This article originally appeared in Threat Post on November 28, 2018.
The FBI has taken control of 31 web domains in a widespread takedown of a multi-year, global ad fraud campaign, believed to have stolen at least $38 million, partly via a botnet strategy.
In addition, eight defendants face a 13-count indictment from a federal court in Brooklyn in the case. The charges against Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko include wire fraud, computer intrusion, aggravated identity theft and money laundering.
Ovsyannikov, Zhukov and Timchenko have been arrested and await extradition. The remaining defendants are at large.
The court also delivered search warrants authorizing the FBI to take information from 89 computer servers that served as infrastructure for the ad-fraud botnets behind the campaign. And, seizure warrants have been executed for multiple international bank accounts in Switzerland and elsewhere that were associated with the schemes, the court said.
“As alleged in court filings, the defendants in this case used sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud,” said Richard Donoghue, U.S. Attorney for the Eastern District of New York, in a notice posted Tuesday. “This case sends a powerful message that this office, together with our law-enforcement partners, will use all our available resources to target and dismantle these costly schemes and bring their perpetrators to justice, wherever they are.”
The court filings allege that the defendants posed as operators of a legitimate ad network, capable of delivering ad impressions to advertisers coming from live human traffic. In reality, both the webpages and the traffic were fake, according to the court.
“They programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue,” the documents explained.
There were two campaigns involved in the operation. In one, which ran between September 2014 and December 2016, the defendants allegedly rented more than 1,900 computer servers housed in commercial datacenters (mainly in Dallas), and used those datacenter servers to load ads on fabricated websites, ultimately spoofing more than 5,000 domains. The group allegedly falsified billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users.
“To create the illusion that real human internet users were viewing the advertisements loaded onto these fabricated websites, the defendants programmed the datacenter servers to simulate the internet activity of human internet users: browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook,” the court documents explained.
The defendants also allegedly leased more than 650,000 IP addresses, assigned multiple IP addresses to each datacenter server, and then fraudulently registered those IP addresses to make it appear that the datacenter servers were residential computers belonging to individual human internet users who were subscribed to various residential ISPs.
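Two of the signals described above (servers rotating through many leased IPs, and addresses registered as residential but actually routed from hosting space) can be checked on the demand side of the ad supply chain. The following Python script is an added example written for this article, not code from the court filings or from any of the companies mentioned; the prefix tables, the impression log and the device fingerprint values are all constructed for illustration and stand in for data a buyer would obtain from its own ad server logs and from a BGP/WHOIS feed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed lookup tables (assumptions for this example, not real data):
# - DATACENTER_NETS: prefixes the defender has classified as hosting/datacenter space
# - REGISTERED_AS_RESIDENTIAL: prefixes whose WHOIS record claims a residential ISP
DATACENTER_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
REGISTERED_AS_RESIDENTIAL = [ip_network("203.0.113.0/24")]

# Constructed impression log: (timestamp_seconds, client_ip, device_fingerprint).
# The fingerprint stands in for a server-side signal such as a TLS or header hash
# that stays constant for one machine even when its source IP changes.
IMPRESSIONS = [
    (0,  "203.0.113.10", "fp-A"),
    (5,  "203.0.113.11", "fp-A"),
    (9,  "203.0.113.12", "fp-A"),
    (14, "203.0.113.13", "fp-A"),
    (20, "198.51.100.7", "fp-B"),
    (25, "192.0.2.44",   "fp-C"),
    (30, "192.0.2.45",   "fp-D"),
]


def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def registration_mismatches(impressions):
    """IPs whose registration says 'residential' but which sit in datacenter space."""
    return sorted({ip for _, ip, _ in impressions
                   if in_any(ip, REGISTERED_AS_RESIDENTIAL) and in_any(ip, DATACENTER_NETS)})


def multi_ip_fingerprints(impressions, window_seconds=60, min_ips=3):
    """Fingerprints seen from at least min_ips distinct IPs inside one time window.

    A genuine residential user rarely changes source IP several times a minute;
    a single server rotating through a pool of leased addresses does exactly that.
    """
    by_fp = defaultdict(list)
    for ts, ip, fp in impressions:
        by_fp[fp].append((ts, ip))
    flagged = {}
    for fp, events in by_fp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window_seconds}
            if len(ips) >= min_ips:
                flagged[fp] = sorted(ips)
                break
    return flagged


def datacenter_impressions(impressions):
    """Every impression whose source IP is in classified datacenter space."""
    return [ip for _, ip, _ in impressions if in_any(ip, DATACENTER_NETS)]


if __name__ == "__main__":
    print("registration mismatches:", registration_mismatches(IMPRESSIONS))
    print("fingerprints rotating IPs:", multi_ip_fingerprints(IMPRESSIONS))
    print("datacenter-sourced impressions:", len(datacenter_impressions(IMPRESSIONS)))
```

Neither check is proof of fraud on its own: VPN users and carrier-grade NAT can produce odd IP behaviour, and prefix classifications go stale. The value is in combining them: an impression that is both datacenter-sourced and tied to a fingerprint that cycles through many addresses is a strong candidate for exclusion from billing.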
Running in parallel, between December 2015 and October 2018, the group carried out another digital ad fraud scheme, in which a botnet of more than 1.7 million malware-infected computers was used to download fabricated webpages and load ads onto them. In all, this effort – which made use of the Kovter malware, according to the court – allegedly falsified billions of ad views and caused businesses to pay more than $29 million for ads that were never actually viewed by humans.
“While a lot of attention has been paid to the use of botnets … the most damning feature of these operations were the various malicious code that was deployed to infect computers, redirect traffic, etc.,” said Mike Bittner, digital security and operations manager of The Media Trust, in an emailed statement. “The malware, which would check for user names, IP addresses, certain ISPs and geographical locations, as well as for any security software, is part of a new generation of malware designed to refrain from execution unless the right conditions are met. Not only does this capability enable the malware to escape detection, it also opens up victims’ machines and devices to later attacks.
“This underscores the importance of knowing who you do business with along the digital ad supply chain and of collaborating with them on identifying the underlying malicious code, which wreaks havoc on unknowing users and undermines the supply chain,” said Bittner. “Publishers and e-commerce sites that want to protect their digital assets and users from such campaigns should closely monitor all code that courses through their digital ecosystem, through continuous and real-time scanning; ensure all of them are authorized; and if not, work with their digital partners and third parties on terminating them at their source. At the end of the day, the malicious code is the real weapon and it can be stopped in its tracks.”
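Bittner's recommendation that publishers continuously scan the code running on their pages and confirm every loader is authorized can be reduced to a concrete check. The script below is an added example for this article, not code from The Media Trust or any product; the allowlist of authorized origins and the sample page (including the unapproved tracker hostname) are constructed for illustration. It extracts every tag that pulls executable or embeddable content from another origin and reports the ones that are not on the publisher's allowlist.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: origins this publisher has authorized to load code.
AUTHORIZED_ORIGINS = {
    "https://cdn.example-publisher.test",
    "https://ads.approved-partner.test",
}

# Constructed sample page; the unknown-tracker host is invented for the example.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example-publisher.test/site.js"></script>
<script src="https://ads.approved-partner.test/tag.js" async></script>
</head><body>
<script>console.log("inline");</script>
<iframe src="https://ads.approved-partner.test/slot?id=7"></iframe>
<script src="//unknown-tracker.test/redirect.js"></script>
<img src="https://images.example-publisher.test/logo.png">
</body></html>
"""


class CodeLoaderParser(HTMLParser):
    """Collects tags that load executable or embeddable content from a URL."""
    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.loads = []          # (tag, url) for every external loader found
        self.inline_scripts = 0  # scripts with no src; reviewed separately

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        src = dict(attrs).get(attr_name)
        if src:
            self.loads.append((tag, src))
        elif tag == "script":
            self.inline_scripts += 1


def origin_of(url, page_scheme="https"):
    """Return scheme://host for an absolute or protocol-relative URL, else None."""
    if url.startswith("//"):
        url = f"{page_scheme}:{url}"  # protocol-relative URLs inherit the page scheme
    parsed = urlparse(url)
    if not parsed.netloc:
        return None  # relative path: same origin as the page itself
    return f"{parsed.scheme}://{parsed.netloc}"


def audit_page(html, authorized=AUTHORIZED_ORIGINS):
    """Parse a page and list loaders whose origin is not on the allowlist."""
    parser = CodeLoaderParser()
    parser.feed(html)
    unauthorized = [
        (tag, url) for tag, url in parser.loads
        if origin_of(url) is not None and origin_of(url) not in authorized
    ]
    return {
        "loads": parser.loads,
        "unauthorized": unauthorized,
        "inline_scripts": parser.inline_scripts,
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE)
    for tag, url in report["unauthorized"]:
        print(f"UNAUTHORIZED {tag}: {url}")
    print(f"{len(report['loads'])} loaders, {report['inline_scripts']} inline scripts")
```

A static pass like this only sees what the server sent; ad tags routinely load further scripts at runtime, which is why the quoted advice stresses continuous, real-time scanning. Running the same check against the DOM after page load (or enforcing the allowlist with a Content Security Policy and reviewing its violation reports) catches the loaders that appear later in the chain.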
Ad fraud seems to be a theme this week: The news comes on the heels of Cheetah Mobile landing in the headlines for allegedly perpetrating ad fraud of its own.