Massive ad fraud network that leveraged Kovter shut down and eight hackers apprehended

• The ad fraud network compromised IP addresses in North America and Europe.
• Operators had divided 3ve’s operation into three subgroups - 3ve.1, 3ve.2, 3ve.3.

In a major law enforcement crackdown, the FBI has dismantled a massive online advertising scam network that resulted in the loss of over $36 million. Dubbed ‘3ve’, the fraudulent operation was active since 2014 and saw large-scale expansion in 2017.

At one point of time, the Kovter ad fraud network was discovered to have have compromised IP addresses across North America and Europe. At its peak, the 3ve operation controlled over one million IPs.

According to a DOJ indictment and a white paper published by Google and White Ops, the fraud ad campaign was operated by eight suspects. The campaign thrived on malware infections, Border Gateway Patrol (BGP) hijacking, fake domains and websites. It aimed to generate between $3 to $12 billion every day.

Investigators said that the 3ve operators carried out the operation using three different schemes to generate ad views and clicks. Researchers found that the cybercriminals had divided 3ve’s operation into three subgroups - 3ve.1, 3ve.2, 3ve.3. The group relied on a combination of data centers and botnets to avoid detection and drive false traffic to their malicious webpages.

About the three subgroups

3ve.1 also called as MethBot, Miuref or the Boaxxe, was powered by a network of bots. The scheme targeted a few data centers located across the US and Europe. Boaxxe botnet and BGP hijacking were primarily used in this model to obtain proxy IP addresses and later load desired websites on them.

This enabled the crooks to make money by running fake ad requests in European and US data centers. According to the FBI, more than 1,900 servers, housed in commercial data centers, were used to host the MethBot/, Miuref/Boaxxe bots, that would load one of 5,000 fake websites.

The 3ve.2 scheme also used counterfeit domains to sell fake ads. However, unlike 3ve.1, which relies on botnets, 3ve.2 used a custom-built browsing engine that installed the Kovter botnet. Google found that the Kovter botnet was deployed on approximately 700,000 computers, generating profits similar to the 3ve.1 campaign.

Meanwhile, the 3ve.3 scheme used data center-based bots to commit ad fraud efficiently. The cybercriminals operating the ad fraud network allegedly generated $7 million using the 3ve.1 scheme, between September 2014 and December 2016. The second, 3ve.2 made $29 million between December 2015 and October 2018.

The eight suspects arrested by the FBI are Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko. They have face several charges, including wire fraud, computer intrusion, aggravated theft and money laundering.

Besides arresting the culprits, the FBI has also seized 31 domains and information from 89 servers that were part of the 3ve operation.