3ve Offline: Countless Windows PCs using 1.7m IP addresses hacked to 'view' up to 12 billion adverts a day

A collection of cybersecurity companies, Google, and the Feds are sharing details on how they uncovered and dismantled a massive ad-fraud operation known as "3ve" (pronounced "Eve".)

Google says that at its peak, the 3ve scam employed as many as 1.7 million hijacked devices to generate fake clicks on adverts, and made its operators heavy payouts from duped advertising networks. The 3ve's operators created massive networks of fake websites that would take bids from ad networks, and then send the infected machines to the sites in order to collect ad revenues.

"3ve operated on a massive scale: at its peak, it controlled over one million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland)," Google said in its summary of the operation this week.

"It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right. Shortly after we began to identify the massive infrastructure (comprised of thousands of servers across many data centers) used to host 3ve’s operation, we found similar activity happening within a network of malware-infected residential computers."

Google says that the 3ve network actually started as a small botnet operation, which was first detected back in 2016. Over the next year the scam would grow far larger and its operators began using a number of complex evasion techniques to avoid detection by click-fraud systems. The operators used a pair of malware packages – Windows-targeting Boaxxe and Kovter – to infect victims' PCs.

Boaxxe, aka Miuref, and Kovter were spread by booby-trapped email attachments and drive-by-downloads, effectively tricking people into installing them. BGP hijacking was also used in the caper to ultimately control, in just one 10-day sample, 1.7 million IP addresses, which were used to fire off what looked like legit ad requests and clicks.

The above link goes to more technical details, including signs of infection to look out for.

Primarily, we note, the fraudsters used malicious adverts booked on PornHub to redirect netizens to booby-trapped webpages that disguised malware as legit browser and Adobe Flash updates, as previously reported.

Assembling the A Team

In 2017 Google said it called in additional help from antimalware vendors. ProofPoint and Malwarebytes were brought in to help identify the malware 3ve was using to enlist new commandeered Windows PCs into its ranks. The malware would only install on systems that weren't running security software and would only execute the ad-fraud activity if its IP address was located in a certain area with a specific ISP.

This allowed the network to evade detection and grow to a massive scale, at its peak viewing and clicking on anywhere from three to 12 billion ads per day.

"3ve’s sheer size and complexity posed a significant risk not just to individual advertisers and publishers, but to the entire advertising ecosystem," Google said.

"We had to shut the operation down for good, which called for greater, more calculated measures. To that end, it was critical that we played the long game, endeavoring to have a more permanent, more powerful impact against this and future ad fraud operations."

To shut down the operation, Google said it formed a working group consisting of 16 organizations, including security vendors and law enforcement outfits, including the US Department of Homeland Security and the FBI's Internet Crime Complaint Center.

The takedown of the network, says Google, was swift and severe. After spending several months observing the operators, the group launching a sweeping shutdown operation that caused the network's traffic to nearly flatline over the span of 18 hours (Google wouldn't say exactly when this happened.)

Now, the Chocolate Factory says it wants to create and maintain both standards for security vendors and ad networks to guard against fraud operations and educate both advertisers and publishers about fraud.

Meanwhile, the DHS and FBI are advising anyone who thinks their systems might be infected with 3ve's malware to report the matter to the FBI's IC3 website. ®