This article originally appeared in E-Commerce Times on November 29, 2018.
The U.S. Department of Justice on Tuesday revealed an unsealed indictment of eight defendants for crimes related to their involvement in widespread digital advertising fraud.
“If all players along the digital ad supply chain were to closely watch what is rendered to users, thwarting any unauthorized code, the impact of cybercrime rings like 3ve would be drastically reduced.”
The DoJ alleges the eight individuals were behind two global schemes, 3ve (pronounced “eve”) and Methbot, which stole tens of millions of dollars through a scam that used fake Web traffic and fake websites to reap ad view revenue from unwitting advertisers.
“These individuals built complex, fraudulent digital advertising infrastructure for the express purpose of misleading and defrauding companies who believed they were acting in good faith, and costing them millions of dollars,” said FBI Assistant Director-in-Charge William F. Sweeney.
Charged in the indictment are Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko.
Ovsyannikov was arrested last month in Malaysia, according to the DoJ. Zhukov was arrested earlier this month in Bulgaria, and Timchenko was nabbed in Estonia. The remaining defendants remain are at large.
No More Whac-A-Mole
A broad coalition of 20 tech companies — embracing ad tech, security and Internet infrastructure — assisted the DoJ in taking down the 3ve and Methbot networks. Google and bot-detection firm White Ops spearheaded the effort. “Too often, the fight against fraud seems like a game of Whac-A-Mole,” said White Ops CEO Sandeep Swadia.
“Fraudsters, when discovered but not caught, can go underground, only to pop up across the street later. This time it was different,” he added.
“While ad fraud traditionally has been seen as a faceless crime in which bad actors don’t face much risk of being identified, or consequences for their actions, 3ve’s takedown demonstrates that there are risks and consequences to committing ad fraud,” noted Google Ad Traffic Quality Product Manager Per Bjorke.
Fraud operations like 3ve bring distrust and instability to the Internet by compromising everyday people’s computers, stealing from businesses, and robbing content publishers, Swadia pointed out.
“The dismantling of 3ve, along with law enforcement’s actions to hold the individuals accountable, is an important milestone for the digital advertising ecosystem and for billions of humans who rely on a safe and open Internet,” he said.
$7M in False Ads
Methbot was a data-center based scheme, according to the DoJ.
More than 1,900 servers at commercial data centers in Dallas, Texas, and elsewhere loaded ads on fabricated websites that spoofed more than 5,000 domains.
To create the illusion of real Internet use, the servers were programmed to mimic real human activity — browsing the Internet through a fake browser, using a fake mouse to move around and scroll down a Web page, starting and stopping a video player, and falsely appearing to be signed into Facebook.
In addition, 650,000 IP addresses were leased. Multiple IP addresses were assigned to each data center server, which created the appearance that the servers were residential computers belonging to individual users.
As a result of the scheme, billions of ad views were falsified and businesses paid more than US$7 million for ads that never were viewed by people, according to the Justice Department.
‘Remarkably Sophisticated’ Scam
3ve was comprised of three complex sub-operations, each designed to evade detection, White Ops explained.
The operators behind 3ve built an intricate and evasive system by exploiting various techniques, such as infecting everyday users’ computers, remotely controlling hidden browsers, stealing corporate IP addresses, and counterfeiting websites.
3ve generated revenue by selling ad spaces on counterfeit premium websites and sending fake audiences to real websites.
“3ve was remarkably sophisticated,” White Ops CTO Tamer Hassan said. “It showed every indication of a well-organized engineering operation with best practices in software development. It exhibited reliability, resilience and scale, rivaling many state-of-the-art software architectures.”
That kind of attention to detail usually is limited to high-reward crime, and ad fraud certainly is that. It’s estimated to rake in anywhere from $6 billion to $20 billion a year, and it could reach $44 billion by 2022.
“Well-funded and organized criminal rings are doing this,” said Mike Zaneis, CEO of the Washington, D.C.-based Trustworthy Accountability Group, or TAG, which operates a digital advertising certification program.
