FBI shuts down multi-million-dollar online fraud campaign

Category: Chinese-English bilingual

The cybercriminals behind this operation earned about $30M USD

The Federal Bureau of Investigation (FBI), Google and multiple cybersecurity and digital forensics firms worked together to take down one of the most complex digital advertising fraud schemes ever seen. The scheme infected more than 1.7 million computers in order to generate fake clicks and deceive online advertisers for years, earning the fraud operators tens of millions of dollars.

The fraudulent campaign, known as 3ve, has been active since at least 2014, according to digital forensics experts from the International Institute of Cyber Security. However, the malicious activity of its operators peaked last year, turning it into a large-scale business and generating about $30M USD in profits for the cybercriminals.

Meanwhile, the US Department of Justice (DoJ) reported that it has filed an indictment with 13 criminal charges against 8 people in Russia, Kazakhstan and Ukraine who allegedly worked as operators of the campaign.

The 3ve operation employed various tactics over its lifetime, such as building its own botnets, spoofing websites, hijacking IP addresses, using proxies to hide real IP addresses, and infecting victims' computers with malware, all with the purpose of generating fake clicks on online advertising.

According to digital forensics specialists, 3ve involved 1.7 million malware-infected computers, more than 80 servers and over a thousand fake websites, routed through more than one million compromised IP addresses, to generate between 3 and 12 billion ad bid requests daily.

According to the reports of Google and the participating cybersecurity firms, the scheme was named 3ve because it consisted of three distinct sub-operations. Each took its own measures to avoid detection, and each was built on a different architecture using several components.

“Operators constantly changed their methods to hide 3ve bots, allowing this operation to keep growing even after its traffic was detected. When they were blocked in any site, they would reappear in a new one,” Google mentions. The three sub-operations that made up 3ve are:

  1. Boaxxe malware scheme (3ve.1)

The first of the three 3ve sub-operations was powered by botnets running in data centers across Europe and the US. It used the Boaxxe botnet, also known as Miuref and Methbot, to obtain IP addresses through which the traffic of infected devices was proxied via the data centers, visiting both fake and real web pages.

Over time, the operation went beyond fake requests from desktops and also generated traffic from Android mobile devices.

  2. Kovter malware scheme (3ve.2)

Here the operators used fake domains to sell fake ad inventory to advertisers. However, instead of hiding behind proxies, they used a custom browser agent on more than 700k computers infected with the Kovter malware.

This sub-operation used redirect servers to order the infected computers to visit spoofed web pages.

  3. IP data centers (3ve.3)

The third sub-operation associated with 3ve was similar to 3ve.1. Bots were set up in some data centers, but to cover their tracks the operators used the IP addresses of other data centers as proxies, rather than residential computers.
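As an added illustration (not part of the original article), the following Python snippet shows how an ad network defender might apply the two signals the article describes for 3ve, data-center sourced bid traffic and spoofed publisher domains, to a handful of constructed bid-request log lines. The log format, the IP ranges and the per-IP threshold are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of ad bid-request log lines (not from the article).
# Fields: timestamp, client IP, publisher domain declared in the bid,
# and the page host actually observed by the ad tag.
SAMPLE_LOG = """\
2018-11-27T10:00:01Z 203.0.113.10 premium-news.example premium-news.example
2018-11-27T10:00:01Z 203.0.113.10 premium-news.example cheap-content.example
2018-11-27T10:00:02Z 203.0.113.10 premium-news.example cheap-content.example
2018-11-27T10:00:02Z 203.0.113.11 sports-daily.example cheap-content.example
2018-11-27T10:00:02Z 203.0.113.11 sports-daily.example cheap-content.example
2018-11-27T10:00:03Z 198.51.100.7 sports-daily.example sports-daily.example
2018-11-27T10:00:04Z 198.51.100.8 premium-news.example premium-news.example
"""

# Constructed hosting-provider ranges standing in for the data-center address
# space that the 3ve.1 and 3ve.3 bots and proxies were reported to use.
DATACENTER_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_datacenter(ip: str) -> bool:
    """True if the address falls inside a known data-center block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in DATACENTER_BLOCKS)


def analyze(log_text: str, max_per_ip: int = 2):
    """Return (findings, spoofed) for a window of bid-request log lines.

    findings maps a suspect IP to the reasons it was flagged; spoofed counts,
    per declared publisher domain, how many bids claimed a domain that did not
    match the page the ad tag actually observed (the 3ve.2 domain-spoofing
    pattern).
    """
    per_ip = Counter()
    spoofed = Counter()
    for line in log_text.splitlines():
        _ts, ip, declared, observed = line.split()
        per_ip[ip] += 1
        if declared != observed:
            spoofed[declared] += 1

    findings = {}
    for ip, count in per_ip.items():
        reasons = []
        if is_datacenter(ip):
            reasons.append("data-center source")
        if count > max_per_ip:
            reasons.append(f"{count} requests in window")
        if reasons:
            findings[ip] = reasons
    return findings, dict(spoofed)
```

In production the threshold would be tuned per window size and the data-center list sourced from a maintained ASN or hosting-range feed rather than a hard-coded block.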

The end of Operation 3ve

After 3ve's activity grew in 2017, Google, together with the other digital forensics firms that had detected the operation, began its takedown operation.

Thanks to this joint work, the FBI managed to seize 31 domains and 89 servers that formed part of the 3ve infrastructure. Private organizations also helped to blacklist the 3ve infrastructure involved in the ad fraud scheme and the traffic to its malicious domains.
