11/28/2018
08:15 AM
Scott Ferguson
News Analysis-Security Now

Feds Charge 8 in Large-Scale Ad Fraud & Botnet Scheme

The Justice Department has charged eight people with operating a large-scale ad fraud scheme that involved a pair of botnets based on malware dubbed Kovter and Boaxxe.

The US Justice Department has charged eight people over a massive ad fraud scheme that netted the group tens of millions of dollars and relied on two botnets built from different malware families, Kovter and Boaxxe.

The 13-count indictment was announced by the US Attorney's Office for the Eastern District of New York and unsealed on November 27. Of the eight people named in the document, three are in custody and are awaiting extradition to the US.

The group, tracked by researchers as "3ve," operated two separate ad fraud schemes that cheated advertisers out of approximately $36 million between September 2014 and October 2018.

In both schemes the group sold advertisers placements that were supposed to appear on real websites. Instead, the ads were loaded onto fabricated sites, and the "people" viewing and clicking them were machines programmed to imitate consumer behavior.

"The defendants faked both the users and the webpages: they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," according to Tuesday's indictment.

The first, which prosecutors call "the Datacenter-based Scheme," used some 1,900 servers rented in commercial data centers in Dallas and elsewhere. The servers loaded real ads onto fabricated webpages that spoofed more than 5,000 legitimate domains, so the ads appeared to be running on those publishers' sites.

In addition, these servers were used to imitate real human behavior on the Internet, including "browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," according to the indictment.

Finally, to hide the fact that the traffic came from data centers, the group leased about 650,000 IP addresses, assigned them to the servers and registered them so that the traffic appeared to come from ordinary customers of various ISPs rather than from a hosting provider.

This part of the scheme ran for about two years and brought in roughly $7 million in ad revenue, according to the indictment.
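The three tells in the datacenter-based scheme (traffic from rented servers rather than home machines, pages that spoof a publisher's domain, and scripted "human" behavior) are exactly the signals an ad platform's traffic-quality team looks for. The following triage script is an added example, not code from the indictment, Google, White Ops or any ad platform; it runs over a constructed impression log whose format, field names and IP-to-network-type lookup are assumptions, and it generalizes beyond the case by also flagging metronomic request timing, which the indictment describes only indirectly as simulated browsing.

```python
"""Ad-traffic triage over constructed impression logs (added example).

Each log line carries: timestamp (seconds), client IP, the publisher domain declared in
the ad request, the host that actually served the page, and the client's network type
from a hypothetical IP-to-ASN lookup. All values below are constructed test data.
"""
import statistics
from collections import defaultdict

# Constructed sample. 203.0.113.9 behaves like a 3ve datacenter node: hosting-range IP,
# page served from a domain other than the one it declares, and impressions every 2.0 s.
SAMPLE_LOG = """\
1000.0 198.51.100.7 news-site.example cdn.news-site.example residential
1000.5 198.51.100.7 news-site.example cdn.news-site.example residential
1004.2 198.51.100.7 news-site.example cdn.news-site.example residential
1000.0 203.0.113.9 news-site.example ad-farm.example hosting
1002.0 203.0.113.9 news-site.example ad-farm.example hosting
1004.0 203.0.113.9 news-site.example ad-farm.example hosting
1006.0 203.0.113.9 news-site.example ad-farm.example hosting
1008.0 203.0.113.9 news-site.example ad-farm.example hosting
1000.0 192.0.2.44 sports.example sports.example residential
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, declared, served, net = line.split()
        events.append({"ts": float(ts), "ip": ip, "declared": declared.lower(),
                       "served": served.lower(), "net": net})
    return events


def is_spoofed(declared, served):
    """True when the serving host is neither the declared publisher domain nor a subdomain of it.

    The suffix check includes the dot so that 'evilnews-site.example' does not pass as
    'news-site.example'.
    """
    return not (served == declared or served.endswith("." + declared))


def score_ip(events, min_events=4, max_cv=0.05):
    """Return the sorted list of fraud signals present in one client IP's impressions."""
    reasons = set()
    if any(e["net"] == "hosting" for e in events):
        # Weak on its own: the scheme leased address blocks and re-registered them to look
        # like ISP customers, so treat this as corroboration, not proof.
        reasons.add("hosting-origin")
    if any(is_spoofed(e["declared"], e["served"]) for e in events):
        reasons.add("domain-spoof")
    ts = sorted(e["ts"] for e in events)
    if len(ts) >= min_events:
        # Real users arrive in bursts and pauses; a scripted loop produces near-constant gaps.
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = 0.0 if mean == 0 else statistics.pstdev(gaps) / mean  # zero gaps = a burst, also suspect
        if cv < max_cv:
            reasons.add("metronomic")
    return sorted(reasons)


def triage(text):
    """Group impressions by client IP and return only the IPs that raised at least one signal."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    return {ip: r for ip, evs in by_ip.items() if (r := score_ip(evs))}


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

On the sample above only 203.0.113.9 is flagged, with all three signals. In production the domain check would compare the declared domain against the ads.txt and sellers.json records the publisher actually authorizes, and the timing check would run over far longer windows; the point here is that no single signal is decisive, which is why 3ve combined IP laundering with fake browsers in the first place.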

The second, called "the Botnet-Based Scheme," used the two botnets built on the Kovter and Boaxxe malware, which together infected more than 1.7 million computers in the US and elsewhere.

Both Kovter and Boaxxe spread through malicious email attachments and drive-by downloads, according to the US Computer Emergency Readiness Team (US-CERT), which issued its own alert about the operation the day the indictment was unsealed. Once installed, each bot takes its instructions from a command-and-control server run by the operators.

On an infected machine, the malware launched a hidden browser that fetched fabricated webpages and loaded ads into them, all invisible to the user. Prosecutors say the scheme generated billions of fraudulent ad requests and earned the group $29 million in advertising revenue over roughly three years.

The FBI eventually obtained warrants to take over the botnets' domains and redirect their traffic to servers under government control, a technique known as sinkholing, which cut the infected machines off from their operators. Authorities also seized 89 physical servers.
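Sinkholing works at the DNS layer: once the command-and-control domain is under the defender's control, queries for it are answered with an address the defender owns, so every bot that checks in reports to the sinkhole instead of the operators. The responder logic below is an added example written for this article, not the FBI's or any vendor's tooling; it builds the DNS wire-format answer for a hypothetical domain list and sinkhole address (the real 3ve domains are not used), and a deployment would wrap it in a UDP listener on port 53 or, more usually, express the same policy as a resolver response-policy zone.

```python
"""Minimal DNS sinkhole responder logic (added example).

Given a raw DNS query, answer A/IN questions for sinkholed domains with the sinkhole
address and return None for everything else so the caller can forward it normally.
Domain names and addresses are hypothetical placeholders.
"""
import struct

SINKHOLED = {"c2.example.test", "update.example.test"}  # assumption: stand-ins for seized C2 names
SINKHOLE_IP = "192.0.2.10"  # RFC 5737 documentation range, stands in for the defender's server


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard query packet (used here to construct test input, as a bot's resolver would)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, qclass, raw_question) or raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("packet too short for DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, packet[12:pos + 4]


def sinkhole_response(packet, sinkholed=SINKHOLED, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Answer an A query for a sinkholed domain; None means pass the query through untouched."""
    txid, qname, qtype, qclass, question = parse_question(packet)
    if qname not in sinkholed or qtype != 1 or qclass != 1:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 answer
    rdata = bytes(int(octet) for octet in sinkhole_ip.split("."))
    # Name is a compression pointer to offset 12 (the question's QNAME), then A/IN/TTL/RDLENGTH.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def answer_ip(response):
    """Extract the A record from a single-answer response built by sinkhole_response."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    reply = sinkhole_response(build_query("c2.example.test"))
    print("c2.example.test ->", answer_ip(reply))
    print("www.example.org ->", sinkhole_response(build_query("www.example.org")))
```

The server listening at the sinkhole address then sees every beacon from the infected population, which is how investigators enumerate victims and why the short TTL matters: it keeps bots re-resolving the name so the redirection takes effect quickly and can be undone once the cleanup is finished.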

Authorities noted that Google, Microsoft, Trend Micro and other tech vendors took part in the investigation alongside the Justice Department, the FBI and the New York City Police Department. In a whitepaper on the group, researchers from Google and White Ops estimated that at its peak 3ve generated between 3 billion and 12 billion ad bid requests a day.

The eight indicted individuals are: Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko. The charges against them include wire fraud, computer intrusion, aggravated identity theft and money laundering.

Of the eight, Ovsyannikov was arrested in October in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested a few weeks ago in Estonia. All three are awaiting extradition to face charges in the US. The whereabouts of the other five are not known.

According to the indictment, Ovsyannikov, Timchenko and Isaev were primarily responsible for the botnet-based scheme, while Zhukov, Timokhin, Andreev, Avdeev and Novikov, along with Ovsyannikov, ran the datacenter-based scheme.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.