Feds take down international hacker ring that cost advertisers millions
What you should know about the dismantling of the 3ve and Methbot botnets.
This week, a federal court indicted eight individuals for their roles in widespread digital advertising fraud, with charges ranging from wire fraud and computer intrusion to aggravated identity theft and money laundering.
The news is the latest chapter in a multi-year investigation of ad fraud botnets initiated by ad fraud security firm WhiteOps in 2016. Botnets are complex networks of computers, IP addresses and automation that mimic human behavior on websites to siphon ad dollars from unsuspecting advertisers led to believe their ads are getting served to real people.
3ve and Methbot botnets. WhiteOps worked with Google and an alliance of nearly 20 companies representing the interests of ad tech, security, and internet infrastructure to investigate the fraudulent activity. According to WhiteOps, the botnet 3ve (pronounced “eve”) infected a minimum of 1.7 million computers at any given time, counterfeited more than 10,000 websites and generated between 3 to 12 billion requests per day to sell fake online advertising.
The indictment is against three so-called ‘bot kingpins’ of the infamous botnets known as Methbot and 3ve, as well as other parties that were involved. Per Bjorke, product manager of ad traffic quality at Google, said in a blog post that the FBI coordinated a takedown of the 3ve’s infrastructure, making it hard to rebuild.
Richard P. Donoghue, United States Attorney for the Eastern District of New York, said in a statement: “This case sends a powerful message that this Office, together with our law enforcement partners, will use all our available resources to target and dismantle these costly schemes and bring their perpetrators to justice, wherever they are.”
“Remarkably sophisticated.” Because of the breadth and complexity of botnet systems, they are incredibly difficult to take down. Google says that “at its peak, [3ve] controlled over 1 million IPs from both residential malware infections and corporate IP spaces primarily in North America and Europe.”
It gets even more complicated. In the course of the investigation of 3ve, the group found a sophisticated operation that generated billions of fraudulent ad bid requests and it created thousands of spoofed fraudulent domains.
“3ve was remarkably sophisticated,” said Tamer Hassan, CTO of WhiteOps. “It showed every indication of a well-organized engineering operation with best practices in software development. It exhibited reliability, resilience and scale, rivaling many state-of-the-art software architectures.”
Why you should care. These massive fraud operations hurt advertisers and undermine the digital advertising ecosystem as a whole. Google said the detected growth in ad bid requests didn’t necessarily mean there was a growth in transactions that resulted in charges to advertisers and that the “bid request volume was only a small percentage of overall bid request volume across the industry,” but the FBI said it cost advertisers millions of dollars and undermined confidence in the process.
FBI Assistant Director-in-Charge William Sweeney said, “[T]hese individuals built complex, fraudulent digital advertising infrastructure for the express purpose of misleading and defrauding companies who believed they were acting in good faith, costing them millions of dollars. This kind of exploitation undermines confidence in the system, on the part of both companies and their customers.”
Google’s Bjorke said, “3ve’s focus, like many ad fraud schemes, was not a single player or system, but rather the whole advertising ecosystem … While ad fraud traditionally has been seen as a faceless crime in which bad actors don’t face much risk of being identified or consequences for their actions, 3ve’s takedown demonstrates that there are risks and consequences to committing ad fraud.”
What can advertisers do? Mike Bittner, digital security and operations manager of non-profit media advocate The Media Trust touts collaboration and awareness as keys to fighting these types of attacks.
“3ve underscores the importance of knowing who you do business with along the digital ad supply chain and of collaborating with them on identifying the underlying malicious code, which wreaks havoc on unknowing users and undermines the supply chain,” Bittner said.
Combating ad fraud has become a priority for the industry. Several solutions and initiatives have emerged including seller certification and authentication efforts such as ads.txt and the Trustworthy Accountability Group (TAG). Buying via programmatic direct channels versus open exchanges is also growing rapidly because it gives sellers a clearer connection to sellers.