The US DoJ sentenced the Russian nation Aleksandr Zhukov, aka the ‘King of Fraud,’ for operating a large-scale digital advertising fraud scheme called Methbot (‘3ve‘) that stole at least $7 million from US organizations.
DoJ sentenced Zhukov to 10 years of jail in the U.S. and ordered to forfeit $3,827,493.
“Earlier today, at the federal courthouse in Brooklyn, Aleksandr Zhukov was sentenced by United States District Judge Eric R. Komitee to 10 years’ imprisonment for perpetrating a digital advertising fraud scheme through which the defendant and his co-conspirators stole more than $7 million from U.S. advertisers, publishers, platforms, and others in the U.S. digital advertising industry.” reads the press release published by DoJ. “The Court also ordered Zhukov to pay $3,827,493 in forfeiture.”
In November 2018, a joint operation conducted by law enforcement and private firms such as Google and WhiteOps took down 3ve that was considered one of the largest and most sophisticated digital ad-fraud campaigns that infected over 1.7 million computers to carry out advertising frauds.
The name 3ve is derived from a set of three distinct sub-operations using unique measures to avoid detection, and each of them was built around different architectures with different components.
3ve has been active since at least 2014 and experts observed a peak in its activity in 2017.
Zhukov, aka Nastra, was arrested in Bulgaria, where he had lived since 2010, in November 2018 and was extradited to the US on January 18.
Zhukov was convicted following a jury trial in May 2021 of wire fraud conspiracy, wire fraud, money laundering conspiracy, and money laundering.
At this time, he will have to spend another seven years in prison.
“Sitting at his computer keyboard in Bulgaria and Russia, Zhukov boldly devised and carried out an elaborate multi-million-dollar fraud against the digital advertising industry, and victimized thousands of companies across the United States,” stated United States Attorney Peace. “Today’s sentence holds the defendant accountable for his deception and outright theft of more than $7 million, and sends a powerful message to cyber criminals around the world that there is no escape from the international reach of law enforcement.”
Operators used a broad range of technique to monetize their efforts, they created fake versions of both websites and used their own botnet to simulate visitors’ activities, then offered ad spaces to advertisers, and Border Gateway Protocol hijacking for traffic redirection. Crooks also used malicious code to generate fake clicks over online ads and earn money.
“Zhukov and his co-conspirators programmed the bots to load real ads on blank webpages while falsely representing that the ads were loading on real webpages, “spoofing” the domains of more than 6,000 publishers, including The New York Times, the New York Post, the New York Daily News, Newsday, and the Staten Island Advance.” continues DoJ. “To create the illusion that human internet users were viewing the advertisements loaded onto these spoofed webpages, Zhukov and his co-conspirators programmed the bots to appear and behave like human internet users.”
“3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right.” read the report published by WhiteOps.
“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users,”
The size of the infrastructure involved in the 3ve ad-fraud campaign is very huge, according to the experts fraudsters infected 1.7 million computers with malware, attackers used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.
The experts discovered that crooks used over 60,000 accounts selling ad inventory generating a record of 3 to 12 billion of daily ad bid requests.
“All told, 3ve controlled over 1 million IPs from both residential botnet infections and corporate IP spaces (as noted above, there were up to 700,000 active infections at any given time).” continues the report.
“In aggregate, the operation also produced more than 10,000 counterfeit domains, and generated over 3 billion daily bid requests at its peak. We estimate that portions of the bot operation spanned over 1,000 servers in data centers allocated to various functions needed for this type of large-scale operation”
Experts observed three 3ve operations during their investigation:
So-called 3ve.1 sub-operation leveraged a the Boaxxe botnet, aka Miuref and Methbot, composed of infected systems in data centers across the US and Europe.Attackers also carried out BGP hijacking to obtain IP addresses used for traffic proxying from the compromised bots the data centers. The infected systems were used to visit both fake and real web pages.
“All the fake ad requests from 3ve.1 initially pretended to be from desktop browsers, but this changed over time, with the operation increasingly relying on spoofed mobile traffic. This was done by the data center-based browsers pretending to be Android devices.” continues the report.
“There were two unique, active mobile misrepresentation schemes: in one the ad requests were spoofed to look like they came from mobile apps, in the other the ad requests were spoofed to look like they came from mobile browsers. The spoofing was achieved by overriding the parameters typically used to determine what type of device the traffic came from”According to the investigators, between September 2014 and December 2016, the scheme involved over 1,900 servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites. With this scheme, fraudsters generated millions of dollars in profit for its operators.
In this second scheme, attackers used counterfeit domains to sell fake ad inventory to advertisers. Attaclers used a hidden, custom-built browsing agent (Chromium Embedded Framework) on more than 700,000 computers that were compromised with the Kovter malware.Fraudsters used redirection servers that instructed the infected computers to visit fake web pages operated by the gang.
In the third sub-operation bots were installed in data centers and used the IP addresses of other data centers as proxies.
The 3ve campaign was first spotted in 2016 by ESET that tracked the botnet as Boaxxe botnet.
Security firms helped the FBI to shut down the massive ad-fraud operation. Law enforcement obtained warrants that allowed them to seize 31 internet domains and 89 servers of the 3ve infrastructure.
(SecurityAffairs – hacking, Operation Cyclone)