
The ‘king of fraud’ who commanded an army of millions


Aleksandr Zhukov and his co-conspirators executed one of the largest ad fraud operations the world has ever seen.

Earlier this year, the self-described “king of fraud” stood trial in a federal court in Brooklyn, New York. Aleksandr Zhukov was said to have defrauded the advertising industry of upwards of $7 million, in what has been described as one of the most sophisticated ad fraud campaigns to date. Although he pled not guilty, unlike his co-conspirators, Zhukov was ultimately convicted of four charges related to wire fraud and money laundering, and now awaits sentencing.

According to security company Human, which played a central role in bringing Zhukov to justice, the verdict sets an important precedent that will change the economics of fraud and go some way to discouraging future campaigns. More interesting than the verdict, though, are the techniques Zhukov and his team abused to game the digital advertising system. In short, he commandeered data center infrastructure and infected consumer devices to create armies of bots capable of generating billions of fake ad views per day.

“This internet that we love is fueled by slices of human attention,” Tamer Hassan, Human CEO, told TechRadar Pro. “What’s crazy is that the market is flooded with fake human attention and this has changed the economics of the web.”

“We see botnets designed to engage with ads, listen to music, watch TV and manipulate public sentiment. It all comes down to one question: if you can look like a million humans, what can you do?”

Botnets come in all shapes and sizes and can be used for various kinds of cybercrime, from DDoS attacks, spam and data theft to sniping limited stock on ecommerce websites. Since 2016, Zhukov has assembled two different botnets, primarily for the purposes of defrauding members of the online advertising ecosystem: Methbot and 3ve (pronounced “Eve”).

To build the former, his group established more than 250,000 URLs under roughly 6,000 spoofed domains, mimicking the websites of major publishers to trick the algorithms that determine which ads are best placed where. Using data center infrastructure and IP addresses acquired with forged registration data, the cybercriminals then launched massive volumes of fake traffic at the ads, raking in pay-per-click revenue. At its peak, Methbot was capable of simulating 300 million video ad views per day.

3ve was even more sprawling and complex, powered by both data center infrastructure and 1.7 million Windows devices infected via malvertising. This second botnet was capable of generating 12 billion fake ad requests per day across 10,000 spoofed domains, and evaded detection by imitating human behaviors such as mouse movement and clicks.
