The FBI, Google and a host of cybersecurity companies have combined to take down a botnet ad fraud operation that made nearly $30m in illegal online advertisement activities.
The cybercrime gang, known as ‘3ve’ (pronounced ‘eve’), hijacked 1.7 million devices to direct the compromised IP addresses to selected ads.
3ve ran these ads for companies under the pretence the traffic was from real visitors.
Eight of the men behind the scheme now face charges. Three of those have been arrested and five remain at large.
The operation involved the FBI searching 89 servers and sinkholing 31 domains. They also seized bank accounts connected with the group.
The takedown was announced yesterday by the US Department of Justice. The result is unusual in that botnets tend to be a low-risk activity for cybercriminals.
How did the botnet ad fraud operation work?
To carry out the scam, 3ve created two different botnets by spreading malware known as Kovter and Boaxxe to individuals via spam emails and drive-by downloads.
“3ve blasts out failed delivery notification spam, which is a common attack vector these days,” explained Paivi Tynninen, a reasercher for cybersecurity company F-Secure, which played a supporting role in the investigation.
“Users open an attachment or click a link and end up infected with Kovter, Boaxxe or even both.
“3ve also uses malvertising that redirects users to fake software updates and tricks victims into installing Kovter, which is a fairly popular social engineering tactic.”
“Ad fraud might not feel like a very pressing issue. But it costs a lot of businesses a lot of money, and those costs eventually get fed back to consumers,” said F-Secure security advisor Sean Sullivan.
“That makes these kinds of takedown operations beneficial to not just companies or advertisers, but pretty much everyone.”
It is also difficult to say whether 3ve have been disrupted enough to be gone for good.
“Most modern botnets have pretty sophisticated backends that are extremely resistant to takedown attempts.
“Infected PCs can be used to begin rebuilding, so it’s really important that individuals check their PCs and remove the malware if they discover an infection,” explained Sullivan.
Read more: Cyber security trends for 2019