An enormous ad fraud botnet, 3ve, was shut down after 1.7 million PCs were infected to falsify 12 billion ads per day. Plus, Microsoft warns of ‘inadvertently disclosed digital certificates’ that could allow man-in-the-middle attacks.

A massive team of security companies and federal agencies worked together to shut down an enormous click fraud operation. Although 3ve, pronounced Eve, started as a small botnet, by the time it was sinkholed, it was using 1.7 million infected computers to falsify billions of ad views, which resulted in businesses paying over $29 million for ads that no real human internet users ever saw.

A Google-released whitepaper (pdf) revealed that “3ve generated between 3 billion and 12 billion or more daily ad bid requests at its peak.”

When announcing the unsealing of a 13-count indictment against eight defendants, the Department of Justice said the FBI took control of 31 domains and took information from 89 servers that were part of the botnet infrastructure engaged in digital advertising fraud activity.

US-CERT published a technical alert about the malware associated with 3ve, Boaxxe/Miuref — dubbed Methbot in the WhiteOps paper — and Kovter malware, as well as potential solutions proposed by the FBI and Department of Homeland Security (DHS). If you believe you were a victim of the malware or hijacked IPs, you are urged to submit a complaint to www.ic3.gov using the hashtag of #3ve in your complaint.

Other cybersecurity news

FBI made fake FedEx site and deployed NIT to track down cyber crooks

The FBI created a fake FedEx website and deployed a Network Investigative Technique (NIT) after a failed attempt to learn the real IP address of cyber criminals. The fake FedEx page, according to Motherboard, would deliver the message Access Denied when the crooks tried to access it from behind proxies.
The FBI then booby-trapped a Microsoft Word document that required the target to exit “protected mode” in order for an embedded image to connect to an FBI server to reveal where the criminal was located.

Popular Google Play apps found to be committing ad fraud

Researchers from Trend Micro and Kochava warned of bad apps on Google Play. Kochava said, “Eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars.” Trend Micro identified seven Android apps in Google Play with FraudBot instances.

Massive iOS malvertising campaign hijacked 300 million iOS browser sessions in 48 hours

Researchers at Confiant revealed a monster of an iOS malvertising campaign that is estimated to have racked up 300 million impressions in a 48-hour period. The targeted iOS devices, mostly in the U.S., were forcefully redirected to “fake ‘you’ve won a gift card’ or adult content landing pages.” The pages usually attempted to phish visitor data for affiliate marketing-related fraud or to steal personal identification data. “The session is hijacked without user interaction,” the researchers said.

Third-party biller breach exposes 2.65 million Atrium Health patients

Thanks to a dreaded third party, a vendor used for billing services, hackers managed to get hold of the personal information of 2.65 million patients. AccuDoc Solutions, the third-party vendor, notified Atrium Health that an unauthorized third party accessed its databases. Atrium Health said the 2.65 million compromised patient records included “names, addresses, dates of birth, insurance policy information, medical record numbers, invoice numbers, account balances and dates of services.
Atrium estimates about 700,000 of the exposed records may have also included Social Security numbers.”

Microsoft warns of ‘inadvertently disclosed digital certificates’ that could allow man-in-the-middle attacks

Microsoft issued a security advisory warning of a fairly significant oops — that two applications, Sennheiser HeadSetup and HeadSetup Pro, accidentally installed two root certificates on users’ PCs, thus allowing man-in-the-middle attacks. How very Superfish.

The advisory notified customers of “two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication.”

Secorvo Security Consulting published a vulnerability report (pdf) and proof-of-concept code showing how easily an attacker could exploit it to extract private keys.

Microsoft updated the Certificate Trust List to remove user-mode trust for the certificates. Vulnerable customers with the software were advised to install an updated version of the HeadSetup and HeadSetup Pro applications.