Three years ago, a significant issue was brought to the attention of Google’s company attorneys by several security engineers. The security team discovered that the search engine giant was unintentionally contributing to the spread of a form of malware known as Glupteba.
The malware had infected over a million Windows PCs, converting them into tools for mining cryptocurrency and monitoring users. The hackers were moving toward infecting even more computers when they started to use Google Cloud tools improperly, bought Google advertisements to entice users, and took over Google accounts.
Tech giants such as Google have long had strategies in place for destroying botnets like Glupteba. Together, they coordinate a massive takedown operation by contacting other companies and various American authorities. Sometimes the police bring criminal charges. However, this time, Google’s legal counsel suggested a course of action that the business hadn’t taken in a long time: monetary litigation against the hackers.
Google’s new headache
In April 2024, Gmail and YouTube users turned to Google support forums after hackers took over their accounts, bypassing two-factor authentication security and then locking the users out. Then in July, details emerged about a “massive ad fraud operation” that leveraged hundreds of apps on the Google Play Store to perform a host of nefarious activities.
The campaign has been codenamed Konfety, the Russian word for Candy, owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds.
While the decoy apps, totalling over 250 in number, were distributed via the Google Play Store, their respective “evil twins” were disseminated through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload code from APK files onto users’ devices.
The evil twin was also masquerading as the decoy twin by spoofing the latter’s app ID and advertising publisher IDs for rendering ads. Both the decoy and evil twin sets of apps were reportedly operating on the same infrastructure, allowing the threat actors to exponentially scale their operations as required.
Crypto stealers are now exploiting Google ads to commit heinous crimes like sending phishing links to carry out malware attacks. These malicious programmes are illegally transferring cryptocurrency from victims’ wallets using various techniques, including campaign launches, deceptive websites, wallet connections, smart contract interaction, asset transfer, and obscuration.
Anti-scam solutions provider Scam Sniffer has discovered a series of crypto drainer malware attacks stealing approximately $59 million from 63,210 victims by embedding a wallet drainer dubbed MS Drainer in Google search and X (formerly Twitter) ads. The attack campaign is leveraging malicious ads on Google and X to redirect users to phishing pages.
How is Google responding?
Google has filed at least eight cases against various hackers and scammers, the first of which was the one against two Russian men and a dozen unidentified people who are allegedly behind Glupteba. The strategy, which Google refers to as affirmative litigation, aims to deter potential scammers and raise public awareness of them. For the first time, Google is now discussing this tactic.
According to leaders of Google’s legal and security teams, suing people has proven to be successful. Google has forced hundreds of businesses or websites to close, has collected almost all of the more than $2 million it has won through legal means, and hasn’t lost a single case to date. Although the awards may not seem significant to Google and its $2 trillion parent company Alphabet, they could have dire consequences for the defendants.
Affirmative litigation has been pursued by several “Big Tech” companies, albeit not always by that name and using different tactics. Since 2008, Microsoft has brought over twenty lawsuits, primarily aimed at getting court approval to take down botnets and other hacking tools. Amazon has been a vocal complainant: since 2018, it has filed at least 42 complaints regarding counterfeit goods, 38 for fraudulent reviews, three for copyright infringement, and, most recently, two for false product returns. The federal court in western Washington assigned three magistrate judges to concentrate on Amazon’s counterfeit cases due to the company’s volume of filings.
Since 2019, Meta has brought at least seven cases involving data theft or counterfeiting. Of those cases, four have resulted in settlements or default judgments, one of which saw Meta win close to $300,000 in damages. Similar to Meta, Apple is suing NSO Group, an Israeli spyware developer, for alleged acts of hacking.
A few lawyers who have researched how the private sector applies litigation to uphold the law are dubious about the plaintiffs’ chances of success. David Noll, a professor of law at Rutgers University who is writing a book called Vigilante Nation about state-sponsored private enforcement, says it’s hard to imagine that businesses could handle the number of cases required to drastically reduce abuse.
According to Noll, the biggest risk is that Google and other tech companies might be flooding the legal system with cases that, while they may garner some positive press, ultimately accomplish little to improve internet safety compared to what the companies could accomplish by investing in more effective anti-fraud measures.
Nevertheless, all six of the outside legal experts who spoke with WIRED agreed that, on the whole, Google should be commended for bolstering the efforts of the underfunded government agencies that are fighting to stop online abuse.
According to former prosecutors, it’s a low-risk initiative for the tech giant, costing an estimated hundreds of thousands of dollars per case.
Marketing scams
According to DeLaine Prado, Google has thought about taking legal action against users who misuse its platforms and intellectual property since its inception. However, the initial case that she and other Google executives filed was in 2015.
Google accused the California marketing firm Local Lighthouse of using robocalls to trick small businesses into paying to raise their search engine ranking. Google claimed deceptive advertising, unfair competition, and trademark infringement. In exchange for a settlement, Lighthouse terminated the troublesome calls.
Since then, Google has brought complaints against five allegedly dishonest marketers; thus far, settlements have been reached in three of them. A Los Angeles man who had allegedly posted 14,000 fake reviews on Google Maps agreed to stop, and a Florida company and its owners agreed to pay Google $850,000.
