FBI dismantles gigantic ad fraud scheme operating across over one million IPs
The FBI, Google, and 20 tech industry partners have collaborated to take down a giant cyber-criminal network involved in generating fake ad views and clicks that have been used to defraud ad networks and advertisers for the past four years and make millions in illicit revenue for the scheme's perpetrators.
Besides a coordinated intervention to take down several of the criminal scheme's botnets, the US Department of Justice also announced a 13-count indictment against eight suspects believed to be behind this operation, three of whom are already under arrest and awaiting extradition to the US.
The 3ve ad fraud scheme
According to a DOJ indictment and a white paper released by Google and cyber-security firm White Ops, the eight suspects are believed to be the main operators of an ad fraud scheme that the cyber-security and advertising industry has been tracking since last year under the codename of "3ve," and which is believed to have been active since at least 2014.
Investigators said that over time, the 3ve operators used different schemes to generate ad views and clicks, relying on a slew of tricks, such as renting other cybercrime botnets, creating their own botnets hosted on commercial data centers, hijacking IP address blocks, using proxies to hide real IP addresses, and even creating their own websites on which they displayed ads, to make sure that bots have ads to load and click on.
Based on observations of past practices, Google and industry partners have organized 3ve's operations into three subgroups, each with its own specifics.
3ve.1 -- aka MethBot, Miuref, or Boaxxe
The first of these schemes, 3ve.1, has already been detailed in previous reports, although at the time of its discovery it wasn't yet known that it was only a small component of a larger operation.
Initially identified as MethBot (White Ops' term) in early reports, but also tracked as the Miuref (Symantec's term) or Boaxxe (ESET's term) botnet, the 3ve.1 operation was powered by a network of bots, all operating in a few data centers across the US and Europe.
These bots were simple scripts that ran on data center servers; they opened thousands of automated web browsers, which used a proxy server to disguise the server's IP address and then loaded the desired website.
In the 3ve.1 scheme, crooks made money by running fake ad networks that received payments from other ad networks or advertisers when they displayed ads on real websites.
According to the FBI, the 3ve group used more than 1,900 servers housed in commercial data centers to host the MethBot/Miuref/Boaxxe bots that would load one of 5,000 counterfeit websites, which would load ads from advertisers, generating profits for the 3ve gang.
The bots were configured to mimic both desktop and mobile traffic, and in some cases also clicked on ads, to spoof real user traffic and generate even more revenue for the 3ve gang.
Investigators say that when ad networks started detecting the group's campaign, the 3ve.1 subgroup began hijacking corporate and residential IP address blocks, which they temporarily assigned to their data center servers and proxies to mask their operations.
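The 3ve.1 traffic pattern described above (data center origin, one server impersonating thousands of desktop and mobile browsers, inflated click rates) is the kind of thing an ad platform's fraud filter scores on. The following is an added detection example, not code from Google, White Ops, or the 3ve investigation; the data center prefixes and the impression log are constructed sample data, and the thresholds are illustrative.

```python
import ipaddress
from collections import defaultdict

# Hypothetical data center ranges (constructed, RFC 5737 documentation prefixes),
# standing in for the commercial hosting ranges the article says 3ve.1 bots ran from.
DATACENTER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed impression log: (minute, client_ip, device_class, event)
SAMPLE_LOG = [
    (1, "203.0.113.7", "desktop", "view"), (1, "203.0.113.7", "mobile", "view"),
    (1, "203.0.113.7", "desktop", "click"), (1, "203.0.113.7", "mobile", "click"),
    (2, "203.0.113.7", "desktop", "view"), (2, "203.0.113.7", "mobile", "click"),
    (1, "192.0.2.44", "desktop", "view"), (5, "192.0.2.44", "desktop", "view"),
    (9, "192.0.2.44", "desktop", "click"),
]

def score_sources(log, per_minute_limit=3, ctr_limit=0.2):
    """Return {ip: [signals]} for source IPs that trip at least two 3ve.1-style signals."""
    by_ip = defaultdict(list)
    for rec in log:
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        signals = []
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in DATACENTER_NETS):
            signals.append("datacenter_origin")      # bots hosted on rented servers
        if len({r[2] for r in recs}) > 1:
            signals.append("mixed_device_class")     # one host claiming desktop and mobile
        per_minute = defaultdict(int)
        for r in recs:
            per_minute[r[0]] += 1
        if max(per_minute.values()) > per_minute_limit:
            signals.append("burst_rate")             # thousands of browsers behind one IP
        clicks = sum(1 for r in recs if r[3] == "click")
        if clicks / len(recs) > ctr_limit:
            signals.append("high_ctr")               # scripted ad clicks
        if len(signals) >= 2:                        # single signal alone is not enough
            flagged[ip] = signals
    return flagged

if __name__ == "__main__":
    for ip, signals in score_sources(SAMPLE_LOG).items():
        print(ip, signals)
```

Requiring two independent signals keeps a single residential user with an unusually high click rate (192.0.2.44 above) from being blocked outright.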
3ve.2 -- the Kovter scheme
But as advertising networks started blacklisting the IP addresses associated with the 3ve.1 operations, the crooks also diversified their scheme by renting "install space" offered by the operators of the Kovter malware botnet.
Investigators say the 3ve gang deployed a custom bot on over 700,000 computers infected with the Kovter malware, a bot that opened hidden browser windows to load websites operated by the 3ve gang, generating profits in a similar manner to the 3ve.1 subgroup but using malware-infected PCs instead of data center-hosted bots.
3ve.3 -- 3ve.1, with a twist
The third scheme was almost identical to the first, with two main differences. The first was that the crooks used far fewer data center bots, and the second was that the 3ve operators rented other data center servers to use as proxies instead of hijacking IP addresses from residential networks.
"Although easier to detect, this approach allowed them to commit ad fraud more efficiently -- data centers can offer greater bandwidth than hundreds of thousands of residential computers," Google said in its report.
In a blog post today, Google revealed that it became aware of 3ve's full capabilities and operations last year, and as its investigations progressed, it became aware that other ad platforms and cyber-security firms were also looking at the same operation. Google said it put together a working group with several industry partners to coordinate a takedown of 3ve's entire network.
Some of the infosec and ad industry's biggest players were invited, such as Microsoft, ESET, Symantec, Proofpoint, Trend Micro, F-Secure, Malwarebytes, CenturyLink, MediaMath, White Ops, Amazon, Adobe, Trade Desk, Oath, The Shadowserver Foundation, and the National Cyber-Forensics and Training Alliance.
DOJ indictments, arrests, and 3ve takedown
Law enforcement was also invited, which resulted in today's DOJ indictment, naming six Russian nationals and two from Kazakhstan as the main 3ve operators.
The names of these eight initial suspects are Aleksandr Zhukov (38, Russia), Boris Timokhin (39, Russia), Mikhail Andreev (34, Russia), Denis Avdeev (40, Russia), Dmitry Novikov (??, Russia), Sergey Ovsyannikov (30, Kazakhstan), Aleksandr Isaev (31, Russia), and Yevgeniy Timchenko (30, Kazakhstan).
Three have already been apprehended at the US' behest. Zhukov was arrested earlier this month in Bulgaria, Timchenko in Estonia, and Ovsyannikov in Malaysia (last month). The remaining defendants are at large, according to US officials, and international arrest warrants have been issued in their names.
But besides arrests, the FBI also obtained seizure warrants authorizing its investigators to take control of 31 internet domains and 89 servers that have been used to manage the 3ve infrastructure.
According to a chart Google shared today, the volume of fraudulent ad placement requests dropped immediately as the FBI and partner cyber-security firms started blacklisting and sinkholing the 3ve infrastructure.
Google says that at its peak, the 3ve operation generated over three billion fraudulent daily ad bid requests, employed over 60,000 accounts selling fraudulent ad inventories, operated over 10,000 counterfeit websites for the sole purpose of showing ads, ran over 1,000 data center servers, and controlled over one million IP addresses for hiding the various 3ve bots.
While Google hasn't posted an official number, financial damages to advertisers are believed to be in the range of millions of US dollars.