There are successful malicious campaigns, and then there are successful malicious campaigns. This story falls into the second category, as more than 1.7 million infected Windows-running computers were exploited for click fraud. The campaign has been dubbed 3ve, and it was analyzed in a coordinated effort by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
In short, the operators behind 3ve created fake versions of premium websites and fake visitors for them, and funneled the advertising revenue straight into their own pockets. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with the Boaxxe/Miuref and Kovter malware, as well as hijacked Border Gateway Protocol (BGP) IP address space, the experts said in the official analysis.
Technical Overview of the 3ve Click Fraud Operation
The malware used in the 3ve infection chain is a well-known varmint – Kovter. Back in 2016, a fileless strain of Kovter was detected being spread using a legitimate Mozilla Firefox browser update pack. In the latest infection cases, the malware appears to have spread via spam email attachments and compromised websites that trick users into downloading fake Chrome, Firefox and Flash updates.
Another piece of malware used in these attacks is Boaxxe/Miuref. The analysis shows that 3ve obtained control over 1.7 million unique IPs by leveraging systems infected with both Boaxxe/Miuref and Kovter, as well as hijacked Border Gateway Protocol (BGP) IP address space.
The Boaxxe malware is also spread through email attachments and drive-by downloads. It appears that the Boaxxe botnet is located in a data center, with hundreds of machines browsing to bogus websites. When these fake pages are loaded into a browser, requests for ads to be placed on these pages occur.
The computers in the data center then use the Boaxxe botnet as a proxy to make the requests for these ads, the researchers said. A command and control server sends instructions to the enslaved systems to make the ad requests on the data center's behalf, so that the requests appear to come from the infected machines' IPs rather than the data center's true IPs.
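The architecture just described, as an added example that is not part of the original article or of the official analysis: a small detector run over constructed ad-request log lines that flags a publisher site when many distinct client IPs all present the same client fingerprint, which is what a handful of data-center hosts fronted by a pool of botnet proxies looks like from the ad exchange's side. The log format, the site names, the IPs and the fingerprint tokens are invented for the example.

```python
from collections import defaultdict

# Constructed sample ad-request log lines (invented for this example, not data
# from the article or the investigation). Fields: timestamp, client IP, the
# publisher site the ad slot was requested for, and a client fingerprint token
# standing in for a hash of user agent, header order and TLS parameters.
SAMPLE_LOG = """\
2018-11-27T10:00:01Z 198.51.100.7 real-news.example fp-7c1
2018-11-27T10:00:03Z 198.51.100.22 real-news.example fp-b09
2018-11-27T10:00:05Z 203.0.113.4 real-news.example fp-e42
2018-11-27T10:00:06Z 203.0.113.9 real-news.example fp-1d8
2018-11-27T10:00:07Z 192.0.2.11 spoofed-premium.example fp-dc0
2018-11-27T10:00:08Z 192.0.2.34 spoofed-premium.example fp-dc0
2018-11-27T10:00:09Z 192.0.2.57 spoofed-premium.example fp-dc0
2018-11-27T10:00:10Z 192.0.2.80 spoofed-premium.example fp-dc0
2018-11-27T10:00:11Z 192.0.2.103 spoofed-premium.example fp-dc0
2018-11-27T10:00:12Z 192.0.2.126 spoofed-premium.example fp-dc0
"""


def parse_log(text):
    """Yield (site, ip, fingerprint) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, ip, site, fingerprint = parts
        yield site, ip, fingerprint


def site_stats(records):
    """Per site: (request count, distinct client IPs, distinct fingerprints)."""
    count, ips, fps = defaultdict(int), defaultdict(set), defaultdict(set)
    for site, ip, fingerprint in records:
        count[site] += 1
        ips[site].add(ip)
        fps[site].add(fingerprint)
    return {site: (count[site], len(ips[site]), len(fps[site])) for site in count}


def flag_proxied_sites(stats, min_ips=5, max_fp_ratio=0.25):
    """Flag sites where many distinct IPs share very few client fingerprints:
    genuine audiences bring one fingerprint per device, while a few browsing
    hosts relayed through a large proxy pool bring many IPs per fingerprint."""
    flagged = []
    for site, (_requests, n_ips, n_fps) in stats.items():
        if n_ips >= min_ips and n_fps / n_ips <= max_fp_ratio:
            flagged.append(site)
    return sorted(flagged)
```

Thresholds are deliberately conservative for the tiny sample; on real exchange logs they would be tuned per site against a baseline of normal fingerprint diversity.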
Experts encourage users who believe their machines were hijacked by the 3ve scheme to submit a complaint at www.ic3.gov and to include the 3ve hashtag in the body of the complaint.