The FBI dismantles a gigantic advertising fraud scheme applied to more than one million PIs




The FBI, Google and 20 technology industry partners collaborated to take down a giant cybercrime network that, for four years, generated fake ad views and clicks to defraud advertising networks and advertisers, earning the scheme's operators millions in illicit income.

In addition to a coordinated effort to dismantle many of the botnets behind the scheme, the US Department of Justice has also announced the indictment of 13 suspects said to be behind the operation, three of whom have already been arrested and are awaiting extradition to the United States.

The 3ve ad fraud scheme

According to a DOJ indictment and a white paper published by Google and the cybersecurity firm White Ops, the eight suspects are alleged to be the main perpetrators of an ad fraud scheme that the cybersecurity and advertising sector has been tracking since last year under the code name "3ve", and which is believed to have been active since at least 2014.

Investigators said that over time, the 3ve operators used different systems to generate ad views and clicks, resorting to many tricks: renting access to other cybercrime botnets, building their own botnets on servers in commercial data centers, hijacking blocks of IP addresses, using proxy servers to hide real IP addresses, and even creating their own websites to display ads on, so that the bots always had ads to load and click.

Based on observed past practices, Google and its industry partners have divided 3ve's operations into three subgroups, each with its own characteristics.

[Figure: overview of the 3ve operations. Image: Google, White Ops]

3ve.1 – aka MethBot, Miuref or Boaxxe

The first part of this scheme, 3ve.1, has already been detailed in previous reports, although at the time of its discovery, it was not yet known to be only a small part of a larger operation.

Originally identified as MethBot (White Ops' term) in the first reports, but also as the Miuref (Symantec's term) or Boaxxe (ESET's term) botnet, the 3ve.1 operation was powered by a network of bots, all running in data centers in the United States and Europe.

These bots were simple scripts run on data center servers, opening thousands of automated web browsers that used a proxy server to conceal the server's IP address and then loaded the desired website.

In the 3ve.1 scheme, the scammers made money by operating fake ad networks that received payments from other ad networks or advertisers for supposedly displaying ads on real websites.

According to the FBI, the 3ve group used more than 1,900 servers hosted in commercial data centers to run the MethBot/Miuref/Boaxxe bots, which would load one of 5,000 counterfeit websites that in turn loaded advertisers' ads, generating profits for the 3ve gang.

The bots were configured to mimic both desktop and mobile traffic, and in some cases they also clicked on ads to imitate real user traffic and generate even more revenue for the 3ve gang.

Investigators said that when ad networks started detecting the group's campaign, the 3ve.1 subgroup began hijacking blocks of corporate and residential IP addresses, which it temporarily assigned to its data center servers and proxies to hide its operations.
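The detection signals implied by the paragraphs above (impressions originating from hosting providers, abnormal per-IP volume, and "publisher" sites that are only ever visited by bots) can be checked against ad-request logs. The following is an added example, not code from Google, White Ops or the indictment; the hosting-provider ranges, the volume threshold, the log format and every log line are constructed for illustration and use RFC 5737 documentation prefixes rather than any real 3ve infrastructure.

```python
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed list of hosting-provider ranges a defender might maintain
# (RFC 5737 documentation prefixes; not real 3ve infrastructure).
DATACENTER_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Impressions per client IP at or above which traffic is treated as automated.
# Threshold chosen for this constructed sample; tune against a real baseline.
VOLUME_THRESHOLD = 4

# Constructed ad-request log: "<timestamp> <client_ip> <publisher_domain> <user_agent>".
SAMPLE_LOG = """\
2018-11-28T10:00:01Z 203.0.113.10 sports-daily.example Mozilla/5.0 (Windows NT 10.0) Chrome/70
2018-11-28T10:00:02Z 203.0.113.10 sports-daily.example Mozilla/5.0 (Windows NT 10.0) Chrome/70
2018-11-28T10:00:03Z 203.0.113.10 sports-daily.example Mozilla/5.0 (Windows NT 10.0) Chrome/70
2018-11-28T10:00:04Z 203.0.113.10 sports-daily.example Mozilla/5.0 (Windows NT 10.0) Chrome/70
2018-11-28T10:00:05Z 198.51.100.7 sports-daily.example Mozilla/5.0 (iPhone; CPU iPhone OS 12_0) Safari/605
2018-11-28T10:00:06Z 198.51.100.7 sports-daily.example Mozilla/5.0 (iPhone; CPU iPhone OS 12_0) Safari/605
2018-11-28T10:00:07Z 192.0.2.44 recipes-hub.example Mozilla/5.0 (Windows NT 10.0) Chrome/70
2018-11-28T10:00:08Z 192.0.2.45 recipes-hub.example Mozilla/5.0 (Macintosh) Safari/605
2018-11-28T10:00:09Z 192.0.2.46 recipes-hub.example Mozilla/5.0 (Android 9) Chrome/70
2018-11-28T10:00:10Z 192.0.2.46 recipes-hub.example Mozilla/5.0 (Android 9) Chrome/70
2018-11-28T10:00:11Z 192.0.2.46 recipes-hub.example Mozilla/5.0 (Android 9) Chrome/70
2018-11-28T10:00:12Z 192.0.2.46 recipes-hub.example Mozilla/5.0 (Android 9) Chrome/70
2018-11-28T10:00:13Z 192.0.2.46 recipes-hub.example Mozilla/5.0 (Android 9) Chrome/70
"""


@dataclass(frozen=True)
class AdRequest:
    ts: str
    ip: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    publisher: str
    user_agent: str


def parse_log(text: str) -> list[AdRequest]:
    """Parse the constructed log format; the user agent may contain spaces, so split at most 3 times."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, publisher, ua = line.split(maxsplit=3)
        records.append(AdRequest(ts, ipaddress.ip_address(ip), publisher, ua))
    return records


def in_datacenter(ip) -> bool:
    """True when the client address falls inside a known hosting-provider range."""
    return any(ip in net for net in DATACENTER_RANGES)


def flag_ips(records: list[AdRequest]) -> dict[str, list[str]]:
    """Return {ip: sorted reasons} for every client IP that trips at least one signal."""
    volume = Counter(str(r.ip) for r in records)
    flags: dict[str, set[str]] = defaultdict(set)
    for r in records:
        ip = str(r.ip)
        if in_datacenter(r.ip):
            flags[ip].add("datacenter_origin")
        if volume[ip] >= VOLUME_THRESHOLD:
            flags[ip].add("high_volume")
    return {ip: sorted(reasons) for ip, reasons in flags.items()}


def suspicious_publishers(records: list[AdRequest], flags: dict[str, list[str]],
                          min_fraction: float = 0.9) -> list[str]:
    """Publishers whose impressions come almost entirely from flagged IPs: the pattern of a
    counterfeit site that exists only so bots have ads to load."""
    total = Counter(r.publisher for r in records)
    flagged = Counter(r.publisher for r in records if str(r.ip) in flags)
    return sorted(d for d in total if flagged[d] / total[d] >= min_fraction)


def analyze(text: str) -> dict:
    records = parse_log(text)
    flags = flag_ips(records)
    return {"flagged_ips": flags, "suspicious_publishers": suspicious_publishers(records, flags)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed sample, the data-center IP with repeated impressions is flagged on both signals, the second data-center IP only on origin, the residential IP with five impressions only on volume, and `sports-daily.example` is reported as suspicious because every impression it recorded came from a flagged address. Real deployments replace the range list with a maintained hosting/ASN feed and set the volume threshold from an observed baseline; the hijacked-residential-IP tactic described above is precisely why origin alone is an insufficient signal and the per-IP and per-publisher checks are kept alongside it.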

[Figure: the 3ve.1 operation. Image: Google, White Ops]

3ve.2 – the Kovter scheme

But when ad networks began blacklisting the IP addresses associated with 3ve.1 operations, the scammers also diversified their system by renting "install space" offered by the operators of the Kovter malware botnet.

Investigators said the 3ve group deployed a custom bot on more than 700,000 computers infected with Kovter malware; the bot opened hidden browser windows to load the 3ve gang's websites, generating profits in the same way as subgroup 3ve.1, but using malware-infected PCs instead of bots hosted in a data center.

[Figure: the 3ve.2 operation. Image: Google, White Ops]

3ve.3 – 3ve.1, with a twist

The third scheme was almost identical to the first, with two main differences. The first was that the crooks used a much smaller number of data center bots, and the second was that the 3ve operators rented other data center servers for use as proxies instead of hijacking residential IP address ranges.

"Although easier to detect, this approach has allowed them to commit advertising fraud more efficiently. Data centers can offer greater bandwidth than hundreds of thousands of home computers," Google said in its report.

[Figure: the 3ve.3 operation. Image: Google, White Ops]

In a post published today on its blog, Google revealed that it had learned the full extent of 3ve's capabilities and operations last year. In the course of its investigation, it also learned that other advertising platforms and cybersecurity companies were looking into the same operation. Google announced the creation of a working group with several industry partners to coordinate the takedown of the entire 3ve network.

Some of the biggest players in the advertising and information security industries were invited, including Microsoft, ESET, Symantec, Proofpoint, Trend Micro, F-Secure, Malwarebytes, CenturyLink, MediaMath, White Ops, Amazon, Adobe, Trade Desk, Oath, The Shadowserver Foundation, and the National Alliance for Cybercrime and Training.

Charges, arrests and the dismantling of the 3ve network

Law enforcement was also brought in, which resulted in today's DOJ indictment naming six Russian nationals and two Kazakhstan nationals as the main operators.

The first eight suspects named are Aleksandr Zhukov (38, Russia), Boris Timokhin (39, Russia), Mikhail Andreev (34, Russia), Denis Avdeev (40, Russia), Dmitry Novikov (??, Russia), Sergey Ovsyannikov (30, Kazakhstan), Aleksandr Isaev (31, Russia) and Yevgeniy Timchenko (30, Kazakhstan).

Three have already been apprehended at the request of the United States: Zhukov was arrested earlier this month in Bulgaria, Timchenko in Estonia, and Ovsyannikov in Malaysia (last month). According to US officials, the other defendants are at large and international arrest warrants have been issued in their names.

In addition to the arrests, the FBI also obtained seizure warrants allowing its investigators to take control of 31 internet domains and 89 servers used to manage the 3ve infrastructure.

According to a chart shared today by Google, the volume of fraudulent ad placement requests dropped immediately once the FBI and the participating cybersecurity companies began blacklisting the 3ve servers and taking down its infrastructure.

[Figure: chart of fraudulent request volume around the 3ve takedown. Image: Google]

According to Google, at its peak the 3ve operation generated more than three billion fraudulent bid requests per day, used more than 60,000 accounts selling fraudulent ad inventory, operated more than 10,000 counterfeit websites for the sole purpose of serving ads, managed more than 1,000 data center servers and controlled over a million IP addresses to hide its various bots.

Although Google has not published an official figure, the financial damage to advertisers is believed to run into millions of US dollars.
