Massive Ad Fraud Scheme Relied on BGP Hijacking

This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol:

Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly "viewed" ads that were hosted on bogus pages run by the scammers themselves­ -- who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers' fraudulent page requests through millions of compromised IP addresses.

About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that's where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.

Lots of details in the article.

An aphorism I often use in my talks is "expertise flows downhill: today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacking tools." This is an example of that. BGP hacking -- known as "traffic shaping" inside the NSA -- has long been a tool of national intelligence agencies. Now it is being used by cybercriminals.

EDITED TO ADD (1/2): Classified NSA presentation on "network shaping." I don't know if there is a difference inside the NSA between the two terms.

Posted on December 28, 2018 at 6:43 AM • 20 Comments

Comments

Peter S. ShenkinDecember 28, 2018 9:06 AM

Just another example of the democratization of espionage, pioneered by Snowden and Assange.

HumdeeDecember 28, 2018 10:03 AM

@Peter writes, "Just another example of the democratization of espionage, pioneered by Snowden and Assange."

As opposed to the corporatization of espionage pioneered by Google, CISCO, AT&T, and Intel.

Impossibly StupidDecember 28, 2018 10:28 AM

While online advertising tactics make it really hard to cry for them when they get scammed like this, the general security problems it highlights are pretty bad. Most galling to me is the level of incompetence exhibited by the people who received reports of abuse early on but did nothing to correct their procedures. Not only should jobs be lost, at this point it really seems like entire organizations should be disbanded and replaced by ones that actually give a damn about doing things right.

Clive RobinsonDecember 28, 2018 3:03 PM

Perhaps it should be mentioned that,

    There is no honour amongst marketers and thieves.

Many of us rate Internet marketers as being equivalent or worse than thieves out of gut instinct. But part of this story confirms it in big bold letters.

From what has been said the fact that the ads were being scamed was known to people all the way along the chain from the thieves themselves upto and including the agency taking the money from the company placing the adds.

There was no incentive --in fact the opposit-- for those along the chain to report back what they were only too aware of, that a scam was going on.

So whilst the official criminals in this story walked away with millions, we should perhaps be asking how many more millions were taken by those in the marketing chain who had almost certain knowledge a scam was going on but did nothing so the profit kept walking in their door...

Rach ElDecember 28, 2018 3:46 PM

3ve (pronounced "eve")


No. It's pronounced 'three-ve'. Unless you're an illiterate Silicon Valley startup marketing officer or CEO. Thus granted permission to take juvenile liberties with english pronunciation and spelling when naming something


Rach ElDecember 28, 2018 3:48 PM

Although, a 3 backwards becomes a E. A bit like Sesame Street. That's known as dyslexia. That can't be held against someone. Just run it through spell check first

Clive RobinsonDecember 28, 2018 4:05 PM

@ Rach El,

Although, a 3 bacwards becomes a[n] E

It's part of L33t (Leet) speak, apparently very small persons thought bigger persons would not understand it. Now a decade or so later those very small persons are now bigger persons they understand why everybody else "dissed them" when they were L33t...

MrCDecember 29, 2018 4:54 AM

I've got a question arising from my unfamiliarity with the topics at hand. How exactly does the BGP hijacking conceal the click fraud from discovery? The article makes clear that the miscreants were involved in both activities, but the nexus between them was clear as mud.

Impossibly StupidDecember 29, 2018 11:51 AM

@MrC

It works because the routing takes place at a lower level than ad networks (or most auditing) monitor. Maybe think of it like someone hacking GPS so that it falsely reports your location. Your weather app (or self-driving car or whatever) isn't sophisticated enough to figure out something is off, so it'll "work" like it always does, but the results will range from confusing to deadly. And for ad networks, like Clive said, there's big money in intentionally turning a blind eye to fraud that's happening "externally". There's tons of plausible deniability when you can point to some other confounding factor(s).

TomS.December 29, 2018 3:49 PM

@MrC:

The Google / White Ops paper describes this in fairly understandable terms. The paper seems not to target technical audiences or other researchers. I found it long on adjectives and short on the network level details. The Ars article and links within were more informative.

The group fraudulently used three IP resources, Autonomous System Numbers (ASNs), IP address ranges, and Internet Routing Registry entries (IRR). This constitutes the BGP component used in one of the three sub-campaigns. Attackers also compromised end-user systems and datacenter servers.

Ad networks characterize the source of the clicks for fraud detection. Consider an attacker having compromised servers at a cloud or hosting provider. A bunch of ad clicks coming from datacenter address ranges get flagged as fraudulent by the ad network, and the attacker doesn't get paid.

Now, setup some fraudulent IP infrastructure. Make it so that traffic from the datacenter is proxied (relayed) through that fraudulent infrastructure. You get the processing capacity and bandwidth of data centers, but the look of networks with people instead of servers.

