The FBI, together with cybersecurity firms, dismantled a sophisticated ad fraud scheme that allowed its operators to earn tens of millions of dollars
Law enforcement and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud campaigns, dubbed 3ve, which infected over 1.7 million computers to carry out advertising fraud.
The name 3ve refers to three distinct sub-operations, each using its own measures to avoid detection and each built on a different architecture with different components.
3ve has been active since at least 2014, and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million. The people involved in the ad-fraud campaign are all from Eastern Europe.
The United States Department of Justice also indicted eight individuals from Russia, Kazakhstan, and Ukraine.
The operators used a broad range of techniques to monetize their efforts: they created counterfeit versions of legitimate websites, used their own botnet to simulate visitor activity on them, offered the resulting ad space to advertisers, and hijacked Border Gateway Protocol (BGP) routes to redirect traffic. The crooks also used malicious code to generate fake clicks on online ads and earn money.
“3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right.” read the report published by WhiteOps.
“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users.”
The infrastructure behind the 3ve ad-fraud campaign was enormous: according to the experts, the fraudsters infected 1.7 million computers with malware, operated thousands of servers, and ran more than 10,000 counterfeit websites impersonating legitimate web publishers.
The experts discovered that the crooks used over 60,000 accounts selling ad inventory, generating 3 to 12 billion daily ad bid requests.
“All told, 3ve controlled over 1 million IPs from both residential botnet infections and corporate IP spaces (as noted above, there were up to 700,000 active infections at any given time).” continues the report.
“In aggregate, the operation also produced more than 10,000 counterfeit domains, and generated over 3 billion daily bid requests at its peak. We estimate that portions of the bot operation spanned over 1,000 servers in data centers allocated to various functions needed for this type of large-scale operation.”
Experts observed three 3ve sub-operations during their investigation:
3VE.1—The BOAXXE Malware Scheme (aka METHBOT /MIUREF)
The 3ve.1 sub-operation leveraged the Boaxxe botnet (aka Miuref and Methbot), composed of infected systems in data centers across the US and Europe.
The attackers also carried out BGP hijacking to obtain IP address space through which traffic from the data-center bots was proxied. The infected systems were used to visit both counterfeit and real web pages.
“All the fake ad requests from 3ve.1 initially pretended to be from desktop browsers, but this changed over time, with the operation increasingly relying on spoofed mobile traffic. This was done by the data center-based browsers pretending to be Android devices.” continues the report.
“There were two unique, active mobile misrepresentation schemes: in one the ad requests were spoofed to look like they came from mobile apps, in the other the ad requests were spoofed to look like they came from mobile browsers. The spoofing was achieved by overriding the parameters typically used to determine what type of device the traffic came from.”
According to the investigators, between September 2014 and December 2016 the scheme involved over 1,900 servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites. The scheme generated millions of dollars in profit for its operators.
3VE.2—The KOVTER Malware Scheme
In this second scheme, the attackers used counterfeit domains to sell fake ad inventory to advertisers. They ran a hidden, custom-built browsing agent based on the Chromium Embedded Framework on more than 700,000 computers that had been compromised with the Kovter malware.
Fraudsters used redirection servers that instructed the infected computers to visit fake web pages operated by the gang.
3VE.3—Data Center IPs as Proxies
In the third sub-operation, bots ran in data centers and used the IP addresses of other data centers as proxies.
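The two data-center-based sub-operations described above (3ve.1, whose data-center browsers pretended to be Android devices by overriding the parameters used to identify the device type, and 3ve.3, which proxied through data-center IP space) share a detectable property: the bid request claims to come from a consumer device while its source address belongs to hosting space. The script below is an added example written for this article, not code from WhiteOps, Google or the investigators. It runs a few illustrative consistency checks over constructed bid-request log lines. The one-line-per-request log format, the data-center prefixes (RFC 5737 documentation ranges standing in for real hosting ranges, which the page does not list) and the heuristics themselves are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed "data-center" prefixes for this example only. RFC 5737
# documentation blocks are used so that nothing here points at a real network;
# a real deployment would use ASN/BGP data for the hosting-vs-residential call.
DATACENTER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile", re.IGNORECASE)
DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux", re.IGNORECASE)

# Hypothetical log format (not any real exchange's format):
#   <timestamp> <client-ip> ua="<user agent>" app="<app bundle or empty>" site="<domain or empty>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) ua="(?P<ua>[^"]*)" app="(?P<app>[^"]*)" site="(?P<site>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ua: str
    reasons: list


def is_datacenter(ip: str) -> bool:
    """True if the address falls inside one of the (constructed) hosting prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)


def inspect(ip: str, ua: str, app: str, site: str) -> list:
    """Return the list of inconsistencies found in one bid request (empty if none)."""
    reasons = []
    # 3ve.1 / 3ve.3 pattern: a phone or tablet supposedly browsing from hosting space.
    if MOBILE_UA.search(ua) and is_datacenter(ip):
        reasons.append("mobile device claimed from a data-center IP")
    # App-traffic spoofing: an in-app request whose user agent is a desktop browser.
    if app and DESKTOP_UA.search(ua):
        reasons.append("in-app request carries a desktop browser user agent")
    # A request cannot originate from both an app and a web page at once.
    if app and site:
        reasons.append("request declares both an app bundle and a web site")
    return reasons


def scan(log_text: str) -> list:
    """Parse the log and return a Finding for every request with at least one inconsistency."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        reasons = inspect(m["ip"], m["ua"], m["app"], m["site"])
        if reasons:
            findings.append(Finding(m["ip"], m["ua"], reasons))
    return findings


# Constructed sample log: line 1 is a "phone" in hosting space, line 2 an app
# request with a desktop UA, line 3 a plausible residential Android request.
SAMPLE_LOG = """
2018-10-01T12:00:00Z 203.0.113.7 ua="Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0 Mobile Safari/537.36" app="" site="news-site.test"
2018-10-01T12:00:01Z 192.0.2.44 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0 Safari/537.36" app="com.example.puzzle" site=""
2018-10-01T12:00:02Z 192.0.2.45 ua="Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0 Mobile Safari/537.36" app="" site="news-site.test"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ip, "->", "; ".join(f.reasons))
```

On the constructed sample, the first two lines are flagged and the third passes. The point of the check is the mismatch between the claimed device and the network the request actually came from; because the report says the operators overrode exactly the parameters used to classify the device, any single field (user agent, declared app bundle, declared site) is untrustworthy on its own, and only cross-checking it against something the operator does not control, such as the routing origin of the source address, produces a signal.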
The 3ve campaign was first spotted in 2016 by ESET, which tracked the botnet as Boaxxe.
Security firms helped the FBI shut down the massive ad-fraud operation. Law enforcement obtained warrants that allowed them to seize 31 internet domains and 89 servers belonging to the 3ve infrastructure.