3ve Ad-Fraud Botnet with Billions of Daily Ad Requests Shut Down

A massive ad-fraud operation that caused tens of millions of dollars in losses has been dismantled. The illegal business at one point controlled more than one million compromised IP addresses in North America and Europe.

Dubbed 3ve (pronounced “Eve”) by Google and cybersecurity company White Ops, the fraudulent activity grew from a modest endeavor in 2017 to a large-scale business that thrived on malware infections, Border Gateway Protocol (BGP) hijacking, and fraudulent domains and websites to generate between 3 and 12 billion daily ad bid requests at its peak.

Over the course of the investigation, the 3ve operation handled at least 700,000 active infections at any given time and over 60,000 accounts that sold advertising space. It also forged more than 10,000 websites and exploited over 1,000 data center nodes. In its heyday, 3ve controlled more than one million IPs, with the number of unique addresses reaching 1.7 million.

The online advertising business

Online ads are dynamically supplied to viewers based on multiple indicators that also provide data on the available space, aka ad inventory, from the publishers (websites). The ad space is auctioned via Supply Side Platforms (SSP), which pass the information to the advertiser.

In turn, advertisers rely on Demand Side Platforms (DSP) to make an offer for the ad space, taking into account the potential success of the campaign. Details like the popularity of the publisher and the type of audience and region exposed to the ads determine the price of the ad.

There are billions of such operations every day, and they happen before the page loads in the user’s web browser. The ad inventory can move between multiple auctions until it is matched with an advertiser.

3ve’s three-pronged ad-fraud approach

3ve’s game was to forge publisher inventory and the human interaction with the ads. By controlling these two components, the operation caused more than $29 million in losses to businesses that paid for fake traffic and ad views.

To avoid detection, the group behind 3ve relied on combinations of data centers and botnets that created fake ad inventory and drove false traffic to the pages.

A joint report from Google and ad-fraud fighting company White Ops reveals that one revenue stream came from bots operating in data centers in the US and Europe.

This model used the Boaxxe botnet, also known as Miuref, and BGP hijacking to obtain IP addresses for proxying the traffic from the machines in the data centers and visiting both fake and real web pages.

At first, the fraudulent ad requests appeared to originate from desktop browsers, but later the scheme increasingly spoofed mobile traffic from Android.

The second approach sold fake ad space on counterfeit domains. By using the Kovter botnet to deliver a custom browsing agent, proxies were no longer necessary as redirection servers pointed compromised systems to specific web pages.

In an alert today, US-CERT says that the Kovter botnet fraud scheme runs a hidden Chromium Embedded Framework (CEF) browser on the compromised computer.

The third strategy observed with 3ve also ran the activity from data centers. It masked the real IP addresses of the bots by running the traffic through bots in other data centers.

Data centers are a red flag to advertisers worrying about fake traffic, but the operators would switch to a new data center as soon as the old one was blocked.

“Although easier to detect, this approach allowed them to commit ad fraud more efficiently — data centers can offer greater bandwidth than hundreds of thousands of residential computers,” Google and White Ops explain.

3ve goes down, eight men indicted

Multiple entities working with law enforcement contributed to taking down the ad-fraud operation. Apart from Google and cybersecurity company White Ops, the efforts were assisted by Microsoft, CenturyLink, MediaMath, and cybersecurity outfits ESET, Symantec, Trend Micro, F-Secure, Malwarebytes, The Shadowserver Foundation and the National Cyber-Forensics and Training Alliance.

Bringing 3ve down was a long-term game, with each step carefully planned to avoid negative impact on advertisers and publishers and to ensure that the operation was destroyed in its entirety, with no possibility of revival.

This is why takedown efforts were combined with prosecution. The Department of Justice today unsealed a 13-count indictment against eight individuals involved in the 3ve scheme.

Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko have been charged with wire fraud, computer intrusion, aggravated identity theft, and money laundering.

Last month, the FBI seized 31 domains and information from 89 servers that were part of the 3ve infrastructure. Partners in the private sector helped sinkhole the traffic to the bad domains.

These actions led to significantly lower volumes of invalid traffic, with bid requests nearing zero within 18 hours of the coordinated takedown.