Malvertiser behind 100+ million bad ads indicted in the US

The Netherlands has extradited a Ukrainian man to the US to face charges of taking part in a multi-year, international malvertising campaign in which conspirators allegedly attempted to smear malware onto victims’ computers on more than 100 million occasions.

31-year-old Oleksii Petrovich Ivanov was indicted in a court in Newark, New Jersey, on Friday, according to the US Justice Department.

He’s facing one count of conspiracy to commit wire fraud, four counts of wire fraud, and one count of computer fraud. Dutch police have had Ivanov since his arrest on 19 October 2018, after an international investigation led by the US Secret Service in coordination with Dutch law enforcement. Indicted on 3 December 2018, Ivanov arrived in the US last Thursday and has been detained without bail.

A plate of bogus ads fed to online ad platforms

According to the indictment, between about October 2013 and May 2018, Ivanov and a group of unnamed accomplices allegedly launched online advertising campaigns that looked legitimate but which tried to redirect unsuspecting visitors to malware, unwanted ads, and other computers that could install malware.

He and his co-conspirators allegedly hid behind fake online personas and phony companies to place ads on third-party sites, such as shopping, news, entertainment, or sports websites. Ivanov and his buddies allegedly told advertising companies they were distributing ads for real products and services and even cooked up false banners and websites showing purported ads. Those advertisements purchased by the ad companies were, however, used to push malware out onto the computers of whoever viewed or clicked on them.

The indictment gave this example of the malvertising campaigns: in June and July 2014, Ivanov allegedly posed as “Dmitrij Zaleskis,” CEO of a fake UK company called “Veldex Limited” to submit a series of malvertisements to an unnamed, US-based internet advertising company for distribution. Two of the campaigns, submitted on 15 July 2014, racked up about 17,328,129 impressions in a matter of days.

Hey, your ads are being flagged as malware, the ad company told Ivanov – repeatedly. He allegedly denied any wrongdoing and talked the company into continuing to run the malverts – for months.

After the malverts were flagged by multiple online advertisers and advertising server platforms, Ivanov and others are alleged to have lied and denied that their ads were up to no good. When those ads were banned for being malicious, the conspirators allegedly simply switched to new online advertising companies, using new fake identities to buy more advertisements: the malvert version of Whack-a-Mole.

The gang also allegedly used fictitious identities to register internet domains that hosted malvertising and launched advertising campaigns that were purportedly legitimate. Ivanov and co-conspirators also allegedly tried to sell access to botnets made up of the systems that they managed to infect.

Lots of victims

As we’ve seen before, even trusted, well-known websites can get polluted by malvertising. Over the course of one weekend in 2016, we saw the sites of the BBC, Newsweek, The New York Times and MSN all get infected.

The pain is spread all around: it hurts the victims whose computers are infected with malware after they visit what are normally boring, trusted sites, seeking what’s typically useful information; it hurts the sites that are affected; and it gouges a hole into what should be the profits of ad networks.

Recent big busts

Lately, US authorities have been cracking down on the ad fraudsters behind all that pain. In November, the US charged eight men from Russia and Kazakhstan with running a vast ad-fraud scheme that milked a total of $36 million from advertisers.

They raked in the money via two systems. One, dubbed Methbot by the researchers who discovered it in 2016, was a farm of 1,900 datacentre servers rented to host 5,000 spoofed websites, which were fed bogus traffic and made to look like real sites, including CNN, the New York Times, CBS Sports, and Fox News. The suspects allegedly made an estimated $7 million from what was basically a computer program talking to itself.

That ill-gotten gain was multiplied about four times by the other system, called 3ve, a hugely profitable click-fraud botnet comprising 1.7 million computers infected with the Kovter malware that ran between December 2015 and October 2018. By generating fake traffic to ads, the gang allegedly pulled in an estimated $29 million with 3ve.