Botnets disrupted in major anti-fraud operation
An anti-fraud operation led by the FBI has succeeded in disrupting a scam that has seen cybercriminals using botnets to manipulate internet traffic from 1.7 million IP addresses and generate nearly 30 million dollars in fraudulent ad revenue.
The ad fraud ring, known as '3ve', had been operating for a number of years and built two different botnets by spreading Kovter and Boaxxe malware to individuals through spam emails and drive-by downloads.
These have been used to manipulate internet traffic and direct it to ads run by the ring and sold to customers under the pretense that the traffic was from real visitors. Cybersecurity company F-Secure has played a supporting role in the FBI-led effort by exposing parts of 3ve's botnets and malware campaigns for the authorities.
"3ve blasts out failed delivery notification spam, which is a common attack vector these days. Users open an attachment or click a link and end up infected with Kovter, Boaxxe or even both," says F-Secure researcher Paivi Tynninen. "3ve also uses malvertising that redirects users to fake software updates and tricks victims into installing Kovter, which is a fairly popular social engineering tactic."
Fabricating internet traffic with these botnets helped 3ve convince buyers that their ads were being viewed by countless numbers of people.
"Ad fraud might not feel like a very pressing issue. But it costs a lot of businesses a lot of money, and those costs eventually get fed back to consumers," says F-Secure security advisor Sean Sullivan. "That makes these kinds of takedown operations beneficial to not just companies or advertisers, but pretty much everyone."
While 3ve's operations have been severely disrupted, it's unlikely to have gone for good. Sullivan adds, "Most modern botnets have pretty sophisticated backends that are extremely resistant to takedown attempts. Infected PCs can be used to begin rebuilding, so it's really important that individuals check their PCs and remove the malware if they discover an infection."
You can find out more on the F-Secure blog.