Picture this: a team of white hat hackers joins forces and takes down one of the largest and most sophisticated digital fraud operations in history. Sounds like something out of a Hollywood screenplay, no? The thing is, the team at White Ops did that just last year, when they partnered with teams at Google to bring a program called 3ve to its knees.
3ve (pronounced “Eve”) reportedly infected at least 1.7 million computers at any given time during its operation, and generated between 3 and 12 million requests per day (per day!) to sell fraudulent advertising. Between December 2015 and October 2018, the program was lining the pockets of its operators with more than $29 million — until the White Ops team saw the bot shut down in its tracks and brought criminal charges against its creators.
Built In NYC got the inside scoop from Dimitris Theodorakis, a tech manager at White Ops on how White Ops collaborated with Google and law enforcement agencies to form a plan to take down one of the biggest bots in history.
How did White Ops come together with Google to tackle this threat? What did the development of that working partnership look like?
White Ops and Google independently discovered 3ve in 2017 as part of their respective efforts to detect emerging bot activity. [Within a few months], what initially looked like a small threat grew into a massive ad fraud operation. That’s when both White Ops and Google realized that a more radical approach was required to address it.
At White Ops, we’re playing the long game when it comes to ad fraud and we’ve come to realize that it’s not sufficient if we only protect our customers against adversaries like 3ve. A single victim across the entire ecosystem is enough to continue funding operations [like 3ve] with millions of dollars; That’s the primary reason that White Ops and Google joined forces to tackle this threat. When you have such a powerful shared vision, it’s fairly easy to also build a strong partnership. I was personally lucky enough to experience this project while both at Google (as a product manager) and now at White Ops (as a detection lead).
For several days, the whole team was ecstatic about the outcome — but at the same time there was also a sense of humility and readiness to tackle the next challenge.”
When it comes to a project of this magnitude, what does the working structure look like?
More than 15 entities came together — including antivirus companies, ad platforms, ISPs and law enforcement agencies — to take down the different modules of the 3ve operation and protect advertisers from its fraudulent activity. Each company had its own unique role, with White Ops, Google and law enforcement being the orchestrators of the overall effort.
The White Ops and Google collaboration was a massive project in itself. I would estimate that more than 30 people were involved in varying degrees across the two companies, including software engineers, security researchers, threat analysts, project managers, product managers, data scientists, public relations and legal. The core research team would meet on a weekly basis to share findings, indicators of compromise, and coordinate the work for the following week.
How does your tech team protect their own information while taking on such criminal cyberthreats?
As you might guess, we’re pretty obsessed with security at White Ops, and that obsession is apparent in the way we store and share information. It also guides our choice of tools and all the relevant processes we’ve established.
On a lighter note, how does the White Ops team celebrate such a huge win for the company, and cybersecurity at large?
The 3ve takedown was a very special moment for all of us at White Ops. It was the end of a long journey that lasted almost two years. For several days, the whole team was ecstatic about the outcome — but at the same time there was also a sense of humility and readiness to tackle the next challenge.
Can you tell us about what White Ops has planned for 2019? What exciting projects and developments are in the works?
Our mission is to follow botnet operators and identify the next attack vector they’ll try to exploit. That’s where we’re putting all of our focus and energy in 2019. Among other things, this includes mobile-based abuse scenarios and emerging environments such as connected TVs.
