Hacker group behind massive advertising fraud campaigns taken down
28 November 2018
Eight prominent members of a cybercriminal group that carried out multi-million-pound digital advertising fraud campaigns that included wire fraud, computer intrusion, aggravated identity theft and money laundering in several countries were recently indicted on thirteen counts by a U.S. court.
The cybercriminal group, dubbed the KovCoreG group by security researchers at Proofpoint, used the Kovter ad malware to carry out digital advertising fraud activities through social engineering tricks and by bypassing malware sandbox systems.
Kovter ad malware exposed millions of Internet users
In just over a year, the group exposed millions of potential victims in the US, Canada, the UK, and Australia after leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.
The group was also behind the well-known ad fraud malware attack on PornHub last year that exposed millions of users who visited the website via Google Chrome, Firefox and Microsoft Edge browsers.
According to Proofpoint, the KovCoreG group hacked into Pornhub advertising and posted fake browser updates to induce visitors to click on them. While Chrome and Firefox users were asked to click on such links to update their browsers with the latest fixes, Microsoft Edge users were offered an update to the Adobe Flash Player.
Once a visitor clicked on such a link, he/she was asked to open a download file which contained zipped files known either as runme.js, firefox-patch.js or FlashPlayer.hta, depending upon the browser being used. Once these files were downloaded and run by visitors, they downloaded payloads that contained Powershell scripts that embedded shellcodes. These shellcodes launched ‘avi’ files which were, in fact, Kovter ad fraud malware which then took control of devices and generated clicks for fraudulent advertisements.
Massive advertising fraud that reaped millions
According to the U.S. Department of Justice, rather than placing advertisements on real publishers’ websites, the group rented more than 1,900 computer servers housed in commercial datacenters in Dallas, Texas and elsewhere, and used those datacenter servers to load ads on fabricated websites, thereby “spoofing” more than 5,000 domains.
The group also leased more than 650,000 IP addresses, assigned multiple IP addresses to each datacenter server, and then fraudulently registered those IP addresses to make it appear as if the datacenter servers were residential computers belonging to individual internet users who were subscribed to various residential ISPs.
This way, the group was able to falsify “billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users”.
At the same time, the hacker group also caused a further $29 million loss to businesses by using a large network of 1.7 million malware-infected computers without the knowledge of the owners of such computers and used hidden browsers on those infected computers to download fabricated webpages and load ads onto those fabricated webpages.
“These individuals built complex, fraudulent digital advertising infrastructure for the express purpose of misleading and defrauding companies who believed they were acting in good faith, and costing them millions of dollars. This kind of exploitation undermines confidence in the system, on the part of both companies and their customers,” ssid FBI Assistant Director-in-Charge Sweeney.
“KovCoreG demonstrates how a financially motivated actor can adapt, evolve, and innovate over several years, influencing the threat landscape while remaining effective and viable as they fly under the radar of law enforcement, the sites and ad networks they abuse, and end users. KovCoreG also provides a window into the ways in which affiliate models can grow, increasing the footprint of a particular threat while spreading the risk for a single threat actor,” noted researchers at Proofpoint.
“KovCoreG has been at the forefront of malvertising, exploit kit usage, and, as EKs declined, social engineering, while distributing lucrative malware through multiple vectors. Through their relatively long history, the group has adapted to the shifting popularity of scareware, “police locker” ransomware, exploit kits, and, for the last few years, taken advantage of the massive scale and automation of online advertising,” they added.