1.7 Million Windows Computers Enslaved by 3ve Click Fraud Operators

There are successful malicious campaigns, and then there are successful malicious campaigns. This story falls into the second category, as more than 1.7 million infected Windows computers were exploited for click fraud. The campaign has been dubbed 3ve, and it was analyzed in a coordinated effort by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

In short, the operators behind 3ve created fake versions of premium websites and fake visitors for them, and funneled the advertising revenue directly into their own pockets. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as hijacked Border Gateway Protocol (BGP) IP address space, the experts said in the official analysis.


Technical Overview of the 3ve Click Fraud Operation

The malware used in the 3ve infection chain is a well-known varmint – Kovter. Back in 2016, a fileless strain of Kovter was detected that abused a legitimate Mozilla Firefox browser update package. In the latest infection cases, the malware appears to have been spread via spam email attachments and compromised websites, tricking users into downloading fake Chrome, Firefox and Flash updates.

Another piece of malware used in these attacks is Boaxxe/Miuref. The analysis shows that 3ve obtained control over 1.7 million unique IPs by leveraging systems infected with both Boaxxe/Miuref and Kovter malware, as well as hijacked Border Gateway Protocol (BGP) IP address space.

The Boaxxe malware is also spread through email attachments and drive-by downloads. The Boaxxe-driven part of the operation appears to run out of a data center, with hundreds of machines browsing to bogus websites. When these fake pages are loaded in a browser, they request ads to be placed on the page.

The computers in the data center then use the Boaxxe botnet as a proxy to fetch these ads, the researchers said: a command and control server instructs the enslaved victim systems to make the ad requests, so that the requests appear to come from residential IPs rather than the data center's true addresses.
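Two of the techniques described above, proxying ad requests through infected hosts and announcing hijacked BGP address space, both leave the ad exchange seeing traffic from IPs that do not belong to whoever is really sending it. One defender-side check that the article implies but does not spell out is origin validation of the announced prefixes behind the source IPs in ad-request logs, following the RFC 6811 rules (valid / invalid / unknown). The code below is an added example written for this page, not code from the article or from the 3ve investigation; the prefixes are IETF documentation ranges, the ASNs are from the private range, and the ROA table, the announcements and the ad-request log lines are all constructed. A real deployment would read ROAs from an RPKI validator and routes from the router or a BGP collector.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: who may originate this prefix, and how specific."""
    prefix: ipaddress.IPv4Network
    origin_asn: int
    max_length: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as seen by a collector or router: prefix plus origin AS."""
    prefix: ipaddress.IPv4Network
    origin_asn: int


# Constructed ROA table (documentation prefixes, private-range ASNs; not real data).
ROAS = [
    Roa(net("203.0.113.0/24"), 64500, 24),
    Roa(net("198.51.100.0/24"), 64501, 25),
]

# Constructed routing table. The /25 from AS64999 is a more-specific announcement
# from an AS that the ROA does not authorize: the shape of a prefix hijack.
SAMPLE_ANNOUNCEMENTS = [
    Announcement(net("203.0.113.0/24"), 64500),   # legitimate
    Announcement(net("203.0.113.0/25"), 64999),   # unauthorized origin, more specific
    Announcement(net("198.51.100.0/24"), 64501),  # legitimate
    Announcement(net("192.0.2.0/24"), 64502),     # no ROA covers it
]

# Constructed ad-request log lines: timestamp, source IP, claimed referrer, ad slot.
SAMPLE_AD_LOG = [
    "2018-11-27T10:00:01Z src=203.0.113.10 ref=https://premium-news.example/article/1 ad=slot7",
    "2018-11-27T10:00:02Z src=203.0.113.200 ref=https://premium-news.example/article/2 ad=slot7",
    "2018-11-27T10:00:03Z src=198.51.100.5 ref=https://premium-news.example/article/1 ad=slot3",
    "2018-11-27T10:00:04Z src=192.0.2.77 ref=https://premium-news.example/article/9 ad=slot3",
]


def validate(ann, roas):
    """RFC 6811 origin validation.

    'unknown' if no ROA covers the announced prefix; 'valid' if some covering ROA
    names the same origin AS and allows this prefix length; otherwise 'invalid'.
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for r in covering:
        if r.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def route_for(ip, announcements):
    """Longest-prefix match, mirroring how a router picks the route for an address."""
    best = None
    for a in announcements:
        if ip in a.prefix and (best is None or a.prefix.prefixlen > best.prefix.prefixlen):
            best = a
    return best


def classify_requests(log_lines, announcements, roas):
    """Count ad requests by the validation state of the route serving their source IP."""
    counts = {"valid": 0, "invalid": 0, "unknown": 0, "unrouted": 0}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        ip = ipaddress.ip_address(fields["src"])
        route = route_for(ip, announcements)
        counts[validate(route, roas) if route else "unrouted"] += 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE_ANNOUNCEMENTS:
        print(f"{a.prefix} via AS{a.origin_asn}: {validate(a, ROAS)}")
    print(classify_requests(SAMPLE_AD_LOG, SAMPLE_ANNOUNCEMENTS, ROAS))
```

On the constructed data the request from 203.0.113.10 is served by the more-specific /25 from the unauthorized AS and is counted as invalid, while 203.0.113.200 falls outside that /25 and stays valid. An "invalid" result is a signal to investigate, not proof of a hijack (stale or missing ROAs produce the same state), and a hijacked prefix can carry perfectly shaped requests, which is why the article's proxy-through-victims technique is usually caught by behavioural signals rather than by this check alone.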

Experts encourage users that believe they have been hijacked by the 3ve scheme to submit their complaints to and use the 3ve hashtag in the body of the complaint.

Milena Dimitrova