The FBI, Google and a host of cybersecurity companies have combined to take down a botnet ad fraud operation that made nearly $30m in illegal online advertisement activities.

The cybercrime gang, known as ‘3ve’ (pronounced ‘eve’), hijacked 1.7 million devices to direct the compromised IP addresses to selected ads.

3ve ran these ads for companies under the pretence the traffic was from real visitors.

Eight of the men behind the scheme now face charges. Three of those have been arrested and five remain at large.

The operation involved the FBI searching 89 servers and sinkholing 31 domains. They also seized bank accounts connected with the group.

The takedown was announced yesterday by the US Department of Justice. The result is unusual in that botnets tend to be a low-risk activity for cybercriminals.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

How did the botnet ad fraud operation work?

To carry out the scam, 3ve created two different botnets by spreading malware known as Kovter and Boaxxe to individuals via spam emails and drive-by downloads.

“3ve blasts out failed delivery notification spam, which is a common attack vector these days,”  explained Paivi Tynninen, a reasercher for cybersecurity company F-Secure, which played a supporting role in the investigation.

“Users open an attachment or click a link and end up infected with Kovter, Boaxxe or even both.

“3ve also uses malvertising that redirects users to fake software updates and tricks victims into installing Kovter, which is a fairly popular social engineering tactic.”

Ad fraud is expected to cost advertisers $19bn this year, with that figure expected to rise as high as $150bn by 2025, according to the World Federation of Advertisers.

“Ad fraud might not feel like a very pressing issue. But it costs a lot of businesses a lot of money, and those costs eventually get fed back to consumers,” said F-Secure security advisor Sean Sullivan.

“That makes these kinds of takedown operations beneficial to not just companies or advertisers, but pretty much everyone.”

It is also difficult to say whether 3ve have been disrupted enough to be gone for good.

“Most modern botnets have pretty sophisticated backends that are extremely resistant to takedown attempts.

“Infected PCs can be used to begin rebuilding, so it’s really important that individuals check their PCs and remove the malware if they discover an infection,” explained Sullivan.

Read more: Cyber security trends for 2019