Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Ukrainian National Charged in Malvertising, Botnet Scheme

Indictment Alleges Years-Long Scheme Infected Millions of PCs
Ukrainian National Charged in Malvertising, Botnet Scheme

A Ukrainian national is facing wire fraud and other charges stemming from his alleged involvement in a years-long malvertising scheme that infected millions of PCs around the world. Authorities allege that he created a botnet that other cybercriminals could rent out.

Oleksii Petrovich Ivanov, 31, was extradited from the Netherlands to the U.S. on Friday and remains in federal custody without bail, according to the U.S. Justice Department. He's charged with one count of conspiracy to commit wire fraud, four counts of wire fraud and one count of computer fraud, according to the indictment.

See Also: Webinar | Beyond Managed Security Services: SOC-as-a-Service for Financial Institutions

Ivanov was originally arrested by the U.S. Secret Service and Dutch authorities on Oct. 19, 2018, in the Netherlands. He remained there until Friday, when he was extradited to the U.S. and the indictment against him was unsealed.

Oleksii Petrovich Ivanov indictment

Ivanov faces a maximum penalty of 20 years in prison and a $250,000 fine related to the wire fraud-related charges, and up to five years in prison and a $250,000 fine for computer fraud.

Massive Malvertising Campaign

Between October 2013 and May 2018, Ivanov, along with several others, oversaw a massive malvertising campaign that directed millions of people to websites that hosted malicious ads or malware that would infect PCs and create a botnet, federal prosecutors allege in the indictment.

Over the course of five years, the victims of this scheme viewed malicious ads more than 100 million times, the indictment charges.

"This defendant engaged in an extraordinary and far-reaching scheme to infect and hack computers throughout the United States and the world," said Craig Carpenito, U.S. attorney for the District of New Jersey said. The case is being prosecuted in federal court in Newark, New Jersey.

To help keep the scheme going, Ivanov and the other unnamed accomplices allegedly used a series of phony names and fake companies to pose as legitimate companies to purchase online advertising, according to the indictment. The group even created a series of banner advertisements and websites that appeared to show legitimate products and services, the indictment alleges. These ad units, however, only pushed out malware, federal prosecutors charge.

Here's an example of how the alleged scheme worked: Between June and July 2014, Ivanov used the fake name "Dmitrij Zaleskis" and posed as the CEO of a fictitious company called "Veldex Limited" in order to buy online advertising from a U.S.-based company, according to the indictment.

Over the course of this campaign, Ivanov and his associates distributed malware and malicious ads that were viewed or accessed more than 17 million times by victims in only a few days, according to the indictment.

When the advertising company objected, saying that the ads were being flagged as malware, Ivanov denied any wrongdoing and persuaded the company to keep the campaigns running for months afterward, the indictment alleges.

This type of behavior continued for years, with Ivanov and others using a series of fake names and companies to hide what they were doing, prosecutors allege. If caught, Ivanov and his partners would drop one online advertising company and approach another with a new contract, they say.

Botnet Rental

With millions of computers around the world under their control, Ivanov and his co-conspirators were able to create a botnet, which they rented out to other cybercriminals, according to the indictment. But the indictment did not reveal how the botnet was used by others.

"Ivanov successfully infected or aided and abetted the infection of computers with malware that he controlled, including botnet malware that infected more than 100 devices in New Jersey," according to a statement from Carpenito.

The malicious advertising campaign was hosted on servers located in Sussex County, New Jersey, from the time the scheme started until federal authorities closed in down in 2018, authorities allege.

Malicious Ads Growing

Although Ivanov and his group allegedly infected millions of PCs throughout the world, some other malvertising campaigns have been even larger.

For example, in 2018, a schemed known as Zirconium served as many as a billion harmful ads across the web over the course of several years. Much like the operation that federal prosecutors allege Ivanov ran, Zirconium involved redirecting users to malicious sites or trying to get them to click using social engineering techniques (see: Online Advertising: Hackers' Little Helper).


About the Author

Scott Ferguson

Scott Ferguson

Managing Editor, News Desk

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.