The FBI, Google, and 20 technology industry partners have collaborated to remove the network of giant cyber-criminals involved in producing the appearance of fake advertisements and clicks that have been used to deceive ad networks and advertisers over the past four years and make millions of revenue forbidden for perpetrators of the scheme.
In addition to coordinated intervention to bring down several criminal scheme botnets, the US Department of Justice also announced a 13-count indictment of eight suspects suspected of being behind the operation, three of whom have been detained and awaiting extradition to the United States.
3ve advertising fraud scheme
According to DOJ and white paper charges released by Google and cyber White Ops security companies, the eight suspects are believed to be the main operators of advertising fraud schemes guarded by the cyber security industry and advertising since last year under the code name "3ve," and believed has been active since at least 2014.
Researchers say that over time 3ve operators use different schemes to produce the appearance of ads and clicks, relying on many tricks, such as hiring other cybercrime botnets, creating their own botnets hosted in commercial data centers, hijacking IP address blocks, using proxies to hide the actual IP address, and even create their own website where they display advertisements, to ensure that the bot loads ads to load and click.
Based on past observations or practices, Google and industry partners have organized 3ve operations in three subgroups, each with their own specifications.
3ve.1 – you are MethBot, Miuref, or Boaxxe
The first of these schemes, 3ve.1, was detailed in a previous report, although, at the time of its discovery, it was not yet known that it was only a small component of a larger operation.
Originally identified as MethBot (the term WhiteOps) in the first report, but also tracked as Miuref (Symantec term) or Boaxxe botnet (term ESET), 3ve.1 operations are supported by a bot network, all operating in some data centered in the US and Europe.
This bot is a simple script that runs on a data center server, which opens thousands of automatic web browsers that use a proxy server to disguise the server's IP address and then load the desired website.
In the 3ve.1 scheme, criminals make money by running fake ad networks that receive payments from ad networks or other advertisers when they display advertisements on real websites.
According to the FBI, 3ve groups use more than 1,900 servers stored in commercial data centers to host MethBot / Miuref / Boaxxe bots which will contain one of 5,000 fake websites, which will load advertisements from advertisers, generating profits for the 3ve gang.
Bots are configured to mimic desktop and cellular traffic, and in some cases also click on ads, to cheat real user traffic and generate more revenue for 3ve gangs.
Researchers say that when ad networks begin to detect group campaigns, the 3ve.1 subgroup starts hijacking blocks of corporate and residential IP addresses, which are temporarily assigned to data center servers and proxies to cover their operations.
3ve.2 – Kovter's scheme
But when the advertising network began to include a blacklist of IP addresses associated with operation 3. 1, criminals also diversified their schemes by renting "installation space" offered by the Kovter malware botnet operator.
Researchers say gang 3ve spreads special bots on more than 700,000 computers infected with Kovter malware; bots that open hidden browser windows to load websites operated by gang 3ve, generate profits in the same way as subgroup 3ve.1, but use a PC infected with malware, not bots hosted by the data center.
3ve.3 –3ve.1, with a twist
The third scheme is almost identical to the first, with two main differences. The first is that criminals use smaller amounts of bot data centers, and second, 3ve operators rent other data center servers to use as proxies, rather than hijacking IP addresses from residential networks.
"Although it is easier to detect, this approach allows them to do advertising fraud more efficiently – data centers can offer greater bandwidth than hundreds of thousands of home computers," Google said in a report.
In today's blog post, Google revealed that it became aware of capabilities and full operations 3ve last year, and along with the progress of its investigation, became aware that other advertising platforms and cyber security companies also saw the same operation. Google said it was forming a working group with several industry partners to coordinate the elimination of all 3ve networks.
Some of the biggest infosec industry players and advertisements were invited, such as Microsoft, ESET, Symantec, Proofpoint, Trend Micro, F-Secure, Malwarebytes, CenturyLink, MediaMath, White Ops, Amazon, Adobe, Trade Tables, Oaths, Shadowserver Foundation, and Forensic Alliance- Cyber and National Forensics.
DOJ charges, arrests, and 3ve deletions
Law enforcement was also invited, which resulted in today's DOJ indictment, calling on six Russians and two from Kazakhstan as the main 3ve operators.
The eighth names of the initial suspects are Aleksandr Zhukov (38, Russia), Boris Timokhin (39, Russia), Mikhail Andreev (34, Russia), Denis Avdeev (40, Russia), Dmitry Novikov (??, Russia), Sergey Ovsyannikov (30, Kazakhstan), Aleksandr Isaev (31, Russia), and Yevgeniy Timchenko (30, Kazakhstan).
Three have been arrested on US orders. Zhukov was arrested earlier this month in Bulgaria, Timchenko in Estonia, and Ovsyannikov in Malaysia (last month). The remaining defendants are generally, according to US officials, and international arrest warrants have been issued on their behalf.
But in addition to arrest, the FBI also obtained a seizure warrant authorizing its investigators to control 31 internet domains and 89 servers that have been used to manage 3ve infrastructure.
According to the Google chart that was distributed today, the impact on requests for placement of fake ads was immediately reduced when the FBI and other cyber security companies began to blacklist and sink 3ve infrastructure.
Google said that at its peak, 3ve operations generated more than three billion daily advertising demand frauds, employed more than 60,000 accounts selling fake advertising inventory, operated more than 10,000 fake websites for the sole purpose of displaying ads, running more than 1,000 data center servers, and mastered more than one million IP addresses to hide various 3ve bots.
Although Google has not yet posted an official number, financial damage to advertisers is believed to be in the range of millions of US dollars.