Feds Charge 8 in Large-Scale Ad Fraud & Botnet Scheme

The Justice Department has charged eight people with operating a large-scale ad fraud scheme that involved a pair of botnets based on malware dubbed Kovter and Boaxxe.

Scott Ferguson, Managing Editor, Light Reading

November 28, 2018


The US Justice Department has charged eight people in a massive ad fraud scheme that netted the group millions of dollars and used sophisticated botnets based on two different kinds of malware dubbed Kovter and Boaxxe.

The 13-count indictment was announced by the US Attorney's Office for the Eastern District of New York and unsealed on November 27. Of the eight people named in the document, three are in custody and are awaiting extradition to the US.

Together, this group, which is also known as "3ve," operated two different ad network schemes that defrauded various companies out of approximately $36 million in revenue between September 2014 and October 2018.

The scheme included two different fraudulent ad networks. In both cases, the group convinced companies to place ads with them that would appear on various websites. Instead, fraudulent sites were created and the "people" clicking the ads were only machines programmed to imitate consumer behavior.

Overview of the 3ve operation (Source: Google and White Ops)

"The defendants faked both the users and the webpages: they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," according to Tuesday's indictment.

The first ad network, which prosecutors called "The Datacenter-based Scheme," involved 1,900 different servers rented in Dallas and other locations. These computers helped load legitimate ads on fraudulent websites, which then actually spoofed more than 5,000 different domains.

In addition, these servers were used to imitate real human behavior on the Internet, including "browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," according to the indictment.

Finally, the group leased about 650,000 different IP addresses, assigned those addresses to the servers and then registered those addresses to give the appearance of customers belonging to different ISPs.

This part of the scam ran for two years and the group collected about $7 million from the ad clicks it generated, according to the indictment.

The second fraudulent ad network, called "The Botnet-Based Scheme," involved the two botnets based on the malware known as Kovter and Boaxxe. In this case, the bots infected more than 1.7 million PCs in the US and elsewhere.

Both Kovter and Boaxxe are spread through email attachments and drive-by downloads, according to the US Computer Emergency Response Team (US-CERT), which issued its own alert about the fraud on the same day the indictment was unsealed. In both cases, the malware is controlled by a command-and-control server, which sends instructions.

Once the botnets gained control of the PCs, the malware would create a hidden browser that downloaded fabricated webpages and then load ads onto those webpages. Prosecutors suspect that the scheme produced billions of fraudulent ad clicks and netted the group $29 million in false advertising revenue during a three-year period.

Eventually, FBI agents gained warrants to investigate the scheme and redirected traffic from different domains -- known as sinkholing -- in order to shut down the botnets. Authorities also seized 89 different physical servers.

In addition to the US Justice Department, the FBI and New York City Police, authorities noted that Google, Microsoft, Trend Micro and various other tech vendors participated in the case. In a whitepaper about the group, Google and White Ops researchers noted that at their peak, these botnets could produce between 3 billion and 12 billion ad clicks each day.

The eight indicted individuals are: Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko. The charges against them include wire fraud, computer intrusion, aggravated identity theft and money laundering.

Of the eight, Ovsyannikov was arrested in October in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested a few weeks ago in Estonia. They are all awaiting extradition to face charges in the US. It's not known where the other five are as of now.

In the indictment, the Justice Department believes that Ovsyannikov, Timchenko and Isaev were primarily responsible for the network that used the two botnets. However, Zhukov, Timokhin, Denis Andreev, Mikhail Avdeev and Novikov, along with Ovsyannikov, oversaw the data center scheme.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.