Posted on November 28, 2018 at 4:55 PM
According to yesterday's announcement from the US Justice Department and Google, a massive cybercriminal operation has finally been taken offline. The operation infected over 1.7 million computers, forcing them to generate clicks on internet advertisements. This is a common type of fraud called 'click fraud', although it is usually done on a much larger scale. This particular operation ended up making tens of millions of dollars for those behind it.
Details of the click fraud
The operation is named "3ve" (pronounced "Eve"), and it involves an attack targeting Windows-based devices. Devices that are taken over are then secretly modified so that they visit certain websites and automatically click on the online advertisements shown there.
The operation itself was large enough that the total number of clicks on targeted ads was between 3 billion and 12 billion per day. To achieve this, hackers employed a special malware strain named Kovter, which was spread via malicious email attachments and infected websites.
Kovter usually tricks the victim into downloading fake updates for Flash, Firefox, or Chrome, and once it infects a computer, it runs a hidden browser in the background. Researchers estimated that around 700,000 computers running Windows are infected by this malware at any given time.
In addition to Kovter, researchers stated that the 3ve operators also used another malware strain, named Boaxxe. This malware is able to remotely control computers in data centers. The infected machines initially pretended to be desktops, but over time they ended up masquerading as Android-based devices.
Most of the affected computers are located in North America and Europe, and they include corporate and home devices alike. This information was provided by both Google and the security company White Ops. Both companies also announced that 3ve is one of the biggest ad fraud schemes ever discovered.
To generate even more revenue, the hackers went a step further and created thousands of fake websites resembling popular domains. These fake web pages were then loaded on infected devices, and the click fraud would begin. Advertisers wrongly believed that their ads were being displayed on top websites, and the Justice Department claims that over $29 million was paid for ads that were never served to human consumers at all.
Additional details regarding the 3ve operation
According to some estimates, the 3ve operation was originally launched in December 2015 and remained undiscovered until recently. In order to put a stop to it, the US authorities had to seize numerous domain names, as well as the servers the hackers were using to control infected computers.
So far, federal investigators have shared that they suspect three individuals of running the entire operation. Two of them — Yevgeniy Timchenko and Sergey Ovsyannikov — were arrested in Estonia and Malaysia. The third suspect, Aleksandr Isaev, has yet to be located.
It is not yet clear how these particular suspects were identified in the first place. However, it is known that multiple cybersecurity companies assisted investigators, including Trend Micro, ESET, and Malwarebytes.
Another interesting detail is that the Justice Department unsealed indictments against five additional suspects in a separate click fraud case. This other operation was named Methbot, and it involved renting out servers in a Texas-based data center. That fraud ended up forcing numerous businesses to pay over $7 million for ads that were likewise never actually displayed to human users.
Those who suspect that their computers might be affected by either of the two malware strains should run one of the free antivirus tools as soon as possible. Further information can be found here.