Like a Movie Plot: the 3ve Defrauding Scheme

Recently I read about an interesting digital-advertising fraud named “3ve”. You can read about it, for example, on Ars Technica here or in a paper by Google and White Ops here. I kept thinking about this story and how much (at least to me) it resembles a movie plot, something like an Ocean’s film. So, as the first blog entry of 2019, I have decided to write down a short account of the facts and ideas in the form of a movie plot. Obviously, in what follows most technical details are skipped or not fully described, but if you are interested you can read the articles mentioned above on the true story.

So here it goes.

We are all used to the advertisements which appear on web-sites and in mobile apps. It is indeed quite simple to make a little money by reserving space for advertisements on a web-site. These advertisement spaces are used by digital advertising companies, and the idea is that when a visitor clicks on an advertisement, the owner of the web-site earns a very small amount of money. But how can one make a lot of money out of it?

By now it is a well-known fraud to create web-sites with advertisements and use programs to click on them. Digital advertising companies have therefore introduced countermeasures to distinguish between a real person and a program.

But as usual, it is possible to have “smart” ideas…

To simulate real “persons” it is possible to:

  • create a web-site with plenty of space for advertisement
  • make a contract with a digital advertising company to place advertisements on your web-site
  • develop a special program which clicks on the advertisements on your web-site
  • rent one or more botnets of Personal Computers (PCs) infected with malware
  • install your program on these PCs through the malware.

This makes it look as if the owner of the PC had visited your web-site and clicked on the advertisement, and in principle you get paid accordingly.

However, there are costs: not only the rental of the botnet, but also the special program, which must be continuously developed and updated. Digital advertising companies are well aware of this fraud and monitor all clicks on the advertisements to distinguish between a real person and a program. They collect a lot of information on the visitor making the click, such as cookies, the fingerprint of the browser and PC, the navigation path on the web-site, the language of the user, etc. The special program must be able to fake all this information and pass all the checks the digital advertising companies keep introducing.

And this is not all: sooner or later anti-virus software identifies the malware and the special program and cleans up the PCs, which means starting all over again.

Moreover, digital advertising companies also check the internet IP address of the PC, its geolocation and the time of access, to be sure that they are consistent. For example, it is not possible that millions of different “persons” click on the same advertisement from the same unique IP address, or that millions of Americans click on an advertisement in Europe in the middle of the night in a language they typically do not understand.
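The consistency checks just described, written out as detection logic, as an added example that is not part of the original post. The geolocation table, the click records and the thresholds are all constructed here (using documentation IP ranges); a real system would use a GeoIP database and its own click logs.

```python
"""Consistency checks on ad-click records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup:
# IP prefix -> (country, UTC offset in hours, plausible primary languages)
GEO = {
    "203.0.113.": ("US", -5, {"en"}),        # TEST-NET-3, constructed mapping
    "198.51.100.": ("DE", +1, {"de", "en"}),  # TEST-NET-2, constructed mapping
}


def geolocate(ip):
    for prefix, info in GEO.items():
        if ip.startswith(prefix):
            return info
    return None


def local_hour(ts_utc, offset_hours):
    """Hour of the click in the visitor's geolocated local time."""
    return (ts_utc + timedelta(hours=offset_hours)).hour


def check_click(rec):
    """Return the reasons a single click looks inconsistent (empty list = clean)."""
    reasons = []
    geo = geolocate(rec["ip"])
    if geo is None:
        return ["unknown geolocation"]
    country, offset, langs = geo
    # The browser-reported timezone should match the geolocated region.
    if rec["tz_offset"] != offset:
        reasons.append(f"tz {rec['tz_offset']:+d} does not match {country} ({offset:+d})")
    # The primary Accept-Language tag should be plausible for the region.
    primary = rec["accept_language"].split(",")[0].split("-")[0].lower()
    if primary not in langs:
        reasons.append(f"language {primary} unusual for {country}")
    # Clicks in the middle of the local night are suspicious.
    hour = local_hour(rec["ts"], offset)
    if 1 <= hour < 5:
        reasons.append(f"click at {hour:02d}:00 local time")
    return reasons


def check_batch(records, max_visitors_per_ip=3):
    """Per-click checks plus a cross-click check: many distinct 'visitors' on one IP."""
    flagged = {}
    visitors_by_ip = defaultdict(set)
    for rec in records:
        visitors_by_ip[rec["ip"]].add(rec["visitor_id"])
        reasons = check_click(rec)
        if reasons:
            flagged[rec["visitor_id"]] = reasons
    for ip, visitors in visitors_by_ip.items():
        if len(visitors) > max_visitors_per_ip:
            for v in visitors:
                flagged.setdefault(v, []).append(f"{len(visitors)} visitors share IP {ip}")
    return flagged


# Constructed click records; timestamps are UTC.
CLICKS = [
    # plausible: US address, US timezone, English, 10:00 local time
    {"visitor_id": "v1", "ip": "203.0.113.10", "tz_offset": -5,
     "accept_language": "en-US,en", "ts": datetime(2018, 11, 20, 15, 0)},
    # inconsistent: US address, but browser says UTC+3, Russian, 03:00 local time
    {"visitor_id": "v2", "ip": "203.0.113.11", "tz_offset": 3,
     "accept_language": "ru-RU,ru", "ts": datetime(2018, 11, 20, 8, 0)},
] + [
    # four different "visitors" all coming from one German address
    {"visitor_id": f"v{n}", "ip": "198.51.100.5", "tz_offset": 1,
     "accept_language": "de-DE,de", "ts": datetime(2018, 11, 20, 12, 0)}
    for n in range(3, 7)
]

if __name__ == "__main__":
    for visitor, reasons in sorted(check_batch(CLICKS).items()):
        print(visitor, "->", "; ".join(reasons))
```

Each check is weak on its own (a traveller really can have a foreign timezone), so a real scorer would weight and combine them rather than block on any single mismatch; the shared-IP check is the one that catches the plain "many persons, one address" case from the paragraph above.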

To bypass these checks, it is simpler to adopt the following approach:

  • set up your own servers (without anti-viruses)
  • run on these servers multiple copies of the special program
  • assign to the servers appropriate IP addresses that mimic a real person, including location, timezone, language, etc.

This eliminates the need for botnets, the related malware and the updates forced by anti-virus detection.

But how to get appropriate IP addresses? And here comes the “smart” idea…

First of all, it is necessary to create a few Internet Provider companies, for example one in Europe, one in North America, etc., which host the servers and also provide internet access to some normal companies, so as to gain business credibility.

The next step requires a short reminder on how internet IP addresses are assigned. Regional Internet Registries (RIRs) such as ARIN, RIPE and APNIC assign blocks of IP addresses to companies which ask for them. A company which asks for IP addresses is assigned one (or more) Autonomous System (AS) numbers, to which in turn the blocks of IP addresses are assigned.

However, if a company closes, goes bankrupt, etc., for some time the AS number and the blocks of IP addresses remain assigned to the company but are unused. So here is the trick:

  • identify valid but unused AS numbers and blocks of IP addresses
  • create fake contracts between the companies that are the rightful assignees of the AS numbers and the Internet Provider you have created, to fake business credibility
  • have the Internet Provider’s routers announce these AS numbers and their IP blocks (this is called “BGP hijacking”)
  • assign the related IP addresses to the servers running your program and rotate them quickly.

Until recently, this way of hijacking IP addresses had low chances of detection.

Another way of hijacking blocks of IP addresses is to steal unused IP addresses assigned to active companies, that is, addresses belonging to AS numbers which are in use. But in this case there are higher chances of detection, because of the checks those companies perform.

There exists a relatively high number of unused AS numbers and unused blocks of IP addresses with different geolocations, and this makes it possible to fake millions of clicks which bypass the elaborate checks of the digital advertising companies. In this way it is possible to steal millions of dollars from digital advertising companies.

In a movie plot the story would end here: the money would be collected and the entire operation would be closed down forever.

In real life it is not easy to keep such a big operation unnoticed. Sooner or later digital advertising companies wonder why a certain web-site generates so many clicks, and they start to investigate and “follow the money”. From the technical point of view, a deeper investigation would show that the visits to that web-site all come from the same Internet Provider and that most of the companies which are “customers” of the Internet Provider are actually closed or bankrupt. Moreover, companies that monitor traffic on all their IP addresses, used and unused, will easily detect if some addresses have been hijacked.
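The monitoring mentioned in the last sentence, as an added example that is not part of the original post: the holder of some address blocks records which origin AS is authorised to announce each block (the same idea as an RPKI ROA) and which blocks it currently does not announce at all, then audits a route-collector dump for announcements that contradict that record. The authorisation table, the dormant list and the route lines are constructed here, using documentation prefixes and private-use ASNs.

```python
"""Auditing BGP announcements against the holder's own records (added example)."""
import ipaddress

# Constructed: what the rightful holder authorises, ROA-style.
# covering prefix -> (authorised origin ASN, maximum announced prefix length)
AUTHORISED = {
    "203.0.113.0/24": (64496, 24),
    "198.51.100.0/24": (64497, 26),
}
# Constructed: blocks the holder owns but does not announce at all right now,
# so any announcement of them is unexpected (the "unused addresses" case).
DORMANT = {"198.51.100.0/24"}

# Constructed route-collector dump, one "prefix|AS path" per line;
# the origin AS is the last ASN in the path.
ROUTES = """\
203.0.113.0/24|64500 64496
203.0.113.0/25|64500 64496
203.0.113.0/24|64510 64511
198.51.100.0/26|64510 64512
192.0.2.0/24|64500 64499
"""


def parse_routes(text):
    """Yield (network, origin ASN, full AS path) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, path = line.split("|")
        asns = [int(a) for a in path.split()]
        yield ipaddress.ip_network(prefix), asns[-1], asns


def covering_record(net):
    """Find the authorisation record whose prefix covers the announced network."""
    for p, (asn, maxlen) in AUTHORISED.items():
        roa_net = ipaddress.ip_network(p)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            return roa_net, asn, maxlen
    return None


def classify(net, origin):
    """Label one announcement; 'unknown' means the holder has no record for it."""
    rec = covering_record(net)
    if rec is None:
        return "unknown"
    roa_net, asn, maxlen = rec
    # A dormant block should not be announced by anyone, not even its own ASN.
    if str(roa_net) in DORMANT:
        return "dormant-block-announced"
    if origin != asn:
        return "origin-hijack"
    if net.prefixlen > maxlen:
        return "too-specific"
    return "valid"


def audit(text):
    """Classify every announcement in a route dump."""
    return [(str(net), origin, classify(net, origin))
            for net, origin, _path in parse_routes(text)]


if __name__ == "__main__":
    for prefix, origin, verdict in audit(ROUTES):
        print(f"{prefix:18} AS{origin:<6} {verdict}")
```

The "too-specific" case matters because a more-specific announcement wins longest-prefix routing even when the legitimate covering prefix is still advertised; a dormant block being announced at all is the signal the article says companies monitoring their unused addresses would see.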

In the real case of 3ve, after the digital advertising companies had been defrauded of $29M, some of the culprits were indeed caught and apprehended.