November 28, 2018 |

Multiple botnets disrupted as part of anti-fraud operation

Ad fraud ring used botnets to generate nearly 30 million dollars in fraudulent ad revenue

Helsinki, Finland – November 28, 2018: The internet scored a win after an FBI-led takedown disrupted a massive, multiyear scam that saw cyber criminals use botnets to manipulate internet traffic from 1.7 million IP addresses and generate nearly 30 million dollars in fraudulent ad revenue. F-Secure supported the takedown operation by providing threat intelligence on the scam’s malware campaigns and botnets.

The ad fraud ring, dubbed “3ve” in an advisory published by US-CERT,* built two different botnets by spreading Kovter and Boaxxe malware to individuals through spam emails and drive-by downloads. 3ve used these botnets to manipulate internet traffic and direct it to ads they ran under the pretense that the traffic was from real visitors. Estimates suggest 3ve’s botnets allowed them to manipulate internet traffic from as many as 1.7 million IPs at once.

The takedown, described yesterday in a news release from the US Department of Justice,** saw the FBI search 89 servers and sinkhole 31 domains to disrupt the botnets, and seize bank accounts connected with the group. The operation led to multiple charges being laid against eight individuals.

F-Secure played a supporting role in the FBI-led effort by exposing parts of 3ve’s botnets and malware campaigns for the authorities.

“3ve blasts out failed delivery notification spam, which is a common attack vector these days. Users open an attachment or click a link and end up infected with Kovter, Boaxxe or even both,” said F-Secure Researcher Paivi Tynninen. “3ve also uses malvertising that redirects users to fake software updates and tricks victims into installing Kovter, which is a fairly popular social engineering tactic.”

3ve used the Boaxxe botnet as a proxy for fraudulent ad requests sent from their own data center in Germany. The Kovter botnet was a network of infected PCs that ran a hidden browser from users, which 3ve used to discreetly direct traffic toward their ads.

Fabricating internet traffic with the these botnets helped 3ve convince buyers their ads were being viewed by countless numbers of people. It’s a type of fraud that many don’t realize is happening, but it’s actually a fairly prevalent type of cyber crime. A 2016 report from the World Federation of Advertisers projected that ad fraud revenues could balloon to anywhere between 50 to 150 billion dollars per year by 2025.***

“Ad fraud might not feel like a very pressing issue. But it costs a lot of businesses a lot of money, and those costs eventually get fed back to consumers,” said F-Secure Security Advisor Sean Sullivan. “That makes these kinds of takedown operations beneficial to not just companies or advertisers, but pretty much everyone.”

While the takedown successfully disrupted 3ve’s operations, the persistent nature of today’s botnets makes it difficult to say for certain whether or not 3ve is gone for good. And Sullivan says that even though many organizations contributed to the operation, they need help from individual PC users to ensure 3ve can’t bounce back.

“Most modern botnets have pretty sophisticated backends that are extremely resistant to takedown attempts. Infected PCs can be used to begin rebuilding, so it’s really important that individuals check their PCs and remove the malware if they discover an infection,” said Sullivan.

*Source: https://www.us-cert.gov/ncas/alerts/TA18-331A

**Source: https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing

***Source: https://www.wfanet.org/app/uploads/2017/04/WFA_Compendium_Of_Ad_Fraud_Knowledge.pdf

More information

F-Secure Blog: Authorities warn of 3ve ad fraud operation

About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com twitter.com/fsecureukteam | facebook.com/f-secure

Latest Press Releases

December 11, 2018

Online shoppers more vulnerable to spam as the holidays inch closer

Research from F-Secure warns holiday shoppers of malicious emails disguised as delivery notifications

November 28, 2018

Multiple botnets disrupted as part of anti-fraud operation

Ad fraud ring used botnets to generate nearly 30 million dollars in fraudulent ad revenue

November 20, 2018

F-Secure boosts endpoint detection and response with unique on-demand elevate to experts

F-Secure Rapid Detection & Response backs up companies fighting intruders and helps overstretched cyber security personnel stop breaches automatically before they happen in one easy to use solution.

November 6, 2018

Popular cyber security MOOC begins third year

F-Secure and the University of Helsinki’s Cyber Security MOOC aims to help future cyber security professionals realize their potential

%d bloggers like this: