
IoT/Embedded Security // Botnet

11/28/2018 08:15 AM
Scott Ferguson
News Analysis-Security Now

Feds Charge 8 in Large-Scale Ad Fraud & Botnet Scheme

The Justice Department has charged eight people with operating a large-scale ad fraud scheme that involved a pair of botnets based on malware dubbed Kovter and Boaxxe.

The US Justice Department has charged eight people in a massive ad fraud scheme that netted the group millions of dollars and used sophisticated botnets based on two different kinds of malware dubbed Kovter and Boaxxe.

The 13-count indictment was announced by the US Attorney's Office for the Eastern District of New York and unsealed on November 27. Of the eight people named in the document, three are in custody and are awaiting extradition to the US.

Together, this group, which is also known as "3ve," operated two different ad network schemes that defrauded various companies out of approximately $36 million in revenue between September 2014 and October 2018.

The scheme included two different fraudulent ad networks. In both cases, the group convinced companies to place ads with them that would appear on various websites. Instead, fraudulent sites were created, and the "people" clicking the ads were only machines programmed to imitate consumer behavior.

"The defendants faked both the users and the webpages: they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," according to Tuesday's indictment.

The first ad network, which prosecutors called "The Datacenter-based Scheme," involved 1,900 different servers rented in Dallas and other locations. These computers loaded legitimate ads onto fraudulent websites that spoofed more than 5,000 different domains.

In addition, these servers were used to imitate real human behavior on the Internet, including "browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," according to the indictment.

Finally, the group leased about 650,000 different IP addresses, assigned those addresses to the servers and then registered them so that the traffic appeared to come from customers of different ISPs.

This part of the scam ran for two years and the group collected about $7 million from the ad clicks it generated, according to the indictment.

The second fraudulent ad network, called "The Botnet-Based Scheme," involved the two botnets based on the malware known as Kovter and Boaxxe. In this case, the bots infected more than 1.7 million PCs in the US and elsewhere.

Both Kovter and Boaxxe are spread through email attachments and drive-by downloads, according to the US Computer Emergency Response Team (US-CERT), which issued its own alert about the fraud on the same day the indictment was unsealed. In both cases, the malware is controlled by a command-and-control server, which sends it instructions.

Once the botnets gained control of the PCs, the malware created a hidden browser that downloaded fabricated webpages and then loaded ads onto those webpages. Prosecutors suspect that the scheme produced billions of fraudulent ad clicks and netted the group $29 million in false advertising revenue during a three-year period.

Eventually, FBI agents obtained warrants to investigate the scheme and redirected traffic from the botnets' domains to servers they controlled -- a technique known as sinkholing -- in order to shut the botnets down. Authorities also seized 89 different physical servers.

Authorities noted that, in addition to the US Justice Department, the FBI and the New York City Police, Google, Microsoft, Trend Micro and various other tech vendors participated in the case. In a whitepaper about the group, Google and White Ops researchers noted that at its peak, these botnets could produce between 3 billion and 12 billion ad clicks each day.

The eight indicted individuals are: Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko. The charges against them include wire fraud, computer intrusion, aggravated identity theft and money laundering.

Of the eight, Ovsyannikov was arrested in October in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested a few weeks ago in Estonia. They are all awaiting extradition to face charges in the US. It's not known where the other five are as of now.

According to the indictment, the Justice Department believes that Ovsyannikov, Timchenko and Isaev were primarily responsible for the network that used the two botnets, while Zhukov, Timokhin, Mikhail Andreev, Denis Avdeev and Novikov, along with Ovsyannikov, oversaw the data center scheme.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
