A collection of cybersecurity companies, Google, and the Feds are sharing details of how they uncovered and dismantled a massive ad-fraud operation known as "3ve" (pronounced "eve").
Google says that at its peak, the 3ve scam employed nearly two million hijacked devices to generate fake views of, and clicks on, advertisements, earning its operators hefty payouts from duped advertising networks. The idea was that 3ve's operators would create massive networks of fake websites that took bids from ad networks, then direct the infected machines to those sites to view and click the ads so the operators could collect the ad revenue.
"3ve operated on a massive scale: at its peak, it controlled over one billion IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland)," Google said in its summary of the operation this week.
"It featured many unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right [...] (many thousands of servers across many data centers) used to host 3ve's operation [...] found similar activity happening within a network of malware-infected residential computers."
Google says that the 3ve network actually started as a small botnet operation, first detected back in 2016. Over the following year the scam developed a large number of complex evasion techniques to avoid detection by click-fraud systems. The operators used a pair of malware packages, the Windows-targeting Boaxxe and Kovter, to infect victims' PCs.
Boaxxe, aka Miuref, and Kovter were spread via booby-trapped email attachments and drive-by downloads, effectively tricking people into installing them. BGP hijacking was also used in the caper, ultimately giving the crew control, in just one 10-day sample, of 1.7 million IP addresses, which were used to fire off what looked like legitimate ad requests and clicks.
Google's write-up goes into more technical detail, including signs of infection to look out for.
Assembling the A Team
In 2017, Google said, it called in additional help from anti-malware vendors: Proofpoint and Malwarebytes were brought in to help identify the malware 3ve used to enlist newly commandeered Windows PCs into its ranks. The malware checked for security software and would only execute the ad-fraud activity if its IP address was located in a specific area with a specific ISP.
This allowed the network to evade detection and grow to a massive scale; at its peak it was viewing and clicking on anywhere from three to 12 billion ads per day.
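The evasion tricks described above (gating execution on geography and ISP, and sourcing requests from residential and hijacked address space so they look legitimate) are aimed squarely at the behavioural checks ad networks run on traffic. As an added illustration, and not code from Google or any of the vendors named in this story, here is a small Python triage script run over constructed ad-event log lines. The log format, the thresholds, the sample IPs and the "suspect prefix" list are all assumptions made for the example.

```python
"""Toy click-fraud triage over ad-event logs.

Added example for this article, not code from Google, Proofpoint, Malwarebytes or
any 3ve investigator. Assumed log format (one event per line):
    "<seconds>,<source_ip>,<site>,<imp|click>"
Thresholds and the suspect prefix list are illustrative assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumed: address space an operator has reason to distrust, e.g. ranges seen in a
# BGP hijack or datacenter space that should not be emitting residential-looking ad traffic.
SUSPECT_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class SourceStats:
    impressions: int = 0
    clicks: int = 0
    sites: set = field(default_factory=set)
    times: list = field(default_factory=list)

    @property
    def ctr(self) -> float:
        return self.clicks / self.impressions if self.impressions else 0.0

    def interarrival_cv(self):
        """Coefficient of variation of the gaps between consecutive events.
        Humans are bursty (CV well above 0); a timer-driven bot is metronomic (CV near 0)."""
        t = sorted(self.times)
        gaps = [b - a for a, b in zip(t, t[1:])]
        if len(gaps) < 3:
            return None
        m = mean(gaps)
        return pstdev(gaps) / m if m > 0 else 0.0


def parse_log(text: str) -> dict:
    """Aggregate per-source counters from the assumed CSV-style log format."""
    stats = defaultdict(SourceStats)
    for line in text.strip().splitlines():
        ts, ip, site, event = line.split(",")
        s = stats[ip]
        s.sites.add(site)
        s.times.append(float(ts))
        if event == "imp":
            s.impressions += 1
        elif event == "click":
            s.clicks += 1
        else:
            raise ValueError(f"unknown event type: {event!r}")
    return dict(stats)


def triage(stats: dict, max_ctr=0.10, max_sites=20, max_cv=0.05, min_events=10) -> dict:
    """Return {ip: [reasons]} for every source that trips at least one heuristic."""
    flagged = {}
    for ip, s in stats.items():
        if s.impressions + s.clicks < min_events:
            continue  # too little data to judge
        reasons = []
        if s.ctr > max_ctr:
            reasons.append(f"ctr={s.ctr:.2f} above {max_ctr}")
        if len(s.sites) > max_sites:
            reasons.append(f"{len(s.sites)} distinct sites from one source")
        cv = s.interarrival_cv()
        if cv is not None and cv < max_cv:
            reasons.append(f"metronomic timing (cv={cv:.3f})")
        addr = ipaddress.ip_address(ip)
        for net in SUSPECT_PREFIXES:
            if addr in net:
                reasons.append(f"source in suspect prefix {net}")
        if reasons:
            flagged[ip] = reasons
    return flagged


def build_sample_log() -> str:
    """Constructed sample traffic, not a real capture: one bot, one human, one datacenter host."""
    lines = []
    # Bot: an impression/click pair every 4 s, each on a different fake publisher, CTR 100%.
    for k in range(30):
        lines.append(f"{4 * k:.1f},203.0.113.7,fakepub-{k:02d}.example,imp")
        lines.append(f"{4 * k + 2:.1f},203.0.113.7,fakepub-{k:02d}.example,click")
    # Human: irregular page views on two sites and a single click.
    human = [(3.1, "news.example"), (47.9, "news.example"), (52.4, "blog.example"),
             (130.0, "news.example"), (131.7, "news.example"), (260.2, "blog.example"),
             (310.9, "news.example"), (415.5, "blog.example"), (500.3, "news.example"),
             (640.8, "news.example")]
    lines += [f"{t},198.51.100.23,{site},imp" for t, site in human]
    lines.append("132.5,198.51.100.23,news.example,click")
    # Datacenter host: behaviour looks ordinary, but the address sits in a distrusted prefix.
    dc = [(10.3, "cdn-test.example"), (33.7, "shop.example"), (41.2, "shop.example"),
          (95.8, "news.example"), (120.0, "shop.example"), (150.4, "news.example"),
          (166.1, "cdn-test.example"), (201.9, "shop.example"), (255.5, "news.example"),
          (280.2, "shop.example"), (333.3, "cdn-test.example"), (390.7, "news.example")]
    lines += [f"{t},192.0.2.40,{site},imp" for t, site in dc]
    lines.append("151.0,192.0.2.40,news.example,click")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, reasons in triage(parse_log(build_sample_log())).items():
        print(ip, "->", "; ".join(reasons))
```

The point of layering the signals is that each one is cheap for an operator to dodge on its own: a bot that randomises its timing and keeps CTR low still gives itself away if it sits in hijacked address space, and a residential infection with a clean IP still stands out when it visits thirty "publishers" in two minutes. Real click-fraud systems run far more signals than this, but the shape of the decision is the same.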
"3ve's sheer size and complexity posed a significant risk not just to individual advertisers and publishers, but to the entire advertising ecosystem," Google said.
"We had to shut the operation down for good, which called for greater, more calculated measures; it was critical that we played the long game, endeavoring to have a more permanent, more powerful impact against this and future ad fraud operations."
To shut down the operation, Google said it formed a working group of 16 organizations, including security vendors and law enforcement outfits such as the US Department of Homeland Security and the FBI's Internet Crime Complaint Center.
The takedown of the network, says Google, was swift and severe. After spending several months observing the operators, the group launched a sweeping shutdown operation that caused the network's traffic to nearly flatline over the span of 18 hours (Google would not say exactly when this happened).
Now, the Chocolate Factory says it wants to both create and maintain standards for security vendors and ad networks to guard against fraud operations, and educate advertisers and publishers about fraud.
Meanwhile, the DHS and FBI are advising anyone who thinks their systems may be infected with 3ve's malware to report it via the FBI's IC3 website. ®
Stop press … US prosecutors today charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with their alleged involvement in the 3ve racket.
We're told Ovsyannikov, 30, was cuffed last month in Malaysia; Zhukov, 38, was collared earlier this month in Bulgaria; and Timchenko, 30, was nabbed earlier this month in Estonia. They await extradition to America. The rest are at large.
They are charged with wire fraud, computer intrusion, aggravated identity theft and money laundering.