Earlier this year, self-described “digital fraud king” Alexander Zhukov went on trial in Brooklyn, New York, accused of running more than $7 million in online advertising fraud operations that were considered the largest and most sophisticated cybercriminal campaigns to date.
Although Zhukov did not admit his guilt, unlike his accomplices, the jury ultimately convicted him on four counts of bank fraud and money laundering.
Cybersecurity company Human, which played a key role in bringing Zhukov to trial, believes that this verdict sets a precedent. It could significantly affect all future decisions in economic-crime cases involving digital fraud.
But what is interesting is not so much the verdict itself, but the fraud techniques invented by Zhukov and his team, which they used to deceive advertisers. In short, he infected users' devices through hacked data center infrastructure and created an army of bots from them, capable of generating billions of pseudo-views of advertisements per day.
“The internet as a whole is all about views and clicks,” says Tamer Hassan, chief executive of Human. “And what’s most incredible is that it’s teeming with fake views and clicks that are changing the entire digital economy. There are botnets that are designed specifically to interact with ads, listen to music, watch TV, and manipulate public opinion. And that brings us to the big question: What would you do if you could imitate the actions of millions of real users?”
Contents
1. The name of this army is one million
2. Who is responsible for all this?
3. Play attack, not defense
The name of this army is one million
Botnets come in many different types and sizes. They are put to use across the full range of fraudulent cybercrime - from DDoS attacks, spam and identity theft to bulk buy-outs of limited-edition goods on online shopping sites.
Beginning in 2016, Zhukov created two botnets primarily for the purpose of defrauding participants in the online advertising ecosystem: Methbot and 3ve (pronounced "Eve").
For the first botnet, he and his team created more than 250,000 URLs on about 6,000 fake domains. This way, they imitated large webmaster resources and deceived verification algorithms on advertising platforms.
Using data center infrastructure and IP addresses purchased using fake login credentials, cybercriminals unleashed a deluge of fake PPC (pay-per-click) ad traffic. At its peak, Methbot was capable of simulating 300 million video ad views per day.
The 3ve botnet was more complex and extensive in functionality. It had access to data centers and 1.7 million Windows devices infected with malware.
The botnet was able to generate 12 billion pseudo-clicks on ads per day across 10,000 fake websites. It evaded protection systems with ease - the bots imitated the behavior of real users, for example by moving the mouse or clicking on the page.
Mr. Hassan acknowledged that both operations were carried out with high quality, like a Silicon Valley startup.
“This is not some childish prank,” he says. “They were updating the malware code every two weeks on the same day and using agile software development methods, using Jira and other modern ticketing systems.”
“As with any IT company that develops software, operators conducted A/B testing and looked for all sorts of approaches, as well as tested the bots for functionality in case of unforeseen situations.”
One of the reasons Zhukov and others on his team were so brazen in their massive fraudulent operations was that the potential rewards far outweighed the risks, Mr Hassan said. Until recently, the worst-case scenario for cybercriminals was that their activities would be discovered and simply blocked, with extradition and prosecution probably not even an option.
Who is responsible for all this?
The way digital advertising is organized is extremely complex and rivals the financial trading sphere. Between the advertiser who promotes his goods and the Internet user as the end consumer of the advertisement sit dozens of different IT companies, thanks to which this entire network functions.
Online advertising is mostly bought and sold on automated platforms. Webmasters agree to place ads on their pages and sell the space for them at auction using SSP (Supply-Side Platform) technology.
Advertisers select and buy the available placements from webmasters at auction using DSP (Demand-Side Platform) technology, focusing on the quality of the site, its traffic and other indicators.
These auctions are conducted billions of times a day, resulting in personalized ads being displayed in your browser within a fraction of a second of the page loading time.
Zhukov and his team placed themselves on both sides of this advertising funnel, impersonating webmasters with premium sites to deceive advertisers and creating fake traffic to generate revenue from PPC advertising on fake domains.
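The two fraud patterns described above (premium domains spoofed in bid requests and served from rented data-center IPs, and infected home PCs replaying scripted mouse and click events) lend themselves to simple buy-side triage. The following is an added defender-side example, not code from Human or from the article; the IP prefixes, publisher domains and impression records are all constructed and hypothetical.

```python
import ipaddress
import statistics
from dataclasses import dataclass
# Constructed reference data (hypothetical): hosting prefixes and trusted premium publisher domains.
DATACENTER_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]
PREMIUM_DOMAINS = {"premium-news.example", "bigsports.example"}

@dataclass
class Impression:
    declared_domain: str    # publisher domain the seller declares in the bid request
    referer_domain: str     # domain the browser actually reported when the ad rendered
    client_ip: str          # source address of the ad request
    event_gaps_ms: list     # milliseconds between successive mouse/click events

def is_datacenter(ip: str) -> bool:
    """Methbot-style traffic came from rented data-center ranges, not from homes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)

def is_spoofed(imp: Impression) -> bool:
    """A premium domain is declared, but the page that rendered the ad is another site."""
    return imp.declared_domain in PREMIUM_DOMAINS and imp.referer_domain != imp.declared_domain

def is_scripted(imp: Impression) -> bool:
    """Replayed mouse/click scripts are metronomic; human event timing is jittery."""
    if len(imp.event_gaps_ms) < 3:
        return False            # too few events to judge either way
    return statistics.pstdev(imp.event_gaps_ms) < 2.0

def score(imp: Impression) -> list:
    """Return the fraud indicators that fire for one impression (empty list = clean)."""
    checks = (("datacenter_ip", is_datacenter(imp.client_ip)),
              ("domain_spoof", is_spoofed(imp)),
              ("scripted_events", is_scripted(imp)))
    return [name for name, hit in checks if hit]

def flagged(impressions) -> dict:
    """Map impression index -> indicators, keeping only impressions with at least one."""
    return {i: score(imp) for i, imp in enumerate(impressions) if score(imp)}

# Constructed sample: a human view, a Methbot-like data-center bot, and a 3ve-like infected home PC.
SAMPLE = [
    Impression("premium-news.example", "premium-news.example", "192.0.2.10", [120, 340, 95, 410, 230]),
    Impression("premium-news.example", "cheap-fakes.example", "198.51.100.7", [100, 100, 100, 100]),
    Impression("bigsports.example", "bigsports.example", "192.0.2.55", [250, 250, 251, 250]),
]

if __name__ == "__main__":
    for idx, reasons in flagged(SAMPLE).items():
        print(idx, reasons)
```

The third record shows why IP reputation alone is not enough: an infected residential machine passes the data-center check and only the timing check catches it.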
As a result of these operations — 3ve and Methbot — the cost per conversion for advertisers skyrocketed, while the number of real users actually viewing the ads was several times lower than the reported figures. The companies did not even suspect that they were inadvertently funding fraud and other illegal activities, such as malware development or the extortion of bank funds.
On the other side are casual users who also become victims of this activity, as their devices are infected with malware and used as “zombies” in the botnet army. In addition to these devices being abused to carry out criminal operations, the infection also exposes the owners to the risk of data theft and secondary attacks.
With so many stakeholders in the digital advertising ecosystem, it can be difficult to determine who is responsible for stopping fraudulent attacks. According to Mr. Hassan, the responsibility lies with all parties.
To some extent, the advertiser is responsible for ensuring that their money is not spent for dishonest purposes, especially since an entire ecosystem exists to verify this; webmasters and platforms, in turn, need to be sure that they are open only to real human traffic. Each participant has their own responsibilities.
Play attack, not defense
As sophisticated as Zhukov's schemes were, his fraudulent advertising campaigns were eventually uncovered thanks to the cooperation of IT companies with intelligence agencies. The first signs of the crime were identified by researchers at Human. Their findings and research were shared with partners in the security and advertising industries, as well as with law enforcement agencies.
Over the course of two years, more than 30 private companies and six international agencies monitored the group, succeeding in shutting down the botnet and securing the extradition of four of the eight Russian cybercriminals who stood trial.
The goal of all this concerted effort was to change the economics of cybercrime, making it technically harder for fraudsters to carry out their schemes and making the activity less profitable. Mr. Hassan believes that this kind of large-scale cooperation, or “collective resistance,” is the only way to achieve this goal.
"Part of our thesis was that we shouldn't just play defense. We need to play offense, and we need to do it together. That's how the fight against click fraud should develop," he concluded.
"Any company that tries to uncover a botnet on its own will find it difficult to see the full picture. But when companies work together, it makes it harder for the scammers to do anything. Anything else is just a game of cat and mouse."
A guilty verdict for Zhukov, according to Mr. Hassan, is very significant, since it changes the risk and cost of all advertising fraud: it can now entail imprisonment. Perhaps the next "Zhukov" will think twice about whether such a crime is worth committing at all.