
IoT/Embedded Security // Botnet

11/28/2018 08:15 AM
Scott Ferguson
News Analysis - Security Now

Feds Charge 8 in Large-Scale Ad Fraud & Botnet Scheme

The Justice Department has charged eight people with operating a large-scale ad fraud scheme that involved a pair of botnets based on malware dubbed Kovter and Boaxxe.

The US Justice Department has charged eight people in a massive ad fraud scheme that netted the group millions of dollars and used sophisticated botnets based on two different kinds of malware dubbed Kovter and Boaxxe.

The 13-count indictment was announced by the US Attorney's Office for the Eastern District of New York and unsealed on November 27. Of the eight people named in the document, three are in custody and are awaiting extradition to the US.

Together, this group, which is also known as "3ve," operated two different ad network schemes that defrauded various companies out of approximately $36 million in revenue between September 2014 and October 2018.

The scheme included two different fraudulent ad networks. In both cases, the group convinced companies to place ads with them that would appear on various websites. Instead, fraudulent sites were created, and the "people" clicking the ads were only machines programmed to imitate consumer behavior.

Overview of the 3ve operation (Source: Google and White Ops)

"The defendants faked both the users and the webpages: they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," according to Tuesday's indictment.

The first ad network, which prosecutors called "The Datacenter-based Scheme," involved 1,900 different servers rented in Dallas and other locations. These computers loaded legitimate ads onto fraudulent websites that spoofed more than 5,000 different domains.

In addition, these servers were used to imitate real human behavior on the Internet, including "browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," according to the indictment.

Finally, the group leased about 650,000 different IP addresses, assigned those addresses to the servers and then registered those addresses to give the appearance of customers belonging to different ISPs.

This part of the scam ran for two years and the group collected about $7 million from the ad clicks it generated, according to the indictment.

The second fraudulent ad network, called "The Botnet-Based Scheme," involved the two botnets based on the malware known as Kovter and Boaxxe. In this case, the bots infected more than 1.7 million PCs in the US and elsewhere.

Both Kovter and Boaxxe are spread through email attachments and drive-by downloads, according to the US Computer Emergency Response Team (US-CERT), which issued its own alert about the fraud on the same day the indictment was unsealed. In both cases, the malware is controlled by a command-and-control server that sends it instructions.

Once the botnets gained control of the PCs, the malware would create a hidden browser that downloaded fabricated webpages and then loaded ads onto those webpages. Prosecutors suspect that the scheme produced billions of fraudulent ad clicks and netted the group $29 million in false advertising revenue over a three-year period.

Eventually, FBI agents obtained warrants to investigate the scheme and redirected traffic from different domains -- a technique known as sinkholing -- in order to shut down the botnets. Authorities also seized 89 different physical servers.

Authorities noted that, in addition to the US Justice Department, the FBI and the New York City Police Department, Google, Microsoft, Trend Micro and various other tech vendors participated in the case. In a whitepaper about the group, Google and White Ops researchers noted that at its peak, these botnets could produce between 3 billion and 12 billion ad clicks each day.

The eight indicted individuals are: Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko. The charges against them include wire fraud, computer intrusion, aggravated identity theft and money laundering.

Of the eight, Ovsyannikov was arrested in October in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested a few weeks ago in Estonia. All three are awaiting extradition to face charges in the US. The whereabouts of the other five are not known as of now.

According to the indictment, the Justice Department believes that Ovsyannikov, Timchenko and Isaev were primarily responsible for the network that used the two botnets, while Zhukov, Timokhin, Mikhail Andreev, Denis Avdeev and Novikov, along with Ovsyannikov, oversaw the data center scheme.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
