Working With Law Enforcement, Team Cuts Off Servers for Zombie Computers
By CHRISTOPHER S. STEWART and MERISSA MARR
Updated Dec. 5, 2013 8:55 p.m. ET
For months, investigators at Microsoft Corp. hunkered down in front of their computer monitors, patiently stalking the shadowy figures behind what the company says is a major Web ad-fraud machine.
Then, on Thursday, they pounced. Armed with a court order and law enforcement help overseas, the team took steps to cut off communication links to European-based servers considered the mega-brain for an army of zombie computers known as ZeroAccess.
Criminals for years had used the ZeroAccess "botnet," which combines the power of more than 2 million hijacked computers—or bots—around the world, to fraudulently bill some $2.7 million a month from online advertisers, company investigators say.
Microsoft doesn't know precisely who is behind ZeroAccess, nicknamed after code in the malware, but suspects the operators are based in Eastern Europe. Last week the company filed a civil suit in federal court in Texas, where there is a high concentration of bots. It got authorization to knock out connections between infected computers in the U.S. and the European-based servers linked to a core of 18 IP addresses. The unit said it also worked with the European law enforcement agency Europol to seize the computer servers, located in Latvia, Germany, Switzerland, Luxembourg, and the Netherlands.
The coordinated attack reflects increasingly aggressive efforts by businesses to police a largely unpoliced world, where hackers are scheming to grab some of the money flowing into digital ads.
Microsoft has good reason to finance its own digital detectives. It owns multiple targets for infection, including the Bing search engine; the Bing Ads exchange; and the Windows operating system, which runs on many of the Web-enabled computers around the world. Going after ZeroAccess helps defend its brand and reputation, the company said.
Microsoft's Digital Crimes Unit recently moved into a new 16,800 square-foot headquarters in Redmond, Wash., to wage its war. Touch-screen monitors detailing the workings of suspected cybercriminals blink on the walls. The team, which numbers more than 100, juggles around five malware cases at a time, among other digital crimes.
This year, digital-ad spending in the U.S. is expected to rise 14.9% to $42.3 billion, according to eMarketer. Security company Solve Media Inc. estimates that digital losses world-wide for display advertising alone could run as high as $10 billion this year.
As the industry has ballooned online, so has its complexity, creating a labyrinth of openings for criminals. The growing automation of stock-market-like advertising exchanges, where fast-paced trading in ad space between multiple parties is hard to track, has opened up a particular vulnerability in the ecosystem, security firms say. An explosion in websites and many layers of new middlemen has made it easy for fraudsters to hide out, the firms say.
At its most basic, digital ad fraud involves generating fake traffic. It works because marketers pay websites for advertising space, with the payments typically determined by the number of people who are supposedly clicking on the site and able to see the spot.
A popular scam involves gaming that basic business model. Hackers build websites and direct hijacked computers to them, to give the appearance of real Web traffic. Advertisers' pitches, drawn by the traffic, then appear on the fake sites where there is no real audience. Sometimes the advertisers pay directly and other times through middlemen.
ZeroAccess specialized in "click fraud," where it directed each of its almost two million bots to click on as many as 48 ads an hour—all day long, according to investigators. Another of its schemes was "search hijacking," where a user's search results from, say, Google or Bing, were redirected to websites connected to the alleged criminals, according to the Microsoft civil complaint.
In one case, Microsoft investigators said ZeroAccess directed a hijacked computer through six suspicious-looking websites, with little useful content, before landing on something called search.lookcastle.com. There, an ad was delivered for the credit company creditrate.com—which the zombie computer clicked on. This all happened in the blink of an eye, unbeknown to the computer owner. Had Microsoft not caught it, creditrate.com would have been billed.
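The click-fraud pattern described above (a sustained, superhuman click rate and a long chain of redirects before the ad page) is what an exchange-side filter looks for. The following detector is an added example, not Microsoft's or any exchange's code; the log format, thresholds and hostnames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds tuned to the behaviour described in the article: ZeroAccess bots
# clicked up to 48 ads an hour, all day long. Values here are assumptions.
CLICKS_PER_HOUR = 30      # per-client hourly rate considered superhuman
SUSTAINED_HOURS = 6       # how many consecutive hours at that rate to flag
MAX_HOPS = 5              # redirect hops before the landing page considered suspicious

def parse_line(line):
    """Parse a constructed log line: 'ISO8601 client hops landing_host ad_domain'."""
    ts, client, hops, landing, ad = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, int(hops), landing, ad

def flag_click_fraud(lines):
    """Return {client: reason} for clients whose click pattern looks bot-driven."""
    hourly = defaultdict(lambda: defaultdict(int))   # client -> hour bucket -> clicks
    long_chains, total = defaultdict(int), defaultdict(int)
    for line in lines:
        ts, client, hops, _, _ = parse_line(line)
        hourly[client][ts.replace(minute=0, second=0)] += 1
        total[client] += 1
        if hops >= MAX_HOPS:
            long_chains[client] += 1
    flagged = {}
    for client, buckets in hourly.items():
        run = best = 0
        prev = None
        for hour in sorted(buckets):           # longest run of consecutive busy hours
            busy = buckets[hour] >= CLICKS_PER_HOUR
            consecutive = prev is not None and hour - prev == timedelta(hours=1)
            run = (run + 1 if consecutive else 1) if busy else 0
            best, prev = max(best, run), hour
        if best >= SUSTAINED_HOURS:
            flagged[client] = f"{best} consecutive hours at >={CLICKS_PER_HOUR} clicks/hour"
        elif long_chains[client] > total[client] / 2:
            flagged[client] = "most clicks arrive via long redirect chains"
    return flagged

def constructed_log():
    """Constructed sample: one bot-like client clicking all day, one human-like client."""
    base, lines = datetime(2013, 12, 5), []
    for hour in range(24):
        for i in range(48):                    # 48 clicks an hour, around the clock
            ts = base + timedelta(hours=hour, minutes=i * 60 // 48)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} bot-a 6 search.example.test ad.example.test")
    for hour, minute in [(9, 12), (13, 40), (20, 5)]:
        ts = base + timedelta(hours=hour, minutes=minute)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user-b 1 news.example.test ad.example.test")
    return lines

if __name__ == "__main__":
    print(flag_click_fraud(constructed_log()))
```

Exchanges in practice combine this kind of rate check with many other signals, but the two used here map directly onto the behaviour the investigators described.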
"These aren't just kids operating in their parents' basement," said Steve Sullivan, vice president of advertising technology at the Interactive Advertising Bureau, or IAB, an industry group, speaking about digital ad fraud. "What we have here are organized crime groups in foreign countries targeting the ad world."
With fraud becoming more sophisticated, the ad industry has started to fight back. While some companies hire outside security experts, many of the major players in the industry have their own security forces. The ad exchange AppNexus more than doubled its investigations unit in the past year. Google Inc.'s DoubleClick, one of the industry's largest exchanges, employs a geek squad of more than 100 quants, engineers, and Ph.D.s just for security purposes.
Scott Spencer, DoubleClick's product management director, said some days his team kills off as much as 10% of the exchange's traffic, using filtering techniques. Last year, they rejected about a million suspicious websites from the exchange. "It's as if you have thousands of people pick-pocketing, all orchestrated by one mastermind," Mr. Spencer said of each fraud operation.
The IAB trade group this week published a playbook for the industry, giving advertisers and websites tips on how to avoid fraud. An IAB-backed initiative is meanwhile working on a system for buyers and sellers to share intelligence on alleged fraudsters by flagging them in real-time on the exchanges.
Authorities and Internet-security companies estimate that there are perhaps thousands of botnets. The more sophisticated bots act like humans, clicking on ads, playing videos and moving products into shopping carts.
Taking out a botnet isn't easy. Hackers build them with encryption and passwords and many times control them from far-flung locations, where law enforcement is more lax.
Microsoft said it has taken action against seven other botnets in the past three years. Over the summer, Microsoft teamed up with the FBI to attack the "Citadel" botnet that allegedly stole bank account information. It isn't clear who is behind the operations of Citadel, which is being investigated by law enforcement.
Throughout its investigation, the Microsoft unit examined ZeroAccess in its lab, setting up its own infected computers to study how the botnet worked. It kept the operation secret, said Richard Boscovich, assistant general counsel of the Microsoft investigative unit. "If the bad guys sense us monitoring them, they will change," he said, or "start cleaning" their digital trails.
Unlike many botnets, ZeroAccess didn't have a single central server controlling it. Instead, the operators had the ability to use any infected computer in the botnet to distribute commands to commit crimes, making it hard to kill off, Microsoft said.
In its civil suit, the company alleges ZeroAccess "profited unjustly." Notices of the suit were sent to the hosting companies where the 18 IP addresses are located, as well as to the registered owners of 49 domains, which are thought to be part of a backup mechanism for the botnet, and were also taken offline. Microsoft demanded they respond, or risk a default judgment.
The big question is whether Microsoft's assault on ZeroAccess will have enduring impact. ZeroAccess came back to life once before after an attack on it. Earlier in the summer, the software company Symantec Corp. disrupted the botnet, but it persisted, enlisting new computers into its zombie web of crime.
Eight hours into the operation on Thursday, Microsoft investigators said there were no signs that the operators behind ZeroAccess were responding to the shutdown action, and that they had seen a "dramatic" drop in the click fraud committed by the infected computers.
Having blocked ZeroAccess' servers, Microsoft wants to begin answering some of the mysteries behind the crime machine, including the identities of its backers. Details of the operation have been passed over to the FBI, Mr. Boscovich said.
"If we can't put the bad guys in jail," said Craig Schmidt, senior manager of investigations at the Microsoft unit, "at least we can take away some of their money."