A little more detail:
The group owned at least two legitimate ASNs. They stole ASN's & IP ranges that were neglected by current owners or had gone defunct. They associated stolen ASN's and stolen IP ranges together. They fraudulently made IRR entries to lend validity to the theft. They purchased internet access and propagated fraudulent information into the global BGP routing tables through the legitimate resources they owned.

At least two persons spotted pieces of the fraudsters' theft and sounded alarms one or more years ago.

Overall, the BGP hijack was a relatively small part of the smaller of the three campaigns under the 3ve umbrella.

I think the fraudsters worked hard at finding and exploiting cracks: unattended assets, lack of security by IP resource owners, stale databases, and lack of reconciliation between Regional Internet Registries.

If we're not willing to work harder than the bad guys to keep our stuff, we lose.

MrCDecember 29, 2018 7:22 PM

Thank you TomS. That clears up the question completely.

I've got two more questions:

1. It appears that the miscreants essentially set up a fake ISP through which to route their clicks. What if they were a real ISP? If, for instance, Comcast were to add 5% click fraud on top of their legitimate customers' traffic, could that be detected?

2. Why should I care? I've got no love for ad networks, and, thanks to ad-blocking browser extensions, I see very, very few ads. So, this story to me feels like someone else's gonorrhea virus fell for a scam. Does click fraud redound to anyone beyond the advertisers and Google's shareholders in some way that isn't obvious at first?

TomS.December 30, 2018 12:22 AM

@MrC
I think your last question is more important than the first, so I've taken the liberty of answering out of order.

Does click fraud redound to anyone beyond the advertisers and Google's shareholders in some way that isn't obvious at first?
I believe the answer is a resounding yes. A caveat first. I know very little about the online ad market beyond helping a couple of local small business with some keywords and prices.
  1. The fraud increases the prices that honest advertisers have to pay to have their message show up. Of note, part of 3ve's fraud was fake webservers creating fake space to display ads that got sold to real buyers whose ads were clicked on by fake browsers. That means your ad budget was eaten by bots, and never displayed to real potential customers.
  2. Fraud incentivizes ad providers to ever more invasive browser fingerprinting and user tracking techniques. Not that I think a lack of fraud will reduce those activities. A decline in fraud would remove a justification the networks use, making it easier to fight other motives.
  3. Ever increasing effort to combat intrusiveness and preserve a measure of privacy. Sure, you can do it. How about family that you help, youth, elders that you care for?
If Comcast were to add 5% click fraud on top of their legitimate customers' traffic, could that be detected?
Assuming roughly equal distribution of customers between Comcast and other "eyeball" networks, those with people on them, then I'd guess it would be possible. I do not know how sensitive the fraud detection algorithms are. Pure speculation follows. Assume an ad network sees a click-through rate of x% across all impressions. Data analysis lets them see by income level, geography, gender, etc. Now introduce the ISP Y based fraud. If ISP Y starts showing an x+5% increase in response across all ad impressions relative to other eyeball nets, that might stick out. Could one make it a small enough percentage to hide in the noise but remain profitable? I won't be the one conducting that experiment.


There's a saying, "Hogs get slaughtered, pigs get fed." Here's an example. In the glory days of online poker, some were headquartered in Central America. A hacking group compromised a router feeding one of the biggest online sites. They cut off access for a short period of time and demanded millions of dollars. They got the money. Over a period of time, many died. Later, another group compromised the same router. They asked for, and received, regular payments of lesser value. They lived, or so the story goes.

Rach ElDecember 31, 2018 12:00 AM

TomS

Here's an example. In the glory days of online poker, some were headquartered in Central America. A hacking group compromised a router feeding one of the biggest online sites. T


Do you have a link to this story?

TomS.December 31, 2018 1:15 PM

Before posting, I checked my archives and couldn't find a link. Multiple 'Net searches failed as well. Nothing @ Snopes either. I've reached out to a friend, but won't hear back for a while.

I can't independently confirm the story.

JimmyJanuary 1, 2019 6:07 AM

@MrC,

The true fraud is on us all... think of it all as a way to funnel money to intended receivers. those who are not intended recipients are what they all fraudsters.

this puts the "onus" away from the system designers and puts it onto the system's users, thru an indefinitive interpretation of "intended usage."

DanielleApril 4, 2019 7:50 AM

BGP hijacking happens almost on a daily basis and represents a serious security threat to public Internet. Unfortunately, the well-known BGP hijacking prevention options do not represent the universal remedy for the problem. The benefits of BGPsec implementation can only be obtained once a large number of ASes deploy it, which in its turn depends on individual ASes business objectives. RPKi and BGPsec solutions are far from within reach of being fully utilized. Prefix filtering on the client side should help prevent most instances of leaks and accidental hijacking, along with adequate filters on the connected provider side.

For truly malicious hijacking, the only option is to hope that the connected provider has adequate filters, to monitor where your prefixes are being announced from and, if needed, announce smaller prefixes so that control can be regained, until the incident can be resolved with the malicious announcers’ upstream providers.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.