Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Feds Charge Eight With Online Advertising Fraud

$36 Million in Digital Video Ad Fraud Tied to 3ve and Methbot Schemes
Feds Charge Eight With Online Advertising Fraud
Heat map of residential PCs infected with 3ve.2 botnet malware, with red indicating the highest concentration of computers (Source: Google and White Ops)

The U.S. Department of Justice on Tuesday announced that it has indicted eight individuals as part of a multiyear FBI investigation into gangs that allegedly perpetrated digital advertising fraud, in part, via botnets.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Charges against the eight men, as revealed in a 13-count indictment unsealed on Tuesday, include hacking, identity theft, money laundering and wire fraud.

Three of the men have been arrested abroad; the rest remain at large.

"As alleged in court filings, the defendants in this case used sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud," says Richard P. Donoghue, the U.S. attorney for the Eastern District of New York.

The suspects allegedly participated in one or both of two digital ad fraud schemes: Methbot, a data center-based scheme tied to at least $7 million in fraud, and botnet-driven 3ve, which has been tied to at least $29 million in fraud.

As part of an accompanying takedown operation, the FBI also obtained seizure warrants, unsealed Tuesday at a federal court in Brooklyn, authorizing the bureau to take control of 31 internet domains as well as to seize information from 89 computer servers allegedly used as part of the botnets' infrastructure, including command-and-control servers tied to malware known as Kovter.

"The FBI, working with private sector partners, redirected the internet traffic going to the domains - an action known as 'sinkholing' - in order to disrupt and dismantle these botnets," the Justice Department says.

The Justice Department says it's also executed seizure warrants for international bank accounts - allegedly used by the perpetrators - located in multiple countries, including Switzerland.

"This case sends a powerful message that this office, together with our law enforcement partners, will use all our available resources to target and dismantle these costly schemes and bring their perpetrators to justice, wherever they are," Donoghue says (see: Video Ad Fraud Botnet Bags Up to $1.3 Million Daily).

"The scale of the 3ve group's activities were unprecedented, and although they used many common techniques to obtain ill-gotten gains, the infrastructure they assembled to achieve their goals is astonishing," Christopher Boyd, lead malware intelligence analyst at cybersecurity firm Malwarebytes, tells Information Security Media Group. "With a thousand or so dedicated servers, fake browsing histories to increase CPM [cost per thousand impressions], close to a million dedicated IPs, and up to $5 million in bogus ad inventory each day, it's no wonder authorities decided to take action."

Eight Men Charged

The indictment charges eight defendants, and lists their age and citizenship:

  • Aleksandr Zhukov, 38, Russian Federation
  • Boris Timokhin, 39, Russian Federation
  • Mikhail Andreev, 34, Russian Federation and Ukraine
  • Denis Avdeev, 40, Russian Federation
  • Dmitry Novikov, Unknown, Russian Federation
  • Sergey Ovsyannikov, 30, Republic of Kazakhstan
  • Aleksandr Isaev, 31, Russian Federation
  • Yevgeniy Timchenko, 30, Republic of Kazakhstan

"Ovsyannikov was arrested last month in Malaysia, Zhukov was arrested earlier this month in Bulgaria and Timchenko was arrested earlier this month in Estonia, all pursuant to provisional arrest warrants issued at the request of the United States," the Justice Department says.

"Thanks to the hard work of our legal attachés and law enforcement partners overseas, with the cooperation of our international and U.S.-based private sector partners, the defendants will face justice for their alleged crimes," says FBI Assistant Director-in-Charge William F. Sweeney Jr. (See: Video Ad Fraud Botnet Bags Up to $1.3 Million Daily)

But any suspects currently located in Russia are unlikely to see the inside of a court room, provided they curtail their travel abroad. Russia has never extradited a cybercrime suspect. In addition, Moscow typically files competing extradition requests to attempt to return alleged cybercriminals, arrested abroad to their home soil (see: Russia's Accused Hacker Repeat Play: Extradition Tug of War).

Methbot: Data Center Scheme

Five of the suspects - Zhukov, Timokhin, Andreev, Avdeev and Novikov - allegedly operated a fake advertising network known as Methbot, helped by Ovsyannikov, from September 2014 to December 2016.

Methbot earned money by creating fake users to interact with online advertising - generating so-called advertising impressions - to fraudulently receive payment from legitimate advertising networks, according to court documents.

Prosecutors say Methbot's operators rented 1,900 computer servers and spoofed 5,000 real domains as part of their scheme, as well as registered 650,000 IP addresses to make it appear that end users were coming from actual internet service providers.

"To create the illusion that real human internet users were viewing the advertisements loaded onto these fabricated websites, the defendants programmed the data center servers to simulate the internet activity of human internet users: browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," the Justice Department says.

