that the datacenter servers were residential computers belonging to individual human internet users. Through this scheme, Ad Network #1 was able to generate billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users.
The indictment further reveals that between December 2015 and October 2018, Ovsyannikov, Timchenko, and Isaev started another advertising network called Ad Network #2. In this scheme, they used a global botnet network of malware-infected computers. The three fraudsters developed an intricate infrastructure of command-and-control servers to direct and monitor the infected computers.
This infrastructure enabled the fraudsters to access more than 1.7 million infected computers, belonging to ordinary individuals and businesses in the United States and elsewhere. They used hidden browsers on those infected computers to download fabricated webpages and load ads onto those fabricated webpages. Through this scheme, Ad Network #2 caused businesses to pay more than $29 million for ads.
This is one of the most complex and sophisticated ad frauds popularly named as 3ve (pronounced “Eve”). U.S law enforcement authorities with various private sector companies including White Ops and Google began the process of dismantling this criminal cyber infrastructure utilized in the botnet-based scheme.
3ve infected computers with malicious software known as Kovter. As a part of the investigation, FBI also discovered an additional cybercrime infrastructure committing digital advertising fraud called Boaxxe. This infrastructure used datacenter servers located in Germany and a botnet of computers in the United States infected.
Google and White Ops investigators also realized that this is not a simple botnet seeing its evading efforts to filter and contain its traffic. Scott Spencer, a Google product manager told Buzzfeed:
“The thing that was really different here was the number of techniques that they used, their ability to quickly respond when they thought they were being detected, and to evolve the mechanisms they were using in real time. We would start to filter traffic and we’d see them change things, and then we’d filter a different way and then they’d change things.”
The United States Computer Emergency Readiness Tea (US-CERT) has published an alert which highlights the 3ve’s botnet behavior and how it interacts with Boaxxe and Kovter botnets. It also lists some measures to avoid getting affected by these malwares.
To know more details about this case, check out the announcement by the Department of Justice.