A massive team of security companies and federal agencies worked together to shut down an enormous click fraud operation. Although 3ve, pronounced Eve, started as a small botnet, by the time it was sinkholed, it was using 1.7 million infected computers to falsify billions of ad views, which resulted in businesses paying over $29 million for ads that no real human internet users ever saw.
The Department of Justice unsealed the indictments. Eight men from Russia, Ukraine and Kazakhstan have been charged with 13 counts including money laundering, wire fraud, computer intrusion and aggravated identity theft.
Three of the eight have been arrested over the last two months and will be extradited to the US, while the others remain at large.
“This case sends a powerful message that this office, together with our law enforcement partners, will use all our available resources to target and dismantle these costly schemes and bring their perpetrators to justice, wherever they are,” stated United States Attorney Richard Donoghue.
A Google-released whitepaper revealed that “3ve generated between 3 billion and 12 billion or more daily ad bid requests at its peak.” When announcing the unsealing of a 13-count indictment against eight defendants, the Department of Justice said the FBI took control of 31 domains and took information from 89 servers that were part of the botnet infrastructure engaged in digital advertising fraud activity.
White Ops described 3ve as “one of the most sophisticated ad fraud operations to date.” 3ve infected at minimum 1.7 million computers at any given time, counterfeited more than 10,000 websites, and generated between three and 12 billion requests per day to sell fake online advertising.
US-CERT published a technical alert about the malware associated with 3ve, Boaxxe/Miuref — dubbed Methbot in the White Ops paper — and Kovter malware, as well as potential solutions proposed by the FBI and Department of Homeland Security (DHS). If you believe you were a victim of the malware or hijacked IPs, you are urged to submit a complaint to www.ic3.gov using the hashtag #3ve in your complaint.
“Today, we have helped the industry create real consequences for actors behind mass exploitation,” said White Ops CEO Sandeep Swadia.
“Fraud operations like 3ve bring distrust and instability to the Internet by compromising everyday people’s computers, stealing from businesses, and robbing content publishers. The dismantling of 3ve, along with law enforcement’s actions to hold the individuals accountable, is an important milestone for the digital advertising ecosystem and for billions of humans who rely on a safe and open internet.”