In a coordinated effort, the FBI, Department of Homeland Security, Google, and other private security companies disrupted a major ad-fraud network that the government says was responsible for tens of millions of dollars in losses.

The network, known as 3ve, controlled more than a million compromised IP addresses and generated revenue for its operators through a web of fake websites and fraudulent traffic that the operators represented as real to advertisers. As part of the takedown, the Department of Justice unsealed indictments against eight people it alleges were running the 3ve network, three of whom have been arrested abroad and are awaiting extradition.

“As alleged, these individuals built complex, fraudulent digital advertising infrastructure for the express purpose of misleading and defrauding companies who believed they were acting in good faith, and costing them millions of dollars. This kind of exploitation undermines confidence in the system, on the part of both companies and their customers,” said FBI Assistant Director-in-Charge Sweeney.

The investigation into the 3ve network began last year when researchers at Google identified a significant amount of weird traffic and began tracking it, with the help of WhiteOps, a security firm that specializes in bot detection and blocking. The 3ve network started small but grew over the course of 2017 and 2018 into a huge botnet that controlled a massive number of IP addresses in home and corporate networks. The network’s operators used this power to submitted a huge number of automated ad bids each day in an effort to get legitimate ads on their bogus sites.

“Through our investigation, we discovered that 3ve was comprised of three unique sub-operations that evolved rapidly, using sophisticated tactics aimed at exploiting data centers, computers infected with malware, spoofed fraudulent domains, and fake websites. Through its varied and complex machinery, 3ve generated billions of fraudulent ad bid requests (i.e., ad spaces on web pages that advertisers can bid to purchase in an automated way), and it also created thousands of spoofed fraudulent domains,”  Per Bjorke, product manager for ad traffic quality at Google said.

“It should be noted that our analysis of ad bid requests indicated growth in activity, but not necessarily growth in transactions that would result in charges to advertisers. It’s also worth noting that 3+ billion daily ad bid requests made 3ve an extremely large ad fraud operation, but its bid request volume was only a small percentage of overall bid request volume across the industry.”

At its peak, 3ve had more than 700,000 active, compromised machines in its network and more than 60,000 accounts selling garbage ad inventory. The 3ve botnet used several different strains of malware as part of its operations, including Boaxxe and Kovter, both of which spread through spam message with infected attachments, or drive-by downloads. Both pieces of malware are used to send traffic to sites controlled by the botnet operators.
In addition to the indictments, the government sinkholed the 3ve network’s command and control infrastructure, with the help of a number of security companies and groups. The botnet investigation and takedown was a complicated process, and people involved said the 3ve operation was among the more sophisticated ad-fraud networks to emerge recently.

“3ve was remarkably sophisticated,” said Tamer Hassan, CTO of White Ops. “It showed every indication of a well-organized engineering operation with best practices in software development. It exhibited reliability, resilience and scale, rivaling many state-of-the-art software architectures. To unravel the internal mechanics of such a fraud operation requires a multi-layered approach of real-time detection and prevention.”