The third deal’s terms, involving an Illinois company, were not revealed in court documents; however, according to Google spokesperson Jose Castaneda, Google received payment in the seven figures.
Castaneda claimed that Google has given away all of the money it has raised to organisations like the National Consumers League, the Partnership to End Addiction, the Cybercrime Support Network, the Better Business Bureau Institute, and several US chambers of commerce. Individuals submitting false copyright complaints to Google in an attempt to have content removed from the company’s services have been the focus of another type of case. Google accused a man in Omaha, Nebraska, of making up an ownership claim.
Google was successful in 2022 in obtaining a default judgment against a Cameroonian who had failed to reply to accusations that he was using Gmail to con people into paying for phoney puppies, one of which was a $700 basset hound.
Google claims that following the lawsuit, complaints about the scammer decreased. However, legal experts say that the four cases Google filed against purported computer hackers are the most intriguing examples of affirmative litigation. The suits were revealed following months of Glupteba research.
Google security engineers came to the conclusion that it would be challenging to eradicate Glupteba by taking down related servers as is customary. Because the hackers had created a blockchain-based backup system, Glupteba was able to come back to life and continue robbing people.
Additionally, Google can file lawsuits and has a powerful voice. Chun and other lawyers warned their superiors that the hackers could use the lawsuit to take advantage of Google’s investigation techniques and strengthen Glupteba’s resistance and evasion. DeLaine Prado, who has the last say in lawsuits, finally gave her approval. Chun claims that the complaint was well received by his former government colleagues.
After linking websites associated with the virus to Google accounts in the men’s names, Google filed a lawsuit against Dmitry Starovikov and Alexander Filippov, claiming that they were the Russia-based masterminds behind Glupteba. The search giant claimed that the two (as well as unidentified co-conspirators) had broken the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Racketeer Influenced and Corrupt Organisations Act (RICO).
A trademark law infringement was also claimed in the lawsuit due to Glupteba’s concealment within a program that promised to download YouTube videos. Google stated that it suffered significant harm because it never received payment for the advertisements sold to the hackers, who allegedly used fraudulent credit cards. Additionally, the experiences of users with Google services were subpar.
According to court documents, Starovikov and Filippov only found out about the lawsuit from friends, at which point they made the decision to have Igor Litvak, a lawyer in New York, represent them. At first, the defendants claimed that their projects had not been directed towards the United States market and provided innocent justifications for their Glupteba-related software. They allegedly demanded $1 million from Google at one point and $10 million from them at another in exchange for the keys to shut down the botnet.
In the end, they refuted the accusations made against them. After a protracted legal battle over the defendants’ ability to obtain Russian passports, appear in court in Europe, and surrender work files, Litvak and Google’s lawyers exchanged accusations of dishonesty. US District Judge Denise Cote took Google’s side in 2022.
In a 48-page decision, she concluded that to “avoid liability and further profit” from Glupteba, the defendants “intentionally withheld information” and “misrepresented their willingness and ability” to disclose it.
Cote stated, “This record is sufficient to find a wilful attempt to defraud the Court.”
Litvak was sanctioned by Cote and made a settlement agreement to pay Google $250,000 through 2027. Additionally, the jury mandated that Starovikov and Filippov pay Google’s legal fees of almost $526,000. According to Castaneda, Google has been paid by all three.
According to Litvak, the judge may not have trusted certain people because of Russia’s tense relations with the United States. Litvak still disagrees with the judge’s conclusions. As per Google’s Castaneda, the case had the desired outcome: the Russian hackers ceased their misuse of Google services and closed their marketplace for compromised logins, and the proportion of computers infected with Glupteba decreased by 78%.
Not every case has outcomes that can be measured. The accused in the other three Google hacking cases have not responded to the allegations. As a result, Google was awarded a default judgment against three people in Pakistan last year who were allegedly responsible for infecting over 672,000 computers through the use of malware that appeared to be Google Chrome downloads.
The remaining cases, one of which involves foreign app developers being sued for violating YouTube Community Guidelines after allegedly stealing money through fraudulent investment apps, are also anticipated to be settled without opposition.
According to Royal Hansen, Google’s vice president for privacy, safety, and security engineering, lawsuits that end in defendants making no payment or consenting to cease the alleged misuse can nevertheless complicate the lives of those who are accused of violating the law.
Google leverages court decisions to persuade companies, such as banks and cloud providers, to cease doing business with the defendants. As a result of being exposed, those involved may be reluctant to collaborate with other hackers. Additionally, defendants may become more cautious when entering different countries, especially when facing heightened scrutiny from local authorities.
More to come
In order to discuss possible lawsuits, Google’s small litigation advance team now meets with other departments twice a week. They consider whether a case might highlight a new danger or provide Google’s policies more teeth by creating a useful precedent.
Adopting an affirmative litigation strategy, Google’s sibling company Waymo recently filed a lawsuit against two individuals for allegedly smashing and slamming its self-driving taxis.
As for Microsoft, Steven Masada, assistant general counsel of the company’s Digital Crimes Unit, says the company is considering filing lawsuits against individuals who use generative AI technology with fraudulent or malevolent intent.