Extract from the unsealed indictment (Source: Department of Justice)

The scheme was disrupted in December 2016 after cybersecurity firm White Ops published a report analyzing the operation and listing IP addresses used by attackers, which security firms quickly moved to block. White Ops said it had seen the operation scale up dramatically in October 2016, "reaching as many as 137 million impressions per day."

3ve: Botnet Scheme

The disruption of Methbot allegedly led to Ovsyannikov - together with Timchenko and Isaev - running a new scheme called 3ve - pronounced "Eve" - from December 2015 until last month, when Ovsyannikov was arrested in Malaysia.

An overview of the broader 3ve operation (Source: Google and White Ops)

Prosecutors say the scheme relied on a botnet composed of more than 1.7 million PCs on which attackers had surreptitiously installed 3ve.2 botnet malware. The malicious code, unbeknownst to users, "used hidden browsers ... to download fabricated webpages and load ads onto those fabricated webpages," generating fake advertising impressions to earn attackers fraudulent compensation from legitimate advertising networks, according to court documents.

"Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads," US-CERT says its TA18-331A alert, "3ve - Major Online Ad Fraud Operation," published Tuesday.

"3ve created fake versions of both - websites and visitors - and funneled the advertising revenue to cyber criminals," it says. "3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as hijacked Border Gateway Patrol [aka Border Gateway Protocol or BGP] IP addresses."

Working Group Targeted 3ve

Last year, a working group composed of 17 firms - including Google, Facebook, Verizon's Oath subsidiary and White Ops - banded together to attempt to secretly track 3ve, then shared their findings with law enforcement.

"3ve was remarkably sophisticated," says Tamer Hassan, CTO of White Ops. "It showed every indication of a well-organized engineering operation with best practices in software development. It exhibited reliability, resilience and scale, rivaling many state-of-the-art software architectures."

"The hackers essentially seized huge swaths of corporate and residential IP space by interfering directly with the main internet routing protocol," Google and White Ops say in a 3ve white paper analyzing the operations.

"At its peak, it controlled over 1 million IPs from both residential malware infections and corporate IP spaces primarily in North America and Europe," says Per Bjorke, Google's product manager for ad traffic quality, in a blog post.

Google says it's been automatically refunding advertisers for all fraudulent website advertising that it can spot, including recent 3ve activity.

3ve Operation Summary

Peak metrics, including ad traffic volumes and other volumes observed over the course of the 3ve investigation (Source: Google and White Ops)

Public/Private Cooperation

The Justice Department said the help of numerous other countries' law enforcement agencies was critical to the investigation. It also thanked multiple private-sector organizations for helping it to disrupt or unravel the online advertising fraud operations.

"The office extends its appreciation to White Ops, Inc. and Google LLC for their assistance in the investigation and botnet takedown," it says. "The office also extends its appreciation to Microsoft Corporation, ESET, Trend Micro Inc., Symantec Corporation, CenturyLink Inc., F-Secure Corp., Malwarebytes, MediaMath, the National Cyber-Forensics and Training Alliance and The Shadowserver Foundation for their assistance in the botnet takedown."

Hassan, the White Ops CTO, tells the Wall Street Journal that these efforts represent the biggest effort yet by law enforcement to disrupt the online advertising fraud business.

FBI Sinkholes Domains

The FBI says this help was crucial for enabling it to disrupt 3ve by seizing servers and sinkholing domains tied to both 3ve as well as Kovter malware.

"In addition, as part of its investigation, the FBI discovered an additional cybercrime infrastructure committing digital advertising fraud through the use of data center servers located in Germany and a botnet of computers in the United States infected with malicious software known in the cybersecurity community as Boaxxe," the Justice Department says.

The FBI says it used search warrants to sinkhole eight Boaxxe domains, disrupting that digital ad fraud campaign.

"The disruption of infrastructure thus far has been successful, bringing the bid request traffic close to zero within 18 hours of starting the coordinated takedown," Google and White Ops say in their report.

But the problem of online advertising fraud is a large one. Indeed, a 2017 study from White Ops and the Association of National Advertisers estimated that fraudsters would cost the industry $6.5 billion that year, although that was a decrease from the $7.2 billion in losses the ANA estimated for 2016.

For now, it remains to be seen if 3ve will disappear, or if its alleged still-at-large members might launch new online digital ad fraud operations - as well as what effect the FBI's disruption efforts will have on the broader online advertising ecosystem.

But Boyd of Malwarebytes says that such efforts require intense investment and maintenance. "This kind of setup is not trivial to piece together or maintain, and law enforcement will be hoping a takedown of this magnitude will make others think twice before immersing themselves in large-scale ad fraud," he says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.