3ve

3ve was a botnet that operated between about 2013 and 2018.

History

3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. [1] The botnet was first discovered in 2016 [1] by White Ops, [2] and was active since at least 2013. [3] The discovery led to the start of a 2017 FBI investigation. [4]

The botnet

3ve used the malware packages Boaxxe and Kovter to infect a network of PCs. The malware was spread through emails and fake downloads, and once a machine was infected, the bot generated fake clicks on online advertisements. The clicks were directed at fake websites that hosted ads and collected the ad revenue from the fraudulent impressions. [1] The bots were able to mimic both desktop and mobile traffic in order to evade detection, and the operation went through several evolutions of tactics as it grew over time. [5]

At its peak, the botnet controlled more than one million residential and corporate IP addresses, largely within Europe and North America. [1] It is estimated that 1.7 million PCs were infected over time, clicking on more than ten thousand fake websites [5] with more than 250,000 total webpages, [6] taking in ad revenue from about sixty thousand digital advertising accounts that placed the false ads. [7] The network issued more than three billion fraudulent ad bid requests per day. [5] About thirty million dollars was stolen over the time the botnet was in use. [8]
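As an added defender-side illustration (not from the original article or from any of the cited investigations), the following Python sketch applies one heuristic suggested by the description above: a single residential IP that switches between desktop and mobile device classes, hits many different publisher sites and clicks almost everything within a short window behaves like an infected PC rather than a person. The log lines, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ad-request log lines (not real 3ve data). Fields: timestamp,
# client IP, device class reported by the user agent, publisher site that
# served the ad, and whether the impression was clicked (1) or not (0).
LOG = """\
2018-10-01T12:00:01Z 203.0.113.10 desktop news-a.example 1
2018-10-01T12:00:03Z 203.0.113.10 mobile news-b.example 1
2018-10-01T12:00:05Z 203.0.113.10 desktop news-c.example 1
2018-10-01T12:00:07Z 203.0.113.10 mobile news-d.example 1
2018-10-01T12:00:09Z 203.0.113.10 desktop news-e.example 1
2018-10-01T12:03:00Z 198.51.100.7 desktop news-a.example 0
2018-10-01T12:09:00Z 198.51.100.7 desktop news-a.example 1
2018-10-01T12:15:00Z 198.51.100.7 desktop news-f.example 0
"""

def parse(log):
    """Turn the whitespace-separated log into (time, ip, device, site, clicked) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, device, site, clicked = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append((when, ip, device, site, clicked == "1"))
    return rows

def suspicious_ips(rows, window_s=60, min_events=5, max_ctr=0.5):
    """Flag an IP when, inside any window_s-second window, it produced at least
    min_events ad events, presented more than one device class, hit at least
    three distinct publisher sites, and clicked more often than max_ctr.
    Thresholds are illustrative assumptions, not values from the article."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row[1]].append(row)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, *_rest) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            if len(window) < min_events:
                continue
            devices = {e[2] for e in window}
            sites = {e[3] for e in window}
            ctr = sum(e[4] for e in window) / len(window)
            if len(devices) > 1 and len(sites) >= 3 and ctr > max_ctr:
                flagged[ip] = {"events": len(window), "sites": len(sites), "ctr": ctr}
                break
    return flagged
```

On the constructed log only 203.0.113.10 is flagged; the second IP shows a human-like pace and click ratio and stays clear.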

Closure

The botnet was shut down through a collaboration of multiple organizations, including White Ops, Google, the Department of Homeland Security, and the FBI Internet Crime Complaint Center. [1] Other organizations involved included Adobe, the Trade Desk, Amazon Advertising, Oath, Malwarebytes, ESET, Proofpoint, Symantec, F-Secure, McAfee, and Trend Micro. [7] Following the end of the investigation that took down the botnet, the Department of Justice issued thirteen indictments against eight individuals, in a case led by United States Attorney Richard P. Donoghue. [7] Six of the individuals charged were from Russia, and two were from Kazakhstan. [9] Additionally, 31 internet domains and 89 servers were seized by the FBI. [5]

References

  1. "FBI and Google dismantle multi-million dollar ad fraud scheme". Engadget.
  2. "Charges laid over 3ve, Methbot ad fraud schemes". Computerworld.
  3. Goodin, Dan (21 December 2018). "How 3ve's BGP hijackers eluded the Internet—and made $29M". Ars Technica.
  4. "Eight People Are Facing Charges As A Result Of The FBI's Biggest-Ever Ad Fraud Investigation". BuzzFeed News.
  5. Cimpanu, Catalin. "FBI dismantles gigantic ad fraud scheme operating across over one million IPs". ZDNet.
  6. "FBI swats down massive, botnet-fueled ad fraud operation". SC Media. 28 November 2018.
  7. Beer, Jeff (28 November 2018). "FBI and Google take down multimillion-dollar ad fraud operation". Fast Company.
  8. "FBI Shuts Down Multimillion Dollar – 3ve – Ad Fraud Operation". The Hacker News.
  9. Shields, Ronan. "White Ops Launched a PSA to Increase Public Awareness About Ad Fraud". www.adweek.com.