Dark Reading is part of the Informa Tech Division of Informa PLC

IoT/Embedded Security // Botnet

11/28/2018 08:15 AM
Scott Ferguson
News Analysis-Security Now

Feds Charge 8 in Large-Scale Ad Fraud & Botnet Scheme

The Justice Department has charged eight people with operating a large-scale ad fraud scheme that involved a pair of botnets based on malware dubbed Kovter and Boaxxe.

The US Justice Department has charged eight people in a massive ad fraud scheme that netted the group millions of dollars and used sophisticated botnets based on two different kinds of malware dubbed Kovter and Boaxxe.

The 13-count indictment was announced by the US Attorney's Office for the Eastern District of New York and unsealed on November 27. Of the eight people named in the document, three are in custody and are awaiting extradition to the US.

The group, which is also known as "3ve," operated two different ad fraud schemes that together defrauded various companies out of approximately $36 million in revenue between September 2014 and October 2018.

The scheme included two different fraudulent ad networks. In both cases, the group convinced companies to place ads with them that would appear on various websites. Instead, fraudulent sites were created, and the "people" clicking the ads were only machines programmed to imitate consumer behavior.

"The defendants faked both the users and the webpages: they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," according to Tuesday's indictment.

The first ad network, which prosecutors called "The Datacenter-based Scheme," involved 1,900 different servers rented in Dallas and other locations. These servers loaded legitimate ads onto fraudulent websites that spoofed more than 5,000 different domains.

In addition, these servers were used to imitate real human behavior on the Internet, including "browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," according to the indictment.

Finally, the group leased about 650,000 different IP addresses, assigned those addresses to the servers and then registered those addresses to give the appearance of customers belonging to different ISPs.

This part of the scam ran for two years and the group collected about $7 million from the ad clicks it generated, according to the indictment.

The second fraudulent ad network, called "The Botnet-Based Scheme," involved the two botnets based on the malware known as Kovter and Boaxxe. In this case, the bots infected more than 1.7 million PCs in the US and elsewhere.

Both Kovter and Boaxxe are spread through email attachments and drive-by downloads, according to the US Computer Emergency Response Team (US-CERT), which issued its own alert about the fraud on the same day the indictment was unsealed. In both cases, the malware is controlled by a command-and-control server that sends it instructions.

Once the malware gained control of a PC, it would create a hidden browser that downloaded fabricated webpages and then loaded ads onto those webpages. Prosecutors suspect that the scheme produced billions of fraudulent ad clicks and netted the group $29 million in false advertising revenue during a three-year period.
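Both schemes described above rely on machine-generated traffic that an ad platform has to tell apart from real visitors: rented datacenter servers in the first scheme, and a hidden browser on infected PCs in the second. The following script is an added example, not part of this article or of any vendor's detection product, and shows the kind of heuristics a defender can run over ad-event logs. The log format, the sample log lines, the IP-to-network-type map and the thresholds are all constructed for illustration; a real deployment would replace the map with an ASN or GeoIP lookup and tune the thresholds against its own traffic.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the indictment or any real ad server).
# One event per line: "<ISO timestamp> ip=<client> site=<claimed publisher> event=<impression|click>"
SAMPLE_LOG = """\
2018-10-01T12:00:00 ip=203.0.113.10 site=news.example event=impression
2018-10-01T12:00:02 ip=203.0.113.10 site=sports.example event=impression
2018-10-01T12:00:04 ip=203.0.113.10 site=news.example event=click
2018-10-01T12:00:06 ip=203.0.113.10 site=finance.example event=impression
2018-10-01T12:00:08 ip=203.0.113.10 site=news.example event=click
2018-10-01T12:00:10 ip=203.0.113.10 site=sports.example event=impression
2018-10-01T12:00:01 ip=198.51.100.7 site=news.example event=impression
2018-10-01T12:00:37 ip=198.51.100.7 site=news.example event=click
2018-10-01T12:03:15 ip=198.51.100.7 site=sports.example event=impression
"""

# Constructed stand-in for an IP-to-network-type database (hypothetical labels;
# a real system would query an ASN/GeoIP source). Datacenter-hosted ranges matter
# because the first scheme ran on rented servers rather than consumer machines.
NETWORK_TYPE = {
    "203.0.113.0/24": "hosting",
    "198.51.100.0/24": "residential",
}

LINE_RE = re.compile(r"^(\S+) ip=(\S+) site=(\S+) event=(impression|click)$")

# Assumed thresholds, chosen for the sample data rather than taken from the article.
RATE_LIMIT_PER_MINUTE = 5  # more ad events per minute than a person plausibly produces
CADENCE_CV_MAX = 0.2       # near-constant gaps between events suggest a scripted browser
MIN_EVENTS = 3             # do not judge rate or cadence on fewer events than this


def parse_log(text):
    """Group events by client IP, sorted by time; malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, site, kind = m.groups()
        events[ip].append((datetime.fromisoformat(ts), site, kind))
    for ip in events:
        events[ip].sort()
    return events


def network_type(ip):
    """Look up the network type of an address in the constructed prefix map."""
    addr = ipaddress.ip_address(ip)
    for prefix, kind in NETWORK_TYPE.items():
        if addr in ipaddress.ip_network(prefix):
            return kind
    return "unknown"


def flags_for(ip, evs):
    """Return the list of bot-traffic indicators raised for one client IP."""
    flags = []
    if network_type(ip) == "hosting":
        flags.append("hosting_network")
    if len(evs) >= MIN_EVENTS:
        times = [t for t, _, _ in evs]
        # Events per minute over the observed span (at least one minute).
        span_minutes = max((times[-1] - times[0]).total_seconds() / 60, 1.0)
        if len(evs) / span_minutes > RATE_LIMIT_PER_MINUTE:
            flags.append("high_rate")
        # Coefficient of variation of inter-event gaps: humans are irregular,
        # a timer-driven hidden browser is not.
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < CADENCE_CV_MAX:
            flags.append("machine_cadence")
    return flags


def score_traffic(text):
    """Map each client IP in the log to its list of indicators (empty = clean)."""
    return {ip: flags_for(ip, evs) for ip, evs in parse_log(text).items()}


if __name__ == "__main__":
    for ip, flags in score_traffic(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(flags) or "no indicators")
```

Each indicator on its own is weak (a corporate proxy also produces a high event rate from one address, and hosting ranges carry some legitimate traffic), so the value is in combining them per source and correlating with the publisher-side signals the indictment describes, such as ads loading on pages that claim a domain they do not actually belong to.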

Eventually, FBI agents obtained warrants to investigate the scheme and redirected traffic from the botnets' domains to servers they controlled -- a technique known as sinkholing -- in order to shut down the botnets. Authorities also seized 89 different physical servers.

Authorities noted that, in addition to the US Justice Department, the FBI and the New York City Police Department, Google, Microsoft, Trend Micro and various other tech vendors participated in the case. In a whitepaper about the group, Google and White Ops researchers noted that at its peak, these botnets could produce between 3 billion and 12 billion ad requests each day.

The eight indicted individuals are: Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko. The charges against them include wire fraud, computer intrusion, aggravated identity theft and money laundering.

Of the eight, Ovsyannikov was arrested in October in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested a few weeks ago in Estonia. They are all awaiting extradition to face charges in the US. It's not known where the other five are as of now.

According to the indictment, the Justice Department believes that Ovsyannikov, Timchenko and Isaev were primarily responsible for the network that used the two botnets, while Zhukov, Timokhin, Denis Andreev, Mikhail Avdeev and Novikov, along with Ovsyannikov, oversaw the data center scheme.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
