Millions of bots, that is…
(Image credit: Shutterstock / Peshkova)
Earlier this year, the self-described “king of fraud” stood trial in a federal court in Brooklyn, New York. Aleksandr Zhukov was said to have defrauded the advertising industry of upwards of $7 million dollars, in what has been described as one of the most sophisticated ad fraud campaigns to date.
Although he pled not guilty, unlike his co-conspirators, Zhukov was ultimately convicted of four charges related to wire fraud and money laundering, and now awaits sentencing.
According to security company Human, which played a central role in bringing Zhukov to justice, the verdict sets an important precedent that will change the economics of fraud and go some way to discouraging future campaigns.
- Here’s our list of the best web hosting services around
- We’ve built a list of the best CDN providers available
- Check out our list of the best business web hosting available
More interesting than the verdict, though, are the techniques Zhukov and his team abused to game the digital advertising system. In short, he commandeered data center infrastructure and infected consumer devices to create armies of bots capable of generating billions of fake ad views per day.
“This internet that we love is fueled by slices of human attention,” Tamer Hassan, Human CEO, told TechRadar Pro. “What’s crazy is that the market is flooded with fake human attention and this has changed the economics of the web.”
“We see botnets designed to engage with ads, listen to music, watch TV and manipulate public sentiment. It all comes down to one question: if you can look like a million humans, what can you do?”
An army of millions
Botnets come in all shapes and sizes and can be used for various kinds of cybercrime, from DDoS attacks, spam and data theft to sniping limited stock on ecommerce websites.
Since 2016, Zhukov has assembled two different botnets, primarily for the purposes of defrauding members of the online advertising ecosystem: Methbot and 3ve (pronounced “Eve”).
To build the former, his group established more than 250,000 URLs under roughly 6,000 spoofed domains, mimicking the websites of major publishers to trick the algorithms that determine which ads are best placed where.
Using data center infrastructure and IP addresses acquired with forged registration data, the cybercriminals then launched massive volumes of fake traffic at the ads, raking in pay-per-click revenue. At its peak, Methbot was capable of simulating 300 million video ad views per day.
3ve was even more sprawling and complex, powered by both data center infrastructure and 1.7 million Windows devices infected via malvertising. This second botnet was capable of generating 12 billion fake ad requests per day across 10,000 spoofed domains, and evaded detection by imitating human behaviors such as mouse movement and clicks.
According to Hassan, these operations were both run in a highly professional manner, in the same way as a Silicon Valley startup.
“We’re not talking about kids trying to earn a little extra beer money here,” he said. “They were releasing code every two weeks on a Wednesday, they were running agile software development practices using Jira and other modern ticketing systems.”
“Like a fully professional software company, the operators had the ability to A/B test different approaches, as well as different parts of the bot operation, in order to insulate themselves from the fallout if one part was somehow cut off or shut down.”
One of the reasons Zhukov and others like him feel emboldened to scale fraud operations to these heights, Hassan explained, is that the potential for profit is high and the risk relatively low. Until recently, the worst case scenario for cybercriminals was that their operation would be discovered and shut down, but extradition and prosecution likely never crossed their minds.
Whose responsibility is it?
The digital advertising supply chain is extremely intricate, rivalling the complexity of financial trading. Between the business that wants to promote its product and the web user that receives the ad, there sit tens of different technology companies that provide the “pipes” that allow the system to function.
“Digital advertising is primarily bought and sold through ‘programmatic’ platforms. Publishers agree to feature ads alongside their content and use supply side platforms (SSPs) to auction their available ad space to advertisers. Advertisers use demand side platforms (DSPs) to bid on that available ad space based on how successful they think those ads will be in generating the interest of visitors,” explains a white paper co-authored by Human and Google.
“These auctions happen billions of times a day, in the milliseconds before a page loads on your browser, and inventory can be passed between many auctions before being matched with an advertiser who wants to place their ad on your screen.”
Zhukov and his team inserted themselves at both ends of this funnel, mimicking premium publishers to deceive advertisers and creating fake traffic to generate pay-per-click revenue from the spoofed domains.
As a consequence of operations like 3ve and Methbot, the cost per conversion shoots through the roof for advertisers, because the number of real humans viewing their ads is far smaller than it should be. These companies also end up inadvertently funding other illegal activities, such as malware development and ransomware operations.
On the other end of the spectrum, consumers are also victimized, with their devices used as soldiers in the botnet army. Beyond the fact these devices are abused to execute criminal operations, infection also puts the owners at risk of data theft and secondary attacks.
With so many stakeholders in the digital advertising ecosystem, it can be difficult to pinpoint who should be responsible for stopping fraud campaigns. Asked where he thinks responsibility should lie, Hassan said that both prevention and mitigation require a collaborative approach.
“In some respects, the advertiser is responsible for making sure their money is not going towards nefarious organizations. Then there’s a whole sell side of the ecosystem; content creators and the platforms that represent them need to ensure they are only opening up to human traffic too. The responsibilities are different for each player in the ecosystem – it’s shared.”
Playing offense, not defense
Despite the sophistication of Zhukov’s setup, his ad fraud campaigns were eventually unearthed as a result of a collaboration between a range of technology companies and intelligence agencies.
The initial warning signs were identified by Human researchers, who then took their discoveries to partners in the security and advertising industries, as well as looping in law enforcement.
The eventual result was a two-year collaboration between more than 30 private companies and six international agencies, leading ultimately to the seizure of the botnet infrastructure and extradition of four of the eight Russian cybercriminals named in the indictment.
The ultimate goal is to swing the economics of cybercrime, making it both harder to execute from a technical perspective and less profitable when successful. Hassan believes extensive collaboration, or “collective disruption”, is the only route to achieving this objective.
“Part of our thesis is that it’s not just about playing defense; we have to play offense and we have to do it as a collective. This is how security needs to evolve,” he told us.
“Any single company trying to unravel a botnet alone will find it’s hard to see the full picture. But if organizations work together, you start to paint the picture in a way that makes it very difficult or expensive for the other side. Everything else is just playing cat and mouse.”
The significance of the Zhukov conviction, says Hassan, is that the cost of fraud has changed forever. With potential jail time in the picture, the calculation for the next fraudster looks drastically different.