Law enforcement officials have arrested six individuals responsible for infecting more than 4 million computers in a sophisticated click-fraud scheme that hijacked victims' DNS settings.
The FBI and its international partners
have charged six individuals with conducting a sophisticated click-fraud scheme
that netted them millions of dollars, the federal agency said.
The cyber-ring infected about 4 million
computers in 100 countries with malware and pocketed at least $14 million by
manipulating online advertisements, the FBI said Nov. 9. Six Estonian nationals
were arrested in Estonia on Nov. 8. The seventh member of the gang, a Russian
national, remains at large, according to the FBI.
The United States is trying to
extradite the defendants to stand trial in New York, the FBI said. The U.S.
Attorney's office has charged the defendants with five counts of wire fraud and
computer intrusion crimes. One defendant has also been charged with 22 counts of
The indictment, which was unsealed in
New York on Nov. 8, "describes an intricate international conspiracy
conceived and carried out by sophisticated criminals," Janice Fedarcyk,
assistant director in charge of the FBI New York office, said in a statement.
In "Operation Ghost Click," the FBI spent two
years tracking down the gang, which was using DNSChanger, malware that silently
rewrote the DNS settings of infected computers so that name lookups went to
resolvers the gang controlled. That let the fraudsters steer Web users to sites
they controlled and substitute ads that generated revenue for them, a form of
click fraud sometimes loosely called clickjacking (although that term properly
describes a different attack, in which a user is tricked into clicking an
invisible overlay on a page).
Authorities have seized the defendants'
computers, frozen their bank accounts, and seized hard drives from more than 100 rogue
servers in data centers located in New York and Chicago that were suspected of
being part of the command and control infrastructure.
At least 500,000 computers that had
been infected were located in the United States, including systems belonging to
NASA and other government agencies, as well as education institutions,
nonprofit organizations, enterprises and home users.
The DNSChanger malware
targeted the Domain Name
System (DNS), the phone-book style directory that translates domain names
users know, such as Apple.com, into the numeric IP addresses of the servers
that host them. Thanks to DNS, users don't have to know the exact
numeric address of each server. DNSChanger, however, changed the DNS
settings on compromised machines to point to the gang's malicious DNS servers instead of
the resolver belonging to the local network or the Internet service provider, according to
When surfing the Web, users of infected machines were directed
by the malicious DNS servers to servers of the gang's choosing. For example, if a user were
trying to get to iTunes, the rogue resolver would send the user to a different
site that tried to sell Apple products. The defendants collected payments any
time a user clicked on an advertisement on these fake sites, which mimicked
Netflix, the Internal Revenue Service, ESPN, Amazon.com and others, the
In another form of the campaign, the
criminals hijacked search results and replaced advertisements on Websites, Paul
Ferguson, senior threat researcher at Trend Micro, told eWEEK.
Instead of loading ads from DoubleClick or other third-party
advertising networks on the page the user had landed on, the malicious DNS
servers served up ads from a network under their control, Ferguson said. As far
as the user was concerned, the page was legitimate; it was just the ads that
had been replaced, he said.
"They victimized legitimate Website
operators and advertisers who missed out on income through click hijacking and
ad replacement fraud," the FBI's Fedarcyk said.
There were several variations of the
malware, according to Ferguson. The gang's purpose was not to push more malware
or steal information, but to monetize clickthroughs by stealing "traffic
from legitimate advertisers," Ferguson said.
The FBI has replaced the rogue DNS
servers with legitimate servers, but victims' computers remain infected with the DNSChanger
malware and still point at the same resolver addresses. The FBI has put up a site where users can check the DNS settings
on their computers to
figure out if they have been infected. Removing the malware itself is not
difficult, but the challenge lies in identifying all the victims, he said,
calling the effort "ongoing remediation."
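The check the FBI's site performs amounts to reading the resolver addresses a machine is configured to use and comparing them against the address ranges the rogue DNSChanger servers lived in. The script below is an added example, not code from eWEEK, the FBI or Trend Micro: it extracts resolver addresses from either a Unix /etc/resolv.conf or the output of Windows "ipconfig /all" and flags any that fall in a rogue range. The ranges listed are the ones the FBI published for the DNSChanger servers; they do not appear in the article above, so verify them against the FBI advisory before relying on them. The two sample configurations embedded in the script are constructed for illustration.

```python
import ipaddress
import os
import re

# Resolver ranges the FBI published for the DNSChanger servers (not taken from
# the article above; verify against the FBI's DNSChanger advisory).
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_resolvers(text):
    """Return the configured DNS resolver IPs, in order and deduplicated.

    Understands 'nameserver X' lines (Unix resolv.conf) and the
    'DNS Servers . . . : X' line of 'ipconfig /all', including the extra
    indented lines Windows uses to list additional servers.
    """
    found = []
    in_dns_block = False  # inside the multi-line DNS Servers list of ipconfig
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            in_dns_block = False
            continue
        if line.startswith("nameserver"):
            m = IPV4.search(line)
            if m:
                found.append(m.group(1))
            continue
        if "DNS Servers" in line:
            in_dns_block = True
            m = IPV4.search(line.split(":", 1)[-1])  # first entry may be IPv6
            if m:
                found.append(m.group(1))
            continue
        if in_dns_block and IPV4.fullmatch(line):
            found.append(line)  # continuation line holding only an address
            continue
        in_dns_block = False
    seen, resolvers = set(), []
    for ip in found:
        if ip not in seen:
            seen.add(ip)
            resolvers.append(ip)
    return resolvers


def find_rogue_resolvers(text):
    """Return [(ip, matching_rogue_range)] for each resolver in a rogue range."""
    hits = []
    for ip in extract_resolvers(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        for net in ROGUE_RANGES:
            if addr in net:
                hits.append((ip, str(net)))
                break
    return hits


# Constructed sample inputs: an infected Unix host and an infected Windows host.
SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf from an infected machine
nameserver 85.255.112.36
nameserver 192.168.1.1
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 93.188.160.15
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, cfg in (("resolv.conf sample", SAMPLE_RESOLV_CONF),
                       ("ipconfig sample", SAMPLE_IPCONFIG)):
        print(label, "->", find_rogue_resolvers(cfg) or "clean")
    # Check the real local configuration where one exists.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as fh:
            print("/etc/resolv.conf ->", find_rogue_resolvers(fh.read()) or "clean")
```

A match means only that the machine is pointed at one of the former rogue servers, which the FBI now operates; it says nothing about whether the malware itself is still present, so a hit should trigger both a resolver reset and a malware scan. Resolver addresses pushed by a compromised home router would show up here as the router's DHCP-assigned DNS settings, so run the check on the router's configuration as well as on each host.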
The legitimate servers will log
connections and keep track of infected computers hitting the servers so that
the FBI can provide the information to ISPs, who will notify users and help
clean up the infection. Since DNS settings generally don't expire for 120 days,
the ISPs will be busy trying to clean up infected users over the next four
months, Ferguson said.