The year 2018 is stacking up to be the year of cybercrime prosecution, with the U.S. Department of Justice (DoJ) flexing its muscle and truly demonstrating the “long arm of the law.” The number of indictments, extraditions, trials and convictions give us a sense that attorney generals across the United States have been given hunting licenses for cybercriminals.
One recent example is the takedown of two separate cybercriminal entities engaged in digital advertising fraud, which netted the perpetrators tens of millions of dollars. The eight indicted individuals were from the Russian Federation, Ukraine and Kazakhstan. Three of the eight indicted have been arrested outside the United States:
- Sergey Ovsyannikov was arrested in Malaysia.
- Alexsandr Zhukov was arrested in Bulgaria.
- Yevgeniy Timchenko was arrested in Estonia.
The other five remain at large.
The case of these two organizations are interesting from several perspectives. The art of the crime is certainly of interest and is detailed in the criminal indictment and resulted in a US-CERT Alert TA18-331A “Major Online Ad Fraud Operation.”
Crime Pays Well
All told, more than 1.7 million computers were infected and used for the adware scheme. The botnets netted the criminals more than US$29 million via the computers of ordinary users.
The second scheme involved renting 1,900 computer servers housed in a Dallas computer center from which the criminals leased more than 650,000 internet protocol (IP) addresses and then configured their hardware and IP addresses to resemble “human internet users.” Additionally, they spoofed more than 5,000 domains. Once configured, the criminals pushed the button and the machines emulated the actions of humans, creating billions of fraudulent ad views. They netted more than US$7 million.
Public-Private Partnership Exemplified
Perhaps the more interesting aspect of this indictment and neutralization of the cybercrime infrastructure is the extent of the global public-private collaboration. The DoJ’s press release concerning the arrests and dismantling highlighted this cooperation and it is impressive.
White Ops and Google were highlighted as being instrumental in both the investigation and the botnet takedown. Proofpoint Inc., Fox IT B.V., Microsoft Corp., ESET, Trend Micro Inc., Symantec Corp., CenturyLink Inc., F-Secure Corp., Malwarebytes, MediaMath, the National Cyber-Forensics and Training Alliance and the Shadowserver Foundation all were given a shoutout for their part in the takedown of the botnet.
It’s impressive enough to have the number of cybersecurity companies and organizations involved working together toward a common cause: neutralizing the cybercriminal. It gets even more impressive when you include the number of countries and law enforcement organizations involved. Malaysia, Bulgaria, Estonia, Germany, The Netherlands, Switzerland, France, Poland and the United Kingdom all had a hand; the liaison of their governments’ law enforcement and federal prosecutors falls under the remit of the FBI’s Legal Attaché offices.
Google shared how it worked with White Ops and have availed to the community a white paper that discusses how the ad fraud operation was identified and the technical work that took place to identify the criminal patterns. The white paper, “The Hunt for 3ve,” is worth a read.
White Ops and Google demonstrated the value of collaboration in the cybersecurity world when taking on the global criminal entities.
The message being sent is the United States will pursue, seek the arrest and move to extradite criminals from abroad.