FBI, Cybersecurity Defenders Dismantle Bogus Digital Ad Network


The U.S. Justice Department has indicted eight alleged cyber scammers with running the bogus online advertising schemes 3ve and Methbot to swindle some $36 million from companies that believed they were paying to place legitimate ads on websites.

Of the racketeers in the 13-count indictment unsealed in federal court in Brooklyn, New York, Sergey Ovsyannikov, Yevgeniy Timchenko and Aleksandr Zhukov were arrested over the past month in Malaysia, Estonia and Bulgaria, respectively. The other five, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov and Aleksandr Isaev have not been apprehended, the Justice Department said in a statement.

“The defendants in this case used sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud,” said Richard Donoghue, U.S. Attorney for the Eastern District of New York. “This case sends a powerful message that this office, together with our law enforcement partners, will use all our available resources to target and dismantle these costly schemes and bring their perpetrators to justice, wherever they are.”

The charges:
The charges included wire fraud, money laundering, aggravated identity theft and computer intrusion. The Federal Bureau of Investigation (FBI), the U.S. Department of Homeland Security (DHS) and a number of cybersecurity providers were part of the investigation and takedown, code-named Operation Eversion.

The scam:
In the Methbot scam, which ran from September 2014 to December 2016, Zhukov, Timokhin, Andreev, Avdeev and Novikov set up business deals with ad networks valued at $7 million for ad placeholders on real websites. Instead, the crew rented more than 1,900 servers housed in commercial datacenters in Dallas, Texas and elsewhere and used those systems to load ads on fabricated websites, spoofing more than 5,000 domains. At one point, the defendants controlled 700,000 IP addresses.

With 3ve, from December 2015 to October 2018, Ovsyannikov, Timchenko and Isaev created fake websites and site visitors by harnessing a botnet of 1.7 million computers infected with Boaxxe/Miuref and Kovter malware. The grifters made off with $29 million.

The takedown:

The FBI executed seizure warrants to redirect traffic (sinkhole) 23 internet domains used in the botnet-based scheme. The FBI also executed search warrants at 11 different U.S. server providers for 89 servers. Along the way, the FBI discovered a cyber crime infrastructure similar to 3ve located in Germany and a botnet in the U.S. infected with the Boaxxe malware. The FBI executed seizure warrants to sinkhole eight domains behind that scheme. And, the feds seized multiple international bank accounts in Switzerland and elsewhere associated with the racket.

Cybersecurity defenders that assisted in Operation Eversion:

  • White Ops
  • Google
  • Proofpoint
  • Fox IT
  • Microsoft
  • ESET
  • Trend Micro
  • Symantec
  • CenturyLink
  • F-Secure
  • Malwarebytes
  • MediaMath
  • National Cyber-Forensics and Training Alliance
  • Shadowserver Foundation.

DHS, FBI recommendations (to remediate Boaxxe/Miuref or Kovter infections):

  • Use and maintain antivirus software.
  • Avoid clicking links in email.
  • Change your passwords.
  • Keep your operating system and application software up-to-date.
  • Use anti-malware tools.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.