Earlier this year, the self-proclaimed "King of Fraud" was tried in federal court in Brooklyn, New York. Aleksandr Zhukov is said to have defrauded the advertising industry of more than $7 million in what has been described as one of the most sophisticated ad fraud campaigns to date.
Unlike his co-conspirators, Zhukov pleaded not guilty, but he was ultimately convicted on four counts relating to wire fraud and money laundering and is now awaiting sentencing.
According to the security firm Human, which played a central role in bringing Zhukov to justice, the verdict sets an important precedent that will change the economy of fraud and to some extent deter future campaigns.
More interesting than the verdict, however, are the techniques Zhukov and his team used to game the digital advertising system. In short, the group commandeered data center infrastructure and infected consumer devices to build armies of bots capable of generating billions of fake ad views per day.
"This internet we love is fueled by slices of human attention," Tamer Hassan, CEO of Human, told TechRadar Pro. "The crazy thing is that the market is inundated with fake human attention, and it has changed the economy of the web."
"We are seeing botnets designed to interact with ads, listen to music, watch TV and manipulate public opinion. It all comes down to one question: if you can look like a million humans, what can you do?"
An army of millions
Botnets come in all shapes and sizes and can be used for many kinds of cybercrime, from DDoS attacks, spam and data theft to sniping limited stock on e-commerce websites.
Beginning in 2016, Zhukov assembled two different botnets, primarily for the purpose of defrauding members of the online advertising ecosystem: Methbot and 3ve (pronounced "Eve").
To build the first, his group set up over 250,000 URLs under roughly 6,000 spoofed domains, mimicking the websites of major publishers in order to trick the algorithms that decide which ads are placed where.
Using data center infrastructure and IP addresses acquired with falsified registration data, the group then drove massive volumes of fake traffic to the ads on those pages, generating pay-per-click revenue. At its peak, Methbot was able to simulate 300 million video ad views per day.
3ve was even more sprawling and complex, powered both by data center infrastructure and by 1.7 million Windows devices infected through malicious ads. This second botnet was capable of generating 12 billion bogus ad requests per day across 10,000 spoofed domains, and it evaded detection by mimicking human behaviors such as mouse movements and clicks.
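The three techniques just described (domain spoofing, traffic from data center address space, and faked or absent human interaction) are exactly the signals an SSP or verification vendor would look for in its impression logs. The script below is an added example written for this article, not code from Human, Google or the Zhukov case; it runs a handful of such checks over a constructed set of impression records. The field names, the data center range (a documentation prefix standing in for a real IP-intelligence feed) and the per-IP volume threshold are all assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of ad-impression records, not real log data. Each record
# is roughly what an SSP or ad-verification vendor might keep for one served
# ad: the publisher domain the bid request claimed, the hostname the browser
# reported as the page's referrer, the client IP, and the number of mouse-move
# events a viewability script observed before the ad was counted as viewed.
SAMPLE_IMPRESSIONS = [
    {"id": 1, "claimed_domain": "example-news.com", "referer_host": "www.example-news.com", "ip": "203.0.113.7", "mouse_events": 14},
    {"id": 2, "claimed_domain": "example-news.com", "referer_host": "example-news.com", "ip": "203.0.113.9", "mouse_events": 6},
    # Methbot-style: bid request claims a premium publisher, page is really served from a throwaway host in a data center
    {"id": 3, "claimed_domain": "example-news.com", "referer_host": "a1b2.example-host.net", "ip": "198.51.100.23", "mouse_events": 0},
    {"id": 4, "claimed_domain": "example-news.com", "referer_host": "a1b2.example-host.net", "ip": "198.51.100.23", "mouse_events": 0},
    {"id": 5, "claimed_domain": "example-news.com", "referer_host": "a1b2.example-host.net", "ip": "198.51.100.23", "mouse_events": 0},
    # Lookalike host: the claimed domain appears only as a substring of the real one
    {"id": 6, "claimed_domain": "example-news.com", "referer_host": "example-news.com.example-host.net", "ip": "198.51.100.24", "mouse_events": 9},
    # 3ve-style: residential IP and faked mouse activity; passes every check below
    {"id": 7, "claimed_domain": "example-news.com", "referer_host": "example-news.com", "ip": "203.0.113.50", "mouse_events": 11},
]

# Assumed data center address space. Production systems use an IP-intelligence
# feed; the documentation prefix below is a stand-in for this example.
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed threshold: more impressions than this from one IP on one day is suspicious.
MAX_IMPRESSIONS_PER_IP = 2


def matches_claimed_domain(referer_host: str, claimed_domain: str) -> bool:
    """True if the referring host is the claimed domain or a subdomain of it.

    The leading dot in the suffix check matters: a plain endswith() would
    accept lookalikes such as example-news.com.example-host.net.
    """
    referer_host = referer_host.lower().rstrip(".")
    claimed_domain = claimed_domain.lower().rstrip(".")
    return referer_host == claimed_domain or referer_host.endswith("." + claimed_domain)


def is_datacenter_ip(ip: str) -> bool:
    """True if the client IP falls inside a known data center range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def impression_signals(record: dict, hits_per_ip: Counter) -> list[str]:
    """Return the fraud indicators that fire for a single impression."""
    signals = []
    if not matches_claimed_domain(record["referer_host"], record["claimed_domain"]):
        signals.append("domain_spoof")
    if is_datacenter_ip(record["ip"]):
        signals.append("datacenter_ip")
    if record["mouse_events"] == 0:
        signals.append("no_interaction")
    if hits_per_ip[record["ip"]] > MAX_IMPRESSIONS_PER_IP:
        signals.append("ip_volume")
    return signals


def triage(impressions: list[dict]) -> dict[int, list[str]]:
    """Map each suspicious impression id to the list of signals it tripped."""
    hits_per_ip = Counter(r["ip"] for r in impressions)
    flagged = {}
    for record in impressions:
        signals = impression_signals(record, hits_per_ip)
        if signals:
            flagged[record["id"]] = signals
    return flagged


if __name__ == "__main__":
    for imp_id, reasons in triage(SAMPLE_IMPRESSIONS).items():
        print(f"impression {imp_id}: {', '.join(reasons)}")
```

Records 3 through 6 are flagged; record 7, which models the 3ve approach of infected residential machines with simulated mouse activity, sails through every per-impression check. That gap is the practical reason the article's later argument for pooling data across companies matters: a single SSP's logs rarely carry enough context to separate a well-built bot from a real visitor.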
According to Hassan, these operations were both carried out in a very professional manner, like a startup in Silicon Valley.
"We're not talking about kids here trying to make a little extra money for beer," he said. "They were releasing code every two weeks on a Wednesday, they were running agile software development practices using Jira and other modern ticketing systems."
"Like a fully professional software company, the operators had the flexibility to A/B test different approaches, as well as different parts of the bot's operation, in order to insulate themselves from the fallout if one part was somehow cut off or shut down."
One of the reasons Zhukov and others like him feel emboldened to expand fraud operations to these heights, Hassan explained, is that the potential for profit is high and the risk relatively low. Until recently, the worst-case scenario for cybercriminals was for their operation to be discovered and shut down, but extradition and prosecution probably never crossed their minds.
Who is responsible?
The digital advertising supply chain is extremely complex, rivaling that of financial markets. Between the company that wants to promote its product and the Internet user who sees the ad sit dozens of technology companies that provide the "pipes" that make the system work.
"Digital advertising is mainly bought and sold through 'programmatic' platforms. Publishers agree to run ads alongside their content and use supply-side platforms (SSPs) to auction their available ad space to advertisers. Advertisers use demand-side platforms (DSPs) to bid on this available advertising space based on its ability to engage visitors," explains a white paper co-written by Human and Google.
"These auctions take place billions of times a day, a few milliseconds before a page loads in your browser, and inventory can be passed between many auctions before being matched with an advertiser who wants to place their ad on your screen."
Zhukov and his team slipped into both ends of this funnel: mimicking premium publishers to cheat advertisers on the supply side, and creating bogus traffic to generate pay-per-click revenue from the spoofed domains on the demand side.
As a result of operations like 3ve and Methbot, the cost per conversion skyrockets for advertisers as the number of real humans viewing their ads is much lower than it should be. These companies also end up inadvertently funding other illegal activities, such as malware development and ransomware operations.
On the other end of the spectrum, consumers are also victims, with their devices being used as soldiers in the botnet army. Beyond these devices being abused to carry out criminal operations, the infection also puts owners at risk of data theft and secondary attacks.
With so many stakeholders in the digital advertising ecosystem, it can be difficult to determine who should be responsible for stopping fraud campaigns. When asked where the responsibility should lie, Hassan said prevention and mitigation require a collaborative approach.
"In some ways, the advertiser is responsible for making sure their money doesn't go to bad organizations. Then there is a whole sell side of the ecosystem; content creators and the platforms that represent them need to ensure that they too are only open to human traffic. Responsibilities are different for each actor in the ecosystem; they are shared."
Play offense, not defense
Despite the sophistication of Zhukov's setup, his ad fraud campaigns were ultimately unearthed through collaboration between an array of technology companies and law enforcement agencies.
The first warning signs were identified by Human's researchers, who passed their findings on to partners in the security and advertising sectors, as well as to law enforcement.
The end result was a two-year collaboration between more than 30 private companies and six international agencies, ultimately leading to the seizure of the botnet's infrastructure and the extradition of four of the eight Russian cybercriminals named in the indictment.
The ultimate goal is to shift the economics away from cybercrime, making it both technically harder to execute and less profitable when it succeeds. Hassan believes that extensive collaboration, or "collective disruption," is the only way to achieve this.
"Part of our thesis is that it's not just about playing defense; we have to play offense and we have to do it collectively. This is how security must evolve," he told us.
"Any business trying to unravel a botnet on its own will have a hard time seeing the big picture. But if organizations work together, you start to paint the picture in a way that makes it very difficult or expensive for the other party. Everything else is just playing cat and mouse."
The significance of Zhukov’s conviction, Hassan says, is that the cost of fraud has changed forever. With a potential jail sentence in the picture, the math for the next fraudster looks drastically different.