Botnet Takedown Spotlights Growing Ad Fraud Issue and How to Protect Yourself

essidsolutions

A federal court recently unsealed indictments against eight individuals, mostly from Russia, accused of running online ad fraud schemes.

In collaboration with a team of security companies and other tech industry partners including Google, the FBI has taken down a significant cyber-criminal network responsible for a global ad fraud campaign that stole substantial ad spend from unsuspecting businesses.

The cyber criminal rings were responsible for running 3ve (pronounced “eve”) and Methbot, online advertising scams that used click fraud to con companies into thinking they had paid to place ads on websites – in reality the fraudulent networks were routing fake internet traffic to advertisers.

The attackers made use of malware and botnets to create a network of billions of fake webpages and users, tricking ad networks and advertisers into believing they were paying for real ad views and clicks.

In other words, victims have paid some $38 million since 2014 for ads that no real human ever saw.

By the time it was broken, the illegal operations had built a powerful system of up to 700,000 infected consumer devices and more than 1 million IP addresses.

In addition to seizing key infrastructure used by the perpetrators, the investigation has also led to a 13-count indictment by the Justice Department against eight suspects, three of whom have already been arrested and are scheduled for extradition to the US.

How it worked – Methbot

The fraudsters operated two similar but separate scams.

They started with Methbot, which raked in $7 million in illegal revenue from September 2014 to December 2016.

Methbot was made up of more than 1,900 systems rented in data centers. These devices uploaded ads on over 5,000 fake domains.

The cyber criminals then programmed the servers to imitate real internet users in order to spoof fake ad views and clickthrough rates on their fraudulent domains.

From there, the operation was quite simple: the cyber criminals sold ad space on these counterfeit sites to ad networks, while the rented server farms made it seem like actual people were visiting these webpages and seeing the ads.

At its peak, Methbot was pulling in somewhere between $3 million and $5 million in illicit ad revenue per day, according to security firm White Ops, which first uncovered the scheme.

How it worked – 3ve

3ve was a massive and complex botnet.

A whitepaper produced by Google and White Ops states that “3ve first emerged as a small bot-driven effort that subsequently grew into a large and sophisticated operation.”

In simple terms, a malicious botnet is a network of private computers and IP addresses infected with hostile software. These devices are controlled as a single system without their owners’ knowledge, for example to send spam – or, in this case, to imitate human behavior on websites.

3ve apparently affected at least 1.7 million computers, ran more than 1,000 data center servers, managed over 60,000 accounts dedicated to selling fraudulent ad inventory, falsified more than 10,000 websites that existed solely to display the pointless ads, and generated between three billion and 12 billion fraudulent ad bid requests per day.

All of this ultimately led to billions of simulated ad views that fleeced victims of a cumulative $29 million.

The scam specialized in generating lookalikes of legitimate websites to house advertisements. Similar to the way Methbot used server farms, 3ve employed the devices it had infected to create a flow of seemingly real traffic to those sites.

The botnet would then request ads be placed on the sham pages, and the fake visitors would produce clickthrough ad revenue for the cyber criminals.
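As an added illustration that is not part of the article or of White Ops’ own research, the Python sketch below shows how a buyer reviewing its own impression logs could surface the two traffic shapes described above: Methbot-style views arriving from rented data-center address space, and 3ve-style bursts of views from a single source that no human visitor would produce. The CIDR blocks, log lines, thresholds and site names are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed: address blocks an analyst has labelled as hosting/data-center
# space (documentation ranges, not real providers).
DATACENTER_RANGES = [
    ipaddress.ip_network(cidr) for cidr in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed impression log, one record per line: "<unix_ts> <client_ip> <site>".
SAMPLE_LOG = """\
1543500000 192.0.2.10 news.example
1543500037 192.0.2.10 news.example
1543500000 203.0.113.5 lookalike-news.example
1543500001 203.0.113.5 lookalike-news.example
1543500002 203.0.113.5 lookalike-news.example
1543500003 203.0.113.5 lookalike-news.example
1543500004 203.0.113.5 lookalike-news.example
1543500000 192.0.2.77 lookalike-news.example
1543500001 192.0.2.77 lookalike-news.example
1543500002 192.0.2.77 lookalike-news.example
1543500003 192.0.2.77 lookalike-news.example
1543500004 192.0.2.77 lookalike-news.example
1543500005 192.0.2.77 lookalike-news.example
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, site) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, site = line.split()
        records.append((int(ts), ip, site))
    return records


def is_datacenter(ip):
    """True when the client address falls inside a labelled data-center block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def flag_sources(records, max_views=4, window=60):
    """Return {ip: set(reasons)} for sources matching a fraud pattern.

    'datacenter-origin': views come from server address space (Methbot pattern).
    'burst-rate': more than `max_views` views inside `window` seconds (bot pattern).
    """
    stamps_by_ip = defaultdict(list)
    for ts, ip, _site in records:
        stamps_by_ip[ip].append(ts)

    flags = {}
    for ip, stamps in stamps_by_ip.items():
        reasons = set()
        if is_datacenter(ip):
            reasons.add("datacenter-origin")
        stamps.sort()
        # Sliding window: flag if any max_views+1 impressions fit in `window` seconds.
        for i in range(len(stamps) - max_views):
            if stamps[i + max_views] - stamps[i] <= window:
                reasons.add("burst-rate")
                break
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    for ip, reasons in flag_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, sorted(reasons))
```

The thresholds are deliberately low so the constructed log trips them; on real data they would be tuned per site, and the data-center list would come from a maintained source rather than a hard-coded pair of ranges. The point is the shape of the check: origin classification plus rate analysis, which together catch both the rented-server and the infected-consumer-device variants the article describes.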

Why you should care about ad fraud botnets

These types of ad fraud schemes are a growing issue.

In fact, in the same week that the Justice Department announced the indictment related to Methbot and 3ve, the story broke that Chinese developer Cheetah Mobile had been accused of developing mobile apps that deliberately make use of ad fraud techniques.

Why does this growing threat matter?

For starters, these malicious systems compromise trust across the entire digital advertising landscape. As FBI Assistant Director-in-Charge William Sweeney put it, “this kind of exploitation undermines confidence in the system, on the part of both companies and their customers.”

Meanwhile, the nature of the malicious code used to infect devices and redirect traffic is also a serious concern.

This new type of advanced malware executes only when specific conditions are met, which helps it evade detection and leaves infected computers open to follow-on attacks.

How can you protect your advertising operations?

This new generation of malware highlights the importance of advertisers knowing who they are dealing with and buying from in the digital ad supply chain.

Relevant stakeholders must work together to closely monitor the code that passes through their digital platforms in order to pinpoint potential threats – which means consistent, real-time scanning.

Fortunately, new tools, technologies and solutions are helping in the war against ad fraud. Symantec and Norton solutions, for instance, can help safeguard against such threats. Norton even offers a free program called Norton Power Eraser, which helps remove any infections.

Seller certification and authentication initiatives designed to help identify reputable ad sellers also exist. Look into ads.txt and the Trustworthy Accountability Group (TAG) – one study from The 614 Group found that fraud rates of advertising inventory on TAG-certified channels were 83% lower.
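To make the ads.txt check concrete, here is an added example (not code from the article, from the IAB, or from any vendor it names) of how a buyer could parse a publisher’s ads.txt file and confirm that the seller and account ID attached to a bid are actually authorized by that publisher. The file contents, domains, account IDs and certification-authority ID are all constructed; the line format follows the published ads.txt layout of seller domain, publisher account ID, relationship (DIRECT or RESELLER) and optional certification-authority ID, with `#` comments and `key=value` variable lines.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict


@dataclass(frozen=True)
class AdsTxtEntry:
    seller_domain: str           # system authorized to sell, lower-cased
    publisher_id: str            # publisher's account ID on that system
    relationship: str            # "DIRECT" or "RESELLER"
    cert_authority_id: Optional[str] = None


# Constructed ads.txt, as it might be served at https://news.example/ads.txt
SAMPLE_ADS_TXT = """\
# Constructed ads.txt for news.example (not a real file)
exchange-a.example, pub-1234, DIRECT, 0123456789abcdef
reseller-b.example, 5678, RESELLER  # inventory resold through B
Exchange-A.Example, pub-9999, reseller
contact=adops@news.example
this line is malformed
"""


def parse_ads_txt(text: str) -> Tuple[List[AdsTxtEntry], Dict[str, str], List[str]]:
    """Return (entries, variables, malformed_lines) for an ads.txt body.

    Comments are stripped, domains and relationships are normalised for
    case-insensitive matching, and records that lack the three required
    fields or carry an unknown relationship are reported rather than guessed.
    """
    entries: List[AdsTxtEntry] = []
    variables: Dict[str, str] = {}
    malformed: List[str] = []

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if "=" in line and "," not in line:      # variable record (contact=, subdomain=)
            key, _, value = line.partition("=")
            variables[key.strip().lower()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            malformed.append(raw)
            continue
        cert_id = fields[3] if len(fields) > 3 and fields[3] else None
        entries.append(
            AdsTxtEntry(fields[0].lower(), fields[1], fields[2].upper(), cert_id)
        )
    return entries, variables, malformed


def authorized_relationship(entries: List[AdsTxtEntry],
                            seller_domain: str,
                            publisher_id: str) -> Optional[str]:
    """Return 'DIRECT' or 'RESELLER' if the (seller, account) pair is listed, else None.

    A bid whose seller/account pair is absent from the publisher's ads.txt is
    unauthorized inventory: exactly the counterfeit-site supply the article describes.
    """
    wanted = seller_domain.lower()
    for entry in entries:
        if entry.seller_domain == wanted and entry.publisher_id == publisher_id:
            return entry.relationship
    return None


if __name__ == "__main__":
    found, variables, bad = parse_ads_txt(SAMPLE_ADS_TXT)
    print("authorized entries:", len(found), "malformed lines:", bad)
    print("exchange-a / pub-1234 ->", authorized_relationship(found, "exchange-a.example", "pub-1234"))
    print("exchange-a / pub-0000 ->", authorized_relationship(found, "exchange-a.example", "pub-0000"))
```

In practice the file would be fetched from the publisher domain named in the bid request rather than embedded, and the check would run before bidding, not after spend has been reported. The parser deliberately refuses to guess at malformed records, because a lenient parse that silently accepts a broken line is what an impersonating seller would hope for.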

Don’t wait to act until you discover you’ve wasted your ad budget on fake ads. You can start simply: stop buying via open exchanges. Instead, use programmatic direct channels, as they provide a more tangible tie between buyers and sellers.