Dismantling of "3ve", a hacker gang with highly sophisticated techniques
Google, White Ops and a dozen other digital players assisted the FBI in dismantling a huge advertising fraud that is alleged to have generated more than $36 million in revenue between 2014 and 2018. Eight people of Russian and Kazakh origin have been charged by the US Department of Justice. Three of them have already been arrested and are awaiting extradition to the United States; they are currently held in prisons in Malaysia, Estonia and Bulgaria. The others are still at large.

Called "3ve", this advertising fraud operation stands out for its size and complexity. In a white paper, Google and White Ops explain that the hackers used a multitude of techniques and infrastructures to keep increasing their revenue while staying under the advertising industry's radar. They relied on three main tactics.

Three different sub-operations

The first, called 3ve.1, consisted of creating thousands of browser instances in one or more data centers to simulate the actions of Internet users (logging in to social networks, watching videos, etc.) and to generate clicks on advertisements, on both real and fake sites. To cover their tracks, the hackers masked the origin of this traffic by routing it through zombie machines turned into proxies for the occasion: private or business computers infected with the Miuref malware, also known as Boaxxe. Another way of hiding the origin was to falsify BGP routing tables (BGP hijacking), a well-known technique for diverting Internet traffic.

The second tactic is called 3ve.2. Here again, the aim was to create browsing sessions and generate clicks on ads embedded in fake websites. But this time the sessions were not generated on servers but directly on zombie machines enlisted by the Kovter malware. The size of this botnet has been estimated at over 700,000 machines.

Finally, the third tactic, 3ve.3, is a variation of the first. Browsing sessions were created on servers, but the origin was not hidden behind a network of zombie machines. This time the hackers routed requests through other data centers. That is less discreet, but it provides far more bandwidth and therefore allows a much larger volume of fake advertising traffic. According to the FBI, the hackers relied on a pool of more than 650,000 IP addresses that they had allocated across the various data centers used.
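A defender-side illustration of the two traffic shapes described above (3ve.3 clicks arriving straight from hosting space, and 3ve.1 bot sessions funnelled through infected home machines), as an added example that is not from the white paper or the original article: it classifies constructed click-log records against a hypothetical IP-to-ASN table and flags sources by origin type and sessions-per-IP. The prefixes, ASNs, threshold and log format are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Hypothetical IP-to-ASN table; a real pipeline would use an ASN feed.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), ("AS64500", "hosting")),
    (ip_network("198.51.100.0/24"), ("AS64501", "residential")),
]

# Constructed ad-click log: one "timestamp,ip,session_id,url" record per line.
SAMPLE_LOG = """\
1700000000,203.0.113.10,s1,https://example.com/ad
1700000002,198.51.100.7,s3,https://example.com/ad
1700000003,198.51.100.7,s4,https://example.com/ad
1700000004,198.51.100.7,s5,https://example.com/ad
1700000005,198.51.100.7,s6,https://example.com/ad
1700000006,192.0.2.44,s7,https://example.com/ad
"""

def lookup_asn(ip):
    """Return (asn, network_type) for an IP, or ("unknown", "unknown")."""
    addr = ip_address(ip)
    for net, info in ASN_TABLE:
        if addr in net:
            return info
    return ("unknown", "unknown")

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, session, url = line.split(",")
            rows.append((int(ts), ip, session, url))
    return rows

def flag_sources(rows, max_sessions_per_ip=3):
    """Map suspicious IPs to (asn, reasons); unflagged IPs are omitted."""
    sessions = defaultdict(set)
    for _ts, ip, session, _url in rows:
        sessions[ip].add(session)
    flagged = {}
    for ip, seen in sessions.items():
        asn, kind = lookup_asn(ip)
        reasons = []
        if kind == "hosting":  # 3ve.3: browsers driven straight from a data center
            reasons.append("datacenter-origin")
        if len(seen) > max_sessions_per_ip:  # 3ve.1: bot sessions via one proxied home IP
            reasons.append("many-sessions")
        if reasons:
            flagged[ip] = (asn, reasons)
    return flagged
```

In production the session threshold would be tuned per network type, and the ASN feed would be the real signal; the logic here only shows how the two origin patterns separate.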

All of this infrastructure has now been neutralized. With the help of technical partners, law enforcement disabled the key elements of this machinery. During the operation they seized 23 domain names and 89 servers from 11 hosting providers. 3ve traffic collapsed almost instantly.
