Skip to content
Naked Security Naked Security

Busted! DOJ exposes huge ad-fraud operation, eight charged

The US Department of Justice has charged eight men with running a vast ad-fraud scheme.

The US Department of Justice has charged eight men from Russia and Kazakhstan with running a vast ad-fraud scheme that milked a total of $36 million from advertisers.
Three of the accused – Aleksandr Zhukov, Sergey Ovsyannikov and Yevgeniy Timchenko – have been arrested in different countries pending extradition to the US, with Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, and Aleksandr Isaev still at large, an announcement said.
The fraud centred on two systems that resembled expertly crafted digital money trees.


The first, which ran between September 2014 and December 2016, dubbed ‘Methbot’ by discoverers White Ops in 2016, was a 1,900-strong farm of datacentre servers rented to host 5,000 bogus websites.
Not only was the traffic to these sites fictitious – the gang went to some lengths to simulate real users visiting these domains from fake geographic locations – but the sites themselves were spoofed versions of real sites including CNN, the New York Times, CBS Sports, and Fox News.
The sites were then added to legitimate ad networks where unsuspecting ad buyers could pay to advertise on them.
It’s been reported that ads were shown on as few as 10% of the visits Methbot’s fake users made to its fake websites (which means most of the Methbot activity was just a computer program talking to itself). Presumably this technique was meant to keep the fraud below the radar of suspicious ad networks.
When ads were shown, advertisers would bid against each other algorithmically to decide which ad was shown on any given visit to the site. Once the bid had been won and an ad displayed, the bot’s browser would click on it and the advertiser would pay the fake Methbot site for successfully generating a click.
To make that interaction appear more human, the system could even stop and restart videos.
Estimated fraud: at least $7 million.

3ve (‘Eve’)

The second part of the operation, dubbed 3ve, was a more conventional but hugely profitable clickfraud botnet comprising 1.7 million computers infected with the Kovter malware that ran between December 2015 and October this year.
3ve’s purpose was simply to quietly generate as much entirely fake traffic as possible to adverts that would earn the gang money, an ambition it succeeded in fulfilling and then some.
Estimated fraud: another $29 million
In total, that’s $36 million siphoned from networks for ads and videos nobody watched on sites that never existed.

Does ad-fraud matter?

If this sounds like a victimless crime, that’s simply because the ad networks paying out all this money have not been named. Ultimately, the money stolen came from a company buying ad space, whose costs are eventually passed on to consumers.
Around a month ago, the FBI, assisted by Google and the group’s nemesis White Ops, worked together on one of the US authorities’ periodic botnet takedowns.
Swiss bank accounts were seized, domains and servers went dark, which sounds rather easy until you read that just to kill 89 servers, officials had to visit 11 different US hosting providers in a short space of time.
What this does for the image of internet advertising is an open question, but it’s clear that the sums involved are drawing in fraudsters by the thousand.
A 2016 estimate by the World Federation of Advertisers warned that if left unchecked the problem could grow into a $50 billion black hole by 2025.
That’s a lot of money to fuel more advanced malware, ambitious criminal gangs, as well as inevitable counter-measures such as browser adblocking to shield eyeballs from advertising.
Frighteningly, it also dwarfs the sums stolen by Methbot and 3ve, which raises an obvious question: are there even bigger, badder ad-fraud networks still out there?


Assuming all this is mostly about Google and if 3ve (‘Eve’) is Adsense fraud, then it is just a two way scam between Google and the scammers, But with Methbot, I would say that Google is obliged to repay advertisers for money the advertisers spent on the fake display network. After all, Google approved the publishers. That’s what I would argue and I wonder whether any advertisers have argued that, or indeed whether they have been reimbursed?
Love the name ‘White Ops’


“It’s been reported that ads were shown on as few as 10% of the visits Methbot’s fake users made to its fake websites (which means most of the Methbot activity was just.)”
How does fake traffic to fake websites become “just” simply because it didn’t include fake ads? This was all a pack of lies, with fake traffic to fake sites used to create a fraudulent reputation. No “justice” in that. And the 90% rate of ad-free fake traffic was used to create a veneer of believability. No “justice” in that.
Surely all the traffic was “unjust”, with 10% of it used directly to generate revenue.


That was my mistake in editing – I chopped a bit out with a view to adding something else… and then didn’t add it, so you were left with a hanging “just”. I’ve now added the rest of the sentence – “…just a computer program talking to itself”.


Hohoho, that’s funny. If the word had been “only” or “simply” it would have been obvious something was missing but “just” just wasn’t unambiguous.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!