Before the Dust Settles on a Major Ad-Fraud Investigation, Others Are Underway

As the ad-tech world continues to soul-search after the indictments and arrests of several foreign nationals related to a massive ad-fraud scheme, another firm says it’s investigating a similar case involving another 30 fake ad networks. The ad-tech cybersecurity firm Devcon says it’s spent the past two months investigating a similar case involving at least 30 fake ad networks. The company, based in Memphis, has already passed along information to the FBI. Within the fake ad networks being investigated by Devcon, the company has seen one of several key characteristics. Michael F D Anaya, Devcon’s head of global cyber investigations, said the bots sometimes install malicious apps that might include ransom ware, while others install tools for fake optimization aimed at getting the users to divulge more information than they should. Another is the propagation of bots that say a user needs to update their software, but when they click on it their device becomes part of the bot net. According to Devcon co-founder and CEO Maggie Louie, about 96 percent of the infected devices they’ve seen so far have been iPhones, along with a much smaller number of Windows desktop computers. About 80 percent of those have been involved with malicious redirects. Both the investigation by Devcon and a much larger one unsealed earlier this week by the FBI have revealed the increased complexity of the digital ad-fraud schemes while illustrating how hard they can be to both detect and prosecute. And sometimes it takes years spying on the botnets before they’re understood enough to fully identify and take down. Google—which along with two dozen companies helped the FBI investigate the botnet known as 3ve—started noticing anonymous signals in its system as far back as 2017. At the time, what they found was what looked like a modest, low-level botnet that had a minimal impact on business. “You don’t want to just kind of take them down once and have them tweak things and come back the net day,” said Scott Spencer, Google's director of product management for sustainable ads. The company initially internally nicknamed it “ChefBot,” but soon learned it was able to act in a way that others couldn’t in the past. However, using automated systems including advanced machine learning to look for anomalies in the bots and reverse-engineering them led Google to realize it was an invalid traffic operation much broader than Google’s inventory. They also soon realized the cybersecurity firm White Ops was also working on an investigation of its own. According to Tamer Hassan, co-founder and chief technology officer of White Ops, the botnet that became known in the FBI indictments as 3ve was the “largest and most sophisticated” the company had ever seen. The first version—known as Eve.1—was part “old school”—taking a page out of email spam by hijacking IP addresses and gateway protocols to acquire as many IP addresses as it could. However, Eve.2 was different, using malware to tunnel through machines undetected. The international scale of the operation also made it difficult to detect. "There’s a thing that’s happened in the security and fraud world over the last decade of it becoming more of a specialized market in the ecosystem,” Hassan said. “The dark web, the gray market ... one of the theories we’ve had is behind large operations like this, it’s not just a single group.” Because of that specialization, different aspects of the botnet become more diverse and complex. One might be focused on developing malware that’s persistent, while another might be building anti-forensics to check on a device’s security system before infecting it. That allows the malware to shut itself down if it notices any security firms investigating it. “You can almost think of it as a supply and distribution,” Hassan said. “Almost like cartels.” The cartels in question even date farther back, all the way to 2011, when Proofpoint first tracked a botnet it called KovCoreG that evolved from malware to ad-fraud populating on websites including Pornhub, which the company took down last fall. According to Chris Dawson, threat intelligence lead at Proofpoint, the anti-analysis built into some of the bots makes it hard for researchers to notice malware because it often looks like human traffic. "As researchers, there are some times when you have to sit on some knowledge to understand how things work and develop defenses against it,” he said. The scale and specialization of modern botnets is why many in the ad-tech, government and cybersecurity sectors have been both celebrating the collaboration that led to three arrests related to 3ve—and calling for more of it. The Trustworthy Accountability Group, a trade organization, for example, is creating a "threat exchange" program to help various organizations share information about cybercrime threats and investigations. That’s one reason Anaya—who worked in the cybercrime division of the FBI before joining Devcon—thinks more private-sector companies should hire former government officials in order to understand how each groups works. For example, he said he often didn’t realize that when the FBI shows up at a business, companies think they’re in trouble when the government actually just didn’t do a good enough job of explaining they were a victim and not a culprit. "When I share information with someone, I trust that they’re not going to share it with someone else,” he said. Getting the private and public sectors to share information hasn’t always been the easiest thing to do. That’s partially based on a lack of trust, but also based on neither side knowing what information to share—or what the other is looking for. Anaya said the government has to protect what it knows in order to prevent an investigation from being compromised. “When I was with the FBI and I would talk to a company they would say, ‘We suffered a $3.2 million loss,’” he said. “I’d say, ‘This is really interesting. Did you share it with anyone?’ They would say they didn’t know it was important.”