
Two Cybercrime Rings and Eight Defendants Indicted for Digital Advertising Fraud - NN88
https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing
======
jcampbell1
The interesting thing about ad fraud is the people that lose have no ability
to police the problem. Ad networks get paid for fraud. Intelligent ad buyers
that use cost-per-acquisition targeting don't care because they just bid
lower if the traffic is a mix of fraud.

The losers are unsophisticated ad buyers such as the brand advertisers that
use ad agencies to fill their ads with garbage traffic. Procter and Gamble has
recently figured that internet display is pretty much worthless. The other
losers are legit publishers. I am perfectly happy to pay $0.50 a click with
half the traffic being fraud, as I am willing to pay $1.00 a click for legit
traffic from legit publishers. I get the same result, but my money gets split
50/50 between legit publishers and crooks.

I am mostly a dev, but have bought more than $1M in advertising on multiple
platforms. The biggest joke I have ever seen was AppNexus. It was like 70% or
more fraud, and it was the most obvious crap imaginable. For instance, all
clicks coming from 8-month-old user agents for evergreen browsers.

Google Adwords and Double Click have been mostly clean. I'd say 85-90%. I do
see stuff that is obvious bullshit from time to time, and it goes away pretty
quickly, but Google doesn't refund the money. I don't really care... they
make it so we can police it pretty well. Facebook ads are completely clean,
but they don't run a network.

The simple rule for picking an ad platform is: if it isn't loaded with
performance advertisers (CPA), then stay the hell away.
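
The stale-user-agent observation above, turned into a detection heuristic as an added example (not code from the thread or from any platform named in it). Evergreen browsers auto-update, so a source whose clicks mostly carry a major version released long before the click is suspect; the release-date table and the click batch are constructed for illustration.

```javascript
// Added example, not from the thread: flags clicks whose evergreen-browser
// major version was released long before the click itself.
// RELEASE_DATES is a constructed, partial table for illustration; a real
// deployment loads the vendors' release calendars instead.
const RELEASE_DATES = {
  Chrome:  { 60: "2017-07-25", 64: "2018-01-24", 70: "2018-10-16" },
  Firefox: { 55: "2017-08-08", 58: "2018-01-23", 63: "2018-10-23" },
};
const MAX_AGE_DAYS = 120; // tolerance for slow updaters; tune per population
const DAY_MS = 86400000;

// Pull family and major version out of a UA string; null if not evergreen.
// Edge and Opera embed "Chrome/", so exclude them before matching Chrome.
function parseEvergreen(ua) {
  let m = /Firefox\/(\d+)/.exec(ua);
  if (m) return { family: "Firefox", major: Number(m[1]) };
  m = /Chrome\/(\d+)/.exec(ua);
  if (m && !/Edge?\/|OPR\//.test(ua)) return { family: "Chrome", major: Number(m[1]) };
  return null;
}

// Classify one click {ts, ua} as "stale", "fresh" or "unknown".
function classifyClick(click) {
  const parsed = parseEvergreen(click.ua);
  if (!parsed) return "unknown";
  const released = (RELEASE_DATES[parsed.family] || {})[parsed.major];
  if (!released) return "unknown"; // version not in the table
  const ageDays = (new Date(click.ts) - new Date(released)) / DAY_MS;
  return ageDays > MAX_AGE_DAYS ? "stale" : "fresh";
}

// Fraction of classifiable clicks that are stale. This is a signal about the
// traffic source as a whole, not proof against any single click.
function staleShare(clicks) {
  const labels = clicks.map(classifyClick).filter(l => l !== "unknown");
  if (labels.length === 0) return 0;
  return labels.filter(l => l === "stale").length / labels.length;
}

// Constructed sample batch (timestamps and UA strings chosen for illustration).
const SAMPLE_CLICKS = [
  { ts: "2018-11-27T10:00:00Z", ua: "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/70.0.3538.77 Safari/537.36" },
  { ts: "2018-11-27T10:00:01Z", ua: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/60.0.3112.113 Safari/537.36" },
  { ts: "2018-11-27T10:00:02Z", ua: "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0" },
  { ts: "2018-11-27T10:00:03Z", ua: "curl/7.61.0" },
];
```

Run over the constructed batch, two of the three browser clicks are stale, so the source scores 2/3; a real threshold for acting on that share has to be calibrated against known-good traffic.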

~~~
DINKDINK
>Ad networks get paid for fraud

Ad networks' value proposition is: give us money and an ad and your revenue will
rise. If there's fraud that just dilutes the effectiveness of the proposition.
Eventually poor quality networks die in the same way that the market winnows
fertilizer etc. There is no free lunch

~~~
dillondoyle
Assumes attribution, which is a hard problem. If I can't measure whether a
digital ad campaign (in your case) increased revenue then I can't select for
best performing network. Attribution is also gamed and complex (last click,
cookie stuffing, modeled, outright fraud, etc)

------
cal5k
The most interesting part for me: "Furthermore, the defendants leased more
than 650,000 Internet Protocol (“IP”) addresses, assigned multiple IP
addresses to each datacenter server, and then fraudulently registered those IP
addresses to make it appear that the datacenter servers were residential
computers belonging to individual human internet users who were subscribed to
various residential internet service providers."

That's... really smart. A lot of companies use services like MaxMind to do
this. I wonder how difficult it is to get a GeoIP data correction request
approved: [https://support.maxmind.com/geoip-data-correction-request/](https://support.maxmind.com/geoip-data-correction-request/)

~~~
nradov
Scamming at that level requires so much skill and hard work that you have to
wonder why they don't start a legitimate business to make more money with less
risk? I suppose for some it's just for the thrill.

~~~
brazzledazzle
I think because it’s a different type of risk. With your own business the risk
is that you fail and don’t make money. With a scam you can make a bunch of
money for a long time before the risk of being caught ramps up. You’re quickly
(relatively) rewarded instead of agonizing over whether or not you will be.

~~~
cal5k
Well, they all live in Kazakhstan and Russia. It may not be so easy to convert
talent into legitimate business success, particularly when "cybercrime" (god I
hate that word) is often encouraged in places like Russia so long as it
targets non-Russians.

~~~
heavenlyblue
I don't think people in civilized countries even remotely understand the level
of desperation poorer people from those countries go through. VICE's
documentary about krokodil is actually quite good. Except when people watch it
they think it's about someone particularly far away from the average - but
it's not.

The chance of getting a visa to move out or starting a business, which can
only be oriented towards civilized countries if you'd like to make any money
at all... is particularly low.

IT is one of those areas which you can still learn particularly well without
any access to textbooks or academia.

------
inetknght
> _the defendants leased more than 650,000 Internet Protocol (“IP”) addresses_

That's... a not-insignificant number of IPs to have. I wonder how many
different blocks were used and across which RIRs?

~~~
ryan-c
It was actually well over 800k.

Here's a list - note that many have been reassigned:
[http://methbot.s3-website-us-east-1.amazonaws.com/IPs-CIDR.txt](http://methbot.s3-website-us-east-1.amazonaws.com/IPs-CIDR.txt)

------
badrabbit
Haha, this is Kovter. It's a slick malware, always found the infection
interesting. It's fileless and uses JavaScript to start mshta which executes
powershell from the registry and so on. It was one of my favs, happy-sad they
took it down.

------
ryan-c
Some technical details:
[https://services.google.com/fh/files/blogs/3ve_google_whiteo...](https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf)
(note: I work for White Ops)

~~~
dillondoyle
By chance do you know if/where the collected 3ve js code will be published?
I'm specifically interested in looking at their js property patching

~~~
ryan-c
I don't think it's being published. The snippets in the paper were obtained
from process memory dumps by folks reversing the malware, so we don't really
have a good clean copy - just fragments.

~~~
dillondoyle
Interesting. Well if it ever gets published would love to see it! We have our
own js to help us model 'unique voters reached' and as one piece of fraud
reduction toolset (in addition to 3rd party providers). The given example in
pdf (maxchannelcount) is actually one piece of entropy we collect.

Now I'm thinking through this example, I'm going to try and test for these
monkey patched methods (not sure if I can do it, but maybe md5(toString) compare
to major browser native hashes?).

Sounds like you work for a verification vendor, if so have you had success
with detecting these 'monkey patches'?

~~~
ryan-c
I work for White Ops, which could reasonably be considered a verification
vendor, though we prefer to be known as a security company.

As you can imagine, specific techniques used for detecting fraudulent monkey
patching (or even whether we attempt to do so) aren't generally something I
can talk about.

That said, there are a few slides about the cat-and-mouse games of .toString()
here (starting about page 20):
[https://rya.nc/shmoo17](https://rya.nc/shmoo17) [PDF]

In short, using .toString() will find naive monkey patches, however it can be
overridden to varying degrees of cleverness.
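
The .toString() check discussed in the last two posts, as an added example that is not code from the thread or from White Ops: it inspects natives through a captured copy of Function.prototype.toString, shows why the naive String(fn) comparison is fooled by a forged own toString, and marks the ceiling of the technique (a script that runs earlier can replace Function.prototype.toString itself). The demo patches Math.max so it runs without a DOM; HTMLCanvasElement.prototype.getContext in the comment is just an example target.

```javascript
// Added example, not from the thread or from White Ops: flags monkey-patched
// browser natives via Function.prototype.toString, the technique under
// discussion, and shows why a naive fn.toString() comparison is not enough.
const NATIVE_SRC = /^function \w*\(\) \{\s*\[native code\]\s*\}$/;
// Capture the real toString as early as possible. A script that runs before
// this one can replace it outright, which is the ceiling of this technique.
const realToString = Function.prototype.toString;

// True when fn still prints as a built-in. Own-property toString overrides
// are bypassed because we call the captured Function.prototype.toString.
function looksNative(fn) {
  if (typeof fn !== "function") return false;
  // Bound functions also print "[native code]"; their name gives them away.
  if (typeof fn.name === "string" && fn.name.startsWith("bound ")) return false;
  try {
    return NATIVE_SRC.test(realToString.call(fn));
  } catch (err) {
    return false; // toString can be made to throw; treat that as non-native
  }
}

// The naive variant from the thread: String(fn) honours an own toString
// property, so a patch that forges one slips through. Kept for comparison.
function looksNativeNaive(fn) {
  return typeof fn === "function" && NATIVE_SRC.test(String(fn));
}

// Audit [object, property] pairs, e.g. [[HTMLCanvasElement.prototype,
// "getContext"]], and return the property names that no longer look native.
function auditNatives(targets) {
  return targets.filter(([obj, prop]) => !looksNative(obj[prop]))
                .map(([, prop]) => prop);
}

// Self-contained demo on Math.max (no DOM needed). The patch is constructed
// to imitate a bot's property override that also forges its own toString.
function demo() {
  const original = Math.max;
  const patched = function max(...args) { return original(...args); };
  patched.toString = () => "function max() { [native code] }";
  Math.max = patched;
  const out = {
    naive: looksNativeNaive(Math.max),  // true: fooled by the forged toString
    strict: looksNative(Math.max),      // false: sees the real source
    audit: auditNatives([[Math, "max"], [Math, "min"]]), // ["max"]
  };
  Math.max = original;                  // restore the built-in
  return out;
}
```

Hashing the captured toString output, as the earlier post proposes, is the same check with the regex swapped for a per-browser digest; it inherits the same limits, including bound functions and an earlier script replacing Function.prototype.toString.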

~~~
dillondoyle
Of course they already thought of that lol. I really love the cleverness of
this 'game.' I probably spend far too much time tinkering with our own js
measurement script for how small we are but it's kind of addictingly fun.

Are you involved with sales or just engineering? My work email is in my
profile I might drop you a note though I am just guessing your product is too
expensive for our clients (mostly political campaigns).

~~~
ryan-c
I'm a researcher - I don't actually see your email in your profile, you have
to include it in the about text if you want it to be seen. I can put you in
touch with the right person in sales if you contact me (my personal email is
publicly visible).

~~~
dillondoyle
it's dillon @ 4degre.es

------
nyc_pizzadev
"Ad Network #1 rented more than 1,900 computer servers housed in commercial
datacenters in Dallas...spoofing more than 5,000 domains...leased more than
650,000 IP addresses...$7 million in ad fraud"

"Ad Network #2 carried out another digital ad fraud scheme...botnet...more
than 1.7 million infected computers...download fabricated webpages...$29
million in ad fraud"

------
ajsharp
Using your malware botnet to click on fake ads and generate 27mln in actual ad
rev is pretty damn crafty.

Only part I'm unclear on is whether they were actually operating the
network/marketplace, or just falsifying the publisher and user parts of it.
Sounds like the latter, in which case, I wonder which ad networks got gamed.

------
wyqydsyq
What impresses me is that three of them have already been arrested in various
countries, I wouldn't have expected such effective international cooperation
between intelligence/police services considering the countries they were
arrested in aren't exactly closely tied to the US.

~~~
RugnirViking
The cynic in me says that this is because they weren't just hurting the
interests of the U.S. government - they were hurting the interests of the
largest mega-corporations on the planet.

------
mrhappyunhappy
Is there an easy way to check if your computer is compromised and is part of a
botnet?

~~~
tgragnato
It depends: you need to rely on an IoC to notice a piece of malware. This is
typically a signature, a direct communication with a known C2 or a malicious
URL, a hash, ... Beyond the most simple techniques, I'd mention traffic
monitoring and analysis (especially traffic flow analysis) and behavioural
analysis.

However, detecting a dormant botnet isn't easy or simple. E.g.: DARPA (via
HACCS) awarded a $1.2m contract to build a system that can automatically
pinpoint botnet-infected devices.
[https://www.fbo.gov/?s=opportunity&mode=form&id=72de4936f6f4...](https://www.fbo.gov/?s=opportunity&mode=form&id=72de4936f6f4d88cc838a624c1157f26&tab=core&_cview=0)

------
_eht
I am curious if we'll actually see any extradition from any of the involved
countries.

~~~
qaq
I would imagine Estonia will cooperate as US is pretty much the only reason
Russia is not taking it over.

------
Myrmornis
> This kind of exploitation undermines confidence in the system, on the part
> of both companies and their customers,” stated FBI Assistant Director-in-
> Charge Sweeney.

Haha! What on Earth is "the system"?! Did he really say that? Bad criminals
spoiling our nice advertising system.

------
JumpCrisscross
> _the FBI executed seizure warrants to sinkhole 23 internet domains_

Sinkhole?

~~~
AnimalMuppet
Route them to nowhere. In particular, route them _not_ to servers controlled
by the criminals.

~~~
dsl
Actually they get routed to servers operated by security companies that log
incoming connections. This information is then shared with internet providers
and corporations to help disinfect the end users' machines that are trying to
coordinate with the botnet.

~~~
vermilingua
Do they call up customers telling them their computer has been infected with a
virus? I am suddenly terrified that some non-zero percentage of those spam
calls may actually be legit, and that I may need to treat every one of them as
authentic (until they ask for TeamViewer).

~~~
meowface
Yes, you may certainly receive a call or email. I've been on both the sending
and receiving end of those while working infosec at different companies.

------
gitpusher
In my mind, "normal" digital advertising only barely escapes the definition of
fraud.

~~~
drb91
Who doesn’t love to be manipulated constantly?