“It’s not some individual in their basement — they are very sophisticated,” he told the E-Commerce Times.
“Years ago, these attacks were easy to identify,” Zaneis continued. “Now criminals are very studious about studying human behavior and having their bots act like humans online.”
Among the victims of ad fraud are companies that have to pay for every user who views their ads.
“Normally the expectation is ad viewing would generate leads for a product which would ultimately lead to sales,” explained Chris Morales, head of security analytics at Vectra, a provider of automated threat management solutions based in San Jose, California.
“Every company has a budget for online ads, and this type of scheme would cannibalize that budget with no return on leads or sales,” he told the E-Commerce Times.
Consumers can be victims, too.
“Ultimately, the victims are consumers whose sensitive information is invariably stolen,” said Chris Olson, CEO of The Media Trust, a digital security company in McLean, Virginia.
“However, the entire industry loses from any drop in consumer trust in digital online advertising,” he told the E-Commerce Times. “Most, if not all, businesses today use digital assets like sites, mobile apps, and online ads as major touchpoints with their markets. When the trust dries up, so will the revenue.”
Impact on Fraud
With the takedown of 3ve and Methbot, the Justice Department has sent a message to cybercriminals that the United States takes ad fraud seriously, observed Rusty Carter, vice president for product management at Arxan Technologies, an application protection company in San Francisco.
“This may reduce ad fraud until better methods for remaining undetected are developed by the attackers, or they find more attractive targets,” he told the E-Commerce Times.
As more prosecutions for ad fraud are won, the barrier for entry will get higher for hackers, observed Maggie Louie, CEO of Devcon, a cybersecurity software company in Memphis, Tennessee.
“It will also educate young hackers — script kiddies who don’t think this is a crime — that this is very much a crime,” she told the E-Commerce Times.
Attacking Root Causes
The 3ve and Methbot operation can have an impact beyond taking out of play a global cybercriminal organization. It can act as a template for fighting online fraud.
“This type of collaboration is a powerful way to clean up the digital ecosystem,” The Media Trust’s Olson said.
However, advertising fraud is a symptom of a larger challenge that collaborators should address if they want to attack the root of the problem, he continued. That is the presence of unchecked and often unknown third-party code upon which bots are built.
“If all players along the digital ad supply chain were to closely watch what is rendered to users, thwarting any unauthorized code, the impact of cybercrime rings like 3ve would be drastically reduced,” Olson explained.
Advertising fraud is part of the larger botnet problem, said Vectra’s Morales.
“Botnets are often rented out for multiple uses, including ad fraud, denial of service attacks, and cryptomining,” he said.
They’re also used to generate false enthusiasm about products.
“We know that for the last few years, ‘click farms’ across southeast Asia have been programming thousands of mobile devices to generate massive numbers of automated fake ratings,” noted Franklyn Jones, CMO of Cequence Security, a Sunnyvale, California, maker of automated digital security solutions.
“If unscrupulous vendors commission automated bots to generate significant numbers of positive reviews for their crappy products,” he told the E-Commerce Times, “consumers that buy those products become victims, while legitimate vendors with quality products also become victims due to lost revenue opportunities.”
Partnerships between tech companies and law enforcement to fight online crime have become more common, and with good reason.
“Public-private partnerships are the best way to address these issues,” observed Sasha Hellberg, manager of threat research at Trend Micro, a cybersecurity solutions provider headquartered in Tokyo.
“These attacks pass through service providers — ISPs, vendors and others — before potentially affecting an end user. That makes the service provider a victim of the attack as well,” she told the E-Commerce Times.
“Therefore, having a service provider add their view on the attack — while maintaining their customers’ privacy — to assist law enforcement agencies is highly beneficial, Hellberg said, “just as any other witness of a crime. In this case, the witness just happens to be cyber-based.”
Public-private cooperation is highly important to fighting future large scale cyberattacks,” Morales noted.
“The private sector has the technology and capabilities, while the public sector has the jurisdiction and global visibility,” he said. “By working together, it is far easier to detect and respond to this level of global cybercrime.”