Biggest Ad-Fraud Operations '3ve' Shut Down by FBI and Tech Giants

One of the biggest online fraud operations, responsible for losses of millions of dollars, has finally been shut down. Google, the FBI and the security firm WhiteOps worked together to take down the multimillion-dollar ad-fraud operation dubbed "3ve".

3ve, pronounced "Eve", is an online fraud campaign that grew during 2017 into a large-scale business built on malware infections, Border Gateway Protocol (BGP) hijacking, and fraudulent domains and websites, generating more than $30 million in profit.
WhiteOps researchers said 3ve controlled at least 700,000 active infections at any given time and more than 60,000 accounts that sold advertising space. It also forged more than 10,000 websites and used over 1,000 data centre nodes. To achieve this, 3ve combined several tactics: building its own botnets, hijacking IP address space through Border Gateway Protocol (BGP), routing traffic through proxies, and infecting users' computers with malware, all to generate fake clicks on ads.

3ve's Fraud Operations

The name 3ve was given to this operation because its activity falls into three distinct schemes:
  • The BOAXXE Malware Scheme
  • The KOVTER Malware Scheme
  • Data Centers IPs as Proxies
1. The BOAXXE Malware Scheme
The Boaxxe botnet, also known as Miuref and Methbot, used BGP hijacking to obtain IP addresses for proxying traffic from machines in data centres, which then visited both fake and real web pages.

Initially, the fraudulent ad requests appeared to originate from desktop browsers, but over time the scheme increasingly spoofed mobile traffic from Android devices.

According to the report, between September 2014 and December 2016 this scheme used 1,900 computer servers hosted in commercial data centres to load ads from advertisers on over 5,000 counterfeit websites, generating millions of dollars in profit for its operators.

2. The KOVTER Malware Scheme
This is the second approach, which sold fake ad space on counterfeit domains. It used the Kovter botnet to deliver a custom browsing agent built on the Chromium Embedded Framework. Unlike the first scheme it did not rely on proxies, because redirection servers pointed the compromised systems directly to specific web pages.

3. Data Centers IPs as Proxies
This is the third strategy of 3ve: activity run directly from data centres. It masked the real IP addresses of the bots by routing their traffic through bots in other data centres. Although data centre traffic is far more suspicious to advertisers, the operators simply moved to new data centres as soon as the old ones were flagged.
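The reason data centre traffic is "suspicious to advertisers" is that real consumers rarely browse from hosting address space, so a first-pass fraud filter can score ad requests by whether the source IP falls inside known data centre ranges, and treat a mobile user agent arriving from such a range (the Android spoofing described under the Boaxxe scheme) as an even stronger signal. The following is an added example of that check written for this article; it is not code from WhiteOps, Google or any of the firms named here. The log format, the "data centre" CIDR list (IANA documentation ranges, not any real provider's allocations) and the sample lines are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a data-centre / hosting IP list. In practice this
# comes from an IP-to-ASN or hosting-provider database and must be refreshed
# continually, since operators rotate to fresh ranges once old ones are flagged.
DATA_CENTRE_RANGES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")
]

# Substrings that indicate a mobile browser in the User-Agent header.
MOBILE_UA_MARKERS = ("Android", "iPhone", "iPad")

# Constructed ad-request log: "<source ip>\t<publisher site>\t<user-agent>".
SAMPLE_LOG = (
    "203.0.113.7\texample-news.test\tMozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 Chrome/67.0 Mobile Safari/537.36\n"
    "198.51.100.42\texample-news.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/70.0 Safari/537.36\n"
    "192.0.2.15\texample-news.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/70.0 Safari/537.36\n"
    "203.0.113.9\tcounterfeit-publisher.test\tMozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Chrome/70.0 Mobile Safari/537.36\n"
)


@dataclass
class AdRequest:
    src_ip: str
    site: str
    user_agent: str


def parse_line(line: str) -> AdRequest:
    """Parse one tab-separated log line of the constructed format above."""
    ip, site, ua = line.rstrip("\n").split("\t", 2)
    return AdRequest(ip, site, ua)


def is_data_centre(ip: str) -> bool:
    """True if the address lies inside any listed data-centre range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATA_CENTRE_RANGES)


def classify(req: AdRequest) -> list:
    """Return the reasons a request looks like proxied bot traffic ([] if none)."""
    reasons = []
    if is_data_centre(req.src_ip):
        reasons.append("source-in-data-centre")
        # A phone browser never legitimately sits on a hosting provider's network.
        if any(marker in req.user_agent for marker in MOBILE_UA_MARKERS):
            reasons.append("mobile-ua-from-data-centre")
    return reasons


def scan(lines) -> dict:
    """Aggregate flag counts per publisher site: {site: {reason: count}}."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        for reason in classify(req):
            per_site = report.setdefault(req.site, {})
            per_site[reason] = per_site.get(reason, 0) + 1
    return report


def data_centre_share(lines) -> dict:
    """Fraction of each site's requests that came from data-centre space.

    A publisher whose traffic is mostly data-centre sourced is the kind of
    counterfeit site the schemes above relied on, and a candidate for blocking.
    """
    totals, flagged = {}, {}
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        totals[req.site] = totals.get(req.site, 0) + 1
        if is_data_centre(req.src_ip):
            flagged[req.site] = flagged.get(req.site, 0) + 1
    return {site: flagged.get(site, 0) / n for site, n in totals.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for site, reasons in scan(lines).items():
        print(site, reasons)
    for site, share in data_centre_share(lines).items():
        print(f"{site}: {share:.0%} of requests from data-centre space")
```

The per-site share is the more useful output operationally: a single data centre hit is weak evidence on its own, but a publisher whose traffic is overwhelmingly hosting-sourced matches the counterfeit-site pattern the indictment describes. The IP list is the weak point of this check, which is exactly why the 3ve operators kept moving to unflagged data centres; the list has to be refreshed as fast as they rotate.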

Eight Men Charged for 3ve Ad-fraud

Multiple entities worked together with law enforcement to take down this multimillion-dollar ad-fraud operation. Apart from Google and WhiteOps, other tech firms including Microsoft, ESET, Symantec, Trend Micro, F-Secure, Malwarebytes, The Shadowserver Foundation, CenturyLink and MediaMath also supported the effort.

The Department of Justice today unsealed a 13-count indictment against eight individuals involved in the 3ve scheme: five Russian nationals, one person from Russia and Ukraine, and two people from Kazakhstan.
  • Aleksandr Zhukov
  • Boris Timokhin
  • Mikhail Andreev
  • Denis Avdeev
  • Dmitry Novikov
  • Sergey Ovsyannikov
  • Aleksandr Isaev
  • Yevgeniy Timchenko
All eight defendants have been charged with wire fraud, computer intrusion, aggravated identity theft, and money laundering.
With ❤️ Cyber Kendra