The internet is a great place to be on an everyday basis, but it can also be an unsafe space, and that’s an issue that won’t go away anytime soon. Here’s the thing: a major online advertisement fraud operation known as “3ve” is currently under investigation by security agencies within the United States government. We understand that the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are working together on this case and have published a joint Technical Alert (TA) about it.
3ve online ad fraud operation disrupted
Here’s a short description of what 3ve is and how it works:
“Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors) and funneled the advertising revenue to cybercriminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.”
This is definitely a huge scam, and it could take a very long time to get things under control.
Let’s talk about Boaxxe/Miuref Malware
OK, so the Boaxxe malware is spread through email attachments and drive-by downloads. The fraud scheme itself runs mainly out of a data center, where hundreds of machines browse to counterfeit websites.
Whenever a browser loads one of these counterfeit websites, the page sends out requests that ultimately place one or more ads on it.
What about the Kovter malware?
This one can also be spread through email and drive-by downloads. What separates it from Boaxxe is that it runs a hidden Chromium Embedded Framework (CEF) browser on infected machines.
A server then tells that hidden browser to visit a counterfeit website, and advertisements are loaded in it on the unsuspecting user’s machine.
How to detect & remove Boaxxe and Kovter from your computer
We understand that Boaxxe likes to leave executables on the machines it infects. To locate these files, look in the following locations:
- %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
- %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
- %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\
As for Kovter, it also leaves executables, among other things, in the following locations on your computer:
- %UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
- %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
- %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
- %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat
- %UserProfile%\AppData\Local\<RANDOM>
- HKCU\SOFTWARE\<RANDOM>\<RANDOM>
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
To set things right, visit the locations listed above, delete the executables you find there, and remove the Run-key entries that point to them.
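Checking those locations by hand is error-prone, so here is an added PowerShell example (not code from the original post or from the DHS/FBI alert) that walks the file-system paths and the HKCU Run key listed above and reports what it finds, with a SHA-256 per file, so the hits can be reviewed before anything is deleted. It removes nothing. The eight-alphanumeric-character pattern it uses for the `<RANDOM>` folder names is an assumption; the post gives only the placeholder.

```powershell
# Added example, not code from the original post or from the DHS/FBI alert it summarises.
# Walks the file-system and Run-key locations listed above and reports what is there,
# with a SHA-256 per file, so the findings can be reviewed before anything is removed.
# It deletes nothing. The eight-alphanumeric-character pattern used for the
# "<RANDOM>" folder names is an assumption, not something the post specifies.

function Get-AdFraudArtifactReport {
    $local    = Join-Path $env:USERPROFILE 'AppData\Local'
    $findings = New-Object System.Collections.Generic.List[object]

    # Record one on-disk hit, hashing it so it can be compared against known-good files.
    function Add-FileFinding([string]$Source, [System.IO.FileInfo]$File) {
        $hash = Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        $sha  = $null
        if ($hash) { $sha = $hash.Hash }
        $findings.Add([pscustomobject]@{
            Source = $Source
            Item   = $File.FullName
            Bytes  = $File.Length
            SHA256 = $sha
        })
    }

    # Boaxxe: the fixed lsass.aaa file under VirtualStore.
    $lsass = Join-Path $local 'VirtualStore\lsass.aaa'
    if (Test-Path -LiteralPath $lsass -PathType Leaf) {
        Add-FileFinding 'Boaxxe VirtualStore' (Get-Item -LiteralPath $lsass)
    }

    # Boaxxe and Kovter: .exe/.bat files sitting directly in %LOCALAPPDATA%\Temp.
    Get-ChildItem -LiteralPath (Join-Path $local 'Temp') -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.bat' } |
        ForEach-Object { Add-FileFinding 'Temp dropper' $_ }

    # Boaxxe and Kovter: <RANDOM>\<name>.exe/.bat/.lnk one level below %LOCALAPPDATA%.
    # Assumption: a "random" folder name is exactly eight letters or digits.
    Get-ChildItem -LiteralPath $local -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z0-9]{8}$' } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.exe', '.bat', '.lnk' } |
                ForEach-Object { Add-FileFinding 'Random AppData folder' $_ }
        }

    # Kovter: executables parked in the IE cache (Content.IE5\<RANDOM>\<RANDOM>.exe).
    $ieCache = Join-Path $local 'Microsoft\Windows\Temporary Internet Files\Content.IE5'
    Get-ChildItem -LiteralPath $ieCache -Recurse -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-FileFinding 'Content.IE5 cache' $_ }

    # Both families: HKCU Run entries whose command line points into %LOCALAPPDATA%.
    # (HKCU\SOFTWARE\<RANDOM>\<RANDOM> has no usable pattern; compare that part of
    # the hive against a known-good baseline by hand.)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -LiteralPath $runKey) {
        $key = Get-Item -LiteralPath $runKey
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            if ($cmd -match '\\AppData\\Local\\') {
                $findings.Add([pscustomobject]@{
                    Source = 'HKCU Run entry'
                    Item   = "$name = $cmd"
                    Bytes  = $null
                    SHA256 = $null
                })
            }
        }
    }

    return $findings
}

# Usage: print the report for review, or pipe it to Export-Csv to attach to a ticket.
Get-AdFraudArtifactReport | Format-Table -AutoSize
```

Run it in the context of the user being checked, since both `%UserProfile%` and `HKCU` are per-user; on a shared machine that means once per profile. Treat every row as a lead rather than a verdict: these are generic locations that legitimate software also uses, so compare the hashes against a known-good inventory before removing anything, and remove the matching Run entry together with the file so the dropper is not re-launched at the next logon.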
The U.S. government stated that 3ve had managed to control over 1.7 million Internet Protocol (IP) addresses around the world, and none of us knew about it.