The scheme, known as "3ve" (pronounced "Eve"), was described by the take-down team as a "very complex, ever-shifting maze." What started as a small botnet operation, first discovered in 2016, grew to operate on a huge scale, using the malware packages Boaxxe and Kovter to infect PCs. Both were spread by booby-trapped emails and drive-by downloads, hijacking devices so that they would generate fake clicks on ads and earning the operators hefty sums of money from duped advertising networks. The attackers built massive networks of fake websites that took bids from the ad companies, then directed the infected machines to those sites in order to collect the ad revenue.
"3ve operated on a massive scale: at its peak, it controlled over one million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland)," Google said in its summary of the operation this week.
"It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right. Shortly after we began to identify the massive infrastructure (comprised of thousands of servers across many data centers) used to host 3ve's operation, we found similar activity happening within a network of malware-infected residential computers."
According to Google, 3ve's "sheer size and complexity posed a significant risk not just to individual advertisers and publishers, but to the entire advertising ecosystem." Indeed, the global digital ad industry is worth an estimated $250 billion, and ad fraud is one of the most profitable crimes carrying the least risk. According to the World Federation of Advertisers, ad fraud is on track to be overtaken only by the illicit drug trade in terms of annual revenue -- an estimated $19 billion will have been stolen this year alone by fraudsters.
"We had to shut the operation down for good, which called for greater, more calculated measures," said Google. "To that end, it was critical that we played the long game, endeavoring to have a more permanent, more powerful impact against this and future ad fraud operations." Google subsequently formed a working group of 16 organizations comprising security vendors and law enforcement outfits, including the US Department of Homeland Security and the FBI's Internet Crime Complaint Center. After several months spent observing the operation, the group launched a sweeping shutdown that stymied 3ve's traffic over the course of just 18 hours.
Ad fraud is low-risk and potentially lucrative, but it's unusual for perpetrators to face criminal charges or significant consequences, so today's charges by the Department of Justice send a clear signal that it recognizes ad fraud as a serious crime. As Richard P. Donoghue, United States Attorney for the Eastern District of New York, commented, "This case sends a powerful message that this Office, together with our law enforcement partners, will use all our available resources to target and dismantle these costly schemes and bring their perpetrators to justice, wherever they are."