The US Department of Justice has indicted eight people in relation to the takedown of two international cybercrime rings: botnet operation 3ve and data center-based scheme Methbot. The takedown was organized and conducted by the US government along with private sector companies including Google, White Ops, Proofpoint, Malwarebytes, and ESET.
Methbot, an online ad fraud operation run by Russian cybercriminals, was discovered in 2016 by White Ops. The scheme totaled between $3 million and $5 million in daily losses from major US advertisers as attackers pretended to be from major US media platforms: ESPN, Fortune, CBS Sports, and others. At the time it was unveiled, Methbot had been operating for three years.
3ve, another ad fraud scheme, didn't pose a major threat when it was spotted by Google researchers analyzing Methbot's effects. It appeared as a low-volume bot operation conducting ad fraud through residential computers, which were infected with unknown malware.
However, 3ve grew in 2017 and later generated billions of daily ad requests. At its peak, researchers estimate it drove between 3 billion and 12 billion (potentially more) daily ad bid requests. 3ve compromised 1 million IPs and had up to 700,000 active infections at a time, and 60,000 or more accounts selling ad inventory. It counterfeited 10,000 websites and had 1,000 or more data center nodes.
"3ve was a global, complex family of fraud operations, each designed to evade detection," says Tamer Hassan, cofounder and CTO at White Ops. "It took a historic cross-industry alliance to come together to hunt for and dismantle 3ve."
Typical ad fraud operations aim for simplicity by zeroing in on one aspect of digital advertising; for example, creating and selling bot traffic to publishers who want more eyes on their sites. Researchers dubbed this operation "3ve" because it was made up of three sub-operations. All shared similar traits but were built to perform different types of ad fraud.
Across 3ve, operators employed several tactics to look for as many devices and users as possible, increase ad fraud, and avoid detection. It made its money by fabricating two things advertisers demand, Hassan says: prestigious publisher content in programmatic advertising, and visitors to real publishers' websites.
"While all three sub-operations shared common characteristics and infrastructure, they varied in size, monetization strategy, and launch points," he continues. "3ve had remarkable ability to shapeshift, churning up [30,000 to 40,000 IPs per day] and deploying sophisticated evasive detection measures. The result was that if one aspect of its operation was disrupted, the other could flourish."
3ve was designed to infect users' machines, remotely control hidden browsers, steal corporate IP addresses, and run fake websites. It generated revenue by selling ad space on fake premium sites and sending fake viewers to real sites, White Ops researchers explain in a report.
Further analysis led experts to two malware families: Boaxxe/Miuref and Kovter.
Boaxxe malware, as explained by US-CERT, is spread via email attachments and drive-by downloads. The operation using Boaxxe is located in a data center, where hundreds of machines browse counterfeit websites. When fake webpages are loaded in a browser, requests are made to place ads on those pages. Data center devices used Boaxxe to make requests for ads; a command-and-control (C2) server told infected machines to make ad requests to hide the data center's location.
Kovter malware is also spread via email attachments and drive-by downloads, and uses the Kovter botnet, which runs a hidden Chromium Embedded Framework (CEF) browser on infected machines. A C2 server instructs devices to visit fake webpages in the hidden browser and requests that ads be placed on those sites. Infected devices receive and upload ads.
"The malware used here – Kovter – has been around in various incarnations for some time," says Chris Dawson, threat intelligence lead at Proofpoint. "It is most significant for its anti-analysis features, as well as its ability to replicate human clicks and interactions on both fake and legitimate ad-hosting pages." Anti-analysis features, he says, make it hard to observe.
Google researchers say the malware used anti-forensics to scan hardware, processes, username, and IP address to detect and avoid security software. It was receiving and executing fraud instructions on computers with certain ISPs, in certain geographical areas. Operators created an infrastructure of C2 servers to monitor infected machines and check for security.
"By using this infrastructure, the defendants accessed more than 1.7 million infected computers, belonging to ordinary individuals and businesses in the United States and elsewhere, and used hidden browsers on those infected computers to download fabricated webpages and load ads onto those fabricated webpages," explains the DoJ in a statement.
3ve employed several techniques to bypass detection. In addition to its anti-forensics technique, it mimicked human behavior (fake clicks, mouse movements), evaded tags, quickly regenerated its residential IP addresses, and did not have a single point of failure.
How the Takedown Went Down
Some bots are taken down when all their known IP addresses are blacklisted. However, 3ve was so aggressive, and could so quickly acquire new IP addresses, that they determined a blacklist would only temporarily disrupt its activity. A full takedown would involve better understanding of 3ve's structure and broader industry collaboration, Google researchers explain.
In all, nearly 20 companies spanning ad tech, cybersecurity, and Internet infrastructure worked together to bring down 3ve. To prevent the threat from recurring, players had to collectively investigate the operation and map out its infrastructure and monetization strategy. They spent months observing 3ve's activities, understanding its malware, and evaluating its impact.
The coordinated takedown disrupted as much infrastructure as possible to prevent rebuilding the botnet. Analysis shows traffic has declined, a sign the disruption has been successful – within 18 hours of starting, the takedown had brought the ad bid request traffic close to zero.
While certain elements of the takedown can't be shared publicly, says Dawson, a key component was the sinkholing of command-and-control domains used by 3ve to direct botnet and server-side operations. This blocked communication between nodes and the C2 infrastructure, especially between 700,000 infected machines in its second sub-operation.
"3ve was a first of its kind in its global reach and continuous innovation," says Hassan. "It won't be the last." The way to win the war against bot operators, he explains, he to reduce profitability, increase costs, and create consequences that increase risk and deter criminals.
Don't Do the Crime If You Can't …
Eight defendants were indicted today in relation to the 3ve and Methbot operations. Charges include wire fraud, computer intrusion, aggravated identity theft, and money laundering. Most of those indicted are from Russia; two are from Kazakhstan. At the time of writing, three of the alleged perpetrators have been arrested and five remain at large.
"Because we involved law enforcement, this is the first time consequences of this magnitude have been created for ad fraud," says Hassan. "Fraudsters, when discovered but not caught, can go underground, only to pop up across the street later. This time it was different."
He hopes fraudsters will think twice before building operations of this magnitude in the future.
Google has published guidance on how to prevent more attacks like this from happening in the future. First up is to create and adopt industry standards like ads.txt, which prevents domain spoofing by letting publishers create public records of "Authorized Digital Sellers." The idea is to make it easy to learn which parties can sell a certain publisher's ad inventory, and which aren't.
Beyond that, there are measurements advertisers can use to make sure the ad fraud solution in place is working. "If it seems too good to be true, it probably is," Google researchers point out. Advertisers and publishers should take a layered approach and use in-house defenses and third-party verification to watch for bot traffic and ad fraud.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.