Google, the FBI, ad-fraud fighting company WhiteOps and a collection of cyber security companies worked together to shut down one of the largest and most sophisticated digital ad-fraud schemes that infected over 1.7 million computers to generate fake clicks used to defraud online advertisers for years and made tens of millions of dollars in revenue.
Dubbed 3ve (pronounced “Eve”), the online ad-fraud campaign is believed to have been active since at least 2014, but its fraudulent activity grew last year, turning it into a large-scale business and earning their operators more than $30 million in profit.
Meanwhile, the United States Department of Justice (DoJ) also unsealed Tuesday a 13-count indictment against 8 people from Russia, Kazakhstan, and Ukraine who allegedly ran this massive online advertising scheme.
The 3ve botnet scheme deployed different tactics, such as creating their own botnets, creating fake versions of both websites and visitors, selling fraudulent ad inventory to advertisers, hijacking Border Gateway Protocol (BGP) IP addresses, using proxies to hide real IP addresses, and infecting users PCs with malware—all to create or generate fake clicks over online ads and get paid.
“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users,” WhiteOps researchers said.
3ve involved 1.7 million computers infected with malware, over 80 servers in generating fake internet traffic, more than 10,000 counterfeit websites to impersonate legitimate web publishers, and over 60,000 accounts selling ad inventory via more than one million compromised IP addresses to generate 3 to 12 billion of daily ad bid requests at its peak.
3ve Ad Fraud Operation – Types and Working
According to Google and multiple cybersecurity firms, the ad-fraud scheme has been named 3ve because it relies on a set of three distinct sub-operations, “each taking unique measures to avoid detection, and each built around different architectures using different components.”
“Its operators constantly adopted new ways to disguise 3ve’s bots, allowing the operation to continue growing even after their traffic was blacklisted. Whenever they were blocked off in one place, they’d reappear somewhere else,” Google said.
Here’s a brief overview of all three 3ve operations:
3VE.1—The BOAXXE Malware Scheme, aka METHBOT or MIUREF
The first 3ve’s three ad fraud sub-operations, called 3ve.1 for the sake of clarity, was powered by a network of bots operating in data centers across the US and Europe.
This operation used the Boaxxe botnet, also known as Miuref and Methbot, and BGP hijacking to obtain IP addresses used for proxying the traffic from the infected devices in the data centers and visit fake and real web pages.
Initially, all the fake ad requests originated from desktop browsers, but over time, this operation increasingly started relying on spoofed mobile traffic from Android devices—ad-requests spoofed to look like they came either from mobile apps or from mobile browsers.
Between September 2014 and December 2016, this scheme used 1,900 computer servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites, generating millions of dollars in profit for its operators.
3VE.2—The KOVTER Malware Scheme
This approach used counterfeit domains to sell fake ad inventory to advertisers. However, instead of relying on proxies to hide its activities, this approach deployed a hidden, custom browsing agent (Chromium Embedded Framework) on more than 700,000 computers infected with the Kovter malware.
This scheme made use of redirection servers that instructed the infected computers to visit specific fake web pages.
Detected by ESET in 2014, Kovter was initially a piece of ransomware, but the family has evolved since then to become ad fraud malware with its ability to send fake traffic if it detects a network monitor, terminate its own spawned process if Windows Task Manager is started, use so-called “fileless” persistence by storing its malicious payload encrypted in the Windows registry, and more.
3VE.3—Data Centers IPs as Proxies
The third 3ve-associated sub-operation was similar to 3ve.1. Its bots were based in a few data centers, but in order to cover its tracks, it used the IP addresses of other data centers as proxies (exit node layer) instead of residential computers.
Although data centers are far more suspicious to advertisers who are worried about bot traffic, 3ve.3 strategy still allowed a reasonable degree of agility by helping its operators find new data centers as soon as old data centers were blocked.
Authorities Take Down “3ve” Ad Fraud Operation
Google uncovered the 3ve operations last year while its companies were assessing the impact of the Methbot operation, an underground ad fraud enterprise that White Ops revealed in 2016, which ESET named as the Boaxxe botnet.
However, after 3ve’s activity grew in 2017, generating billions of daily ad bid requests, Google collaborated with other security companies who were independently investigating this prominent ad-fraud operation to take down the entire 3ve network.
Google and other security firms worked with the FBI to shut down the massive ad-fraud operation. After obtaining warrants last month, the FBI seized 31 internet domains and 89 servers that were all part of the 3ve infrastructure.
Cybersecurity companies in the private sector also helped blacklist the 3ve infrastructure engaged in the ad-fraud scheme and sinkhole the traffic to the bad domains.
8 People Charged Over Multimillion-Dollar Ad Fraud Scheme
On Tuesday, the U.S. Justice Department indicted eight people allegedly involved in the infamous 3ve online advertising scams, which included five Russian nationals, one person from Russia and Ukraine, and two people from Kazakhstan. Three of them have already been arrested.
- Aleksandr Zhukov (38, Russian Federation) [arrested from Bulgaria]
- Boris Timokhin (39, Russian Federation) [arrested from Estonia]
- Mikhail Andreev (34, Russian Federation and Ukraine)
- Denis Avdeev (40, Russian Federation)
- Dmitry Novikov (Russian Federation)
- Sergey Ovsyannikov (30, Republic of Kazakhstan) [arrested from Malaysia]
- Aleksandr Isaev (31, Republic of Kazakhstan)
- Yevgeniy Timchenko (30, Republic of Kazakhstan)
“The Office also extends its appreciation to Microsoft Corporation, ESET, Trend Micro Inc., Symantec Corporation, CenturyLink, Inc, F-Secure Corporation, Malwarebytes, MediaMath, the National Cyber-Forensics and Training Alliance and The Shadowserver Foundation for their assistance in the botnet takedown,” DOJ said.
The defendants are charged with 13 counts of criminal violations, including wire fraud, aggravated identity theft, money laundering, and conspiracy to commit computer intrusion, among other offenses.