FBI Busts Massive Click-Fraud Cyber-Ring That Netted $14 Million

Law enforcement officials have arrested six individuals responsible for infecting over 4 million computers in a sophisticated click-fraud scheme built on hijacked DNS settings.

The FBI and its international partners have charged six individuals with conducting a sophisticated click-fraud scheme that netted them millions of dollars, the federal agency said.

The cyber-ring infected about 4 million computers in 100 countries with malware and pocketed at least $14 million by manipulating online advertisements, the FBI said Nov. 9. Six Estonian nationals were arrested in Estonia on Nov. 8. The seventh member of the gang, a Russian national, remains at large, according to the FBI.

The United States is seeking to extradite the defendants to stand trial in New York, the FBI said. The U.S. Attorney's office has charged the defendants with five counts of wire fraud and computer intrusion offenses. One defendant has also been charged with 22 counts of money laundering.

The indictment, which was unsealed in New York on Nov. 8, "describes an intricate international conspiracy conceived and carried out by sophisticated criminals," Janice Fedarcyk, assistant director in charge of the FBI New York office, said in a statement.

In "Operation Ghost Click," the FBI spent two years tracking down the gang behind DNSChanger, malware that hijacked victims' DNS settings so the gang could redirect Web traffic and manipulate online ads. The FBI calls the scheme "click hijacking": the rogue resolvers steer users to Websites the fraudsters control or to ads that generate revenue for them. (This is not clickjacking, the browser-level trick of overlaying invisible page elements to capture a click; DNSChanger worked at the name-resolution layer, before the browser ever loaded a page.)

Authorities have seized the defendants' computers, frozen bank accounts, and seized hard drives from more than 100 rogue servers in data centers in New York and Chicago that were suspected of being part of the command-and-control infrastructure.

At least 500,000 computers that had been infected were located in the United States, including systems belonging to NASA and other government agencies, as well as education institutions, nonprofit organizations, enterprises and home users.

The DNSChanger malware targeted the Domain Name System (DNS), a phone-book style directory that translates domain names the user knows, such as Apple.com, into the numeric IP addresses of the servers that actually host them. Thanks to DNS, users don't have to know the exact address of each server. DNSChanger changed the DNS settings on compromised machines so that they sent their lookups to resolvers run by the gang instead of the ones provided by the user's network or Internet service provider, according to the FBI. Every name the victim's computer looked up from then on was answered by the attackers.

When an infected user browsed the Web, the malicious DNS servers could answer a lookup with the address of a server the gang controlled rather than the real one. For example, a user trying to reach iTunes would land on a different server that tried to sell Apple products. The defendants collected payments any time a user clicked on an advertisement on these fake sites, which mimicked Netflix, the Internal Revenue Service, ESPN, Amazon.com and others, the indictment said.

In another form of the campaign, the criminals hijacked search results and replaced advertisements on Websites, Paul Ferguson, senior threat researcher at Trend Micro, told eWEEK. Instead of loading ads from DoubleClick or other third-party advertising networks on the page the user had landed on, the malicious DNS servers served up ads from a network under their control, Ferguson said. As far as the user was concerned, the page was legitimate; it was just the ads that had been replaced, he said.

"They victimized legitimate Website operators and advertisers who missed out on income through click hijacking and ad replacement fraud," the FBI's Fedarcyk said.

There were several variations of the malware, according to Ferguson. The gang's purpose was not to push more malware or steal information, but to monetize clickthroughs by stealing "traffic from legitimate advertisers," Ferguson said.

The FBI has replaced the rogue DNS servers with legitimate servers, but users' machines remain infected with the DNSChanger malware and still point at the seized addresses. The FBI has put up a site where users can check the DNS server addresses configured on their computers to find out whether they have been infected. Removing the malware itself is not difficult, but the challenge lies in identifying all the victims, Ferguson said, calling the effort "ongoing remediation."
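The check the FBI's site performs, comparing a machine's configured resolvers against the address ranges the rogue DNS servers occupied, is easy to script for a fleet. The example below is added here and is not code from the article, the FBI or Trend Micro. It assumes the six address ranges that the FBI published in its DNSChanger advisory; those ranges come from the advisory, not from this page, so verify them against the current FBI/DCWG list before relying on the script. The resolv.conf and ipconfig samples are constructed for the example.

```python
import ipaddress
import re

# Assumption: these are the rogue resolver ranges from the FBI's published
# DNSChanger checklist, not from this article. Verify before use.
ROGUE_RESOLVER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def _ranges_to_networks(ranges):
    """Turn first/last address pairs into CIDR networks for fast membership tests."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETWORKS = _ranges_to_networks(ROGUE_RESOLVER_RANGES)


def is_rogue_resolver(addr):
    """True if addr falls inside one of the rogue ranges. Raises ValueError on bad input."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from /etc/resolv.conf style text (Linux, macOS)."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def resolvers_from_ipconfig(text):
    """Extract DNS server addresses from `ipconfig /all` output (Windows).

    The first address sits on the 'DNS Servers' line; any further resolvers
    follow on indented lines that contain nothing but an address.
    """
    addrs = []
    in_dns_block = False
    for line in text.splitlines():
        head = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)", line)
        if head:
            addrs.append(head.group(1))
            in_dns_block = True
            continue
        cont = re.match(r"^\s+([0-9a-fA-F.:]+)\s*$", line) if in_dns_block else None
        if cont:
            addrs.append(cont.group(1))
        else:
            in_dns_block = False
    return addrs


def check_resolvers(addrs):
    """Classify each configured resolver as 'rogue', 'clean' or 'invalid'."""
    verdicts = {}
    for addr in addrs:
        try:
            verdicts[addr] = "rogue" if is_rogue_resolver(addr) else "clean"
        except ValueError:
            # A DHCP-pushed or hand-edited setting that is not an IP address at all.
            verdicts[addr] = "invalid"
    return verdicts


# Constructed samples, not captured from a real victim.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 85.255.112.36
nameserver 8.8.8.8
nameserver not-an-address
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       93.188.160.14
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, found in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                         ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        for addr, verdict in check_resolvers(found).items():
            print(f"{label:12} {addr:20} {verdict}")
```

Run it against the real files (`cat /etc/resolv.conf`, `ipconfig /all`) rather than the embedded samples to check a live host. A "rogue" verdict means the machine is still asking the seized servers for answers; a "clean" verdict does not prove the box is uninfected, since some DNSChanger variants changed the settings on the home router rather than the host, so the router's DHCP-advertised DNS servers should be checked the same way.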

The legitimate servers will log connections and keep track of infected computers hitting the servers so that the FBI can provide the information to ISPs, who will notify users and help clean up the infection. Since DNS settings generally don't expire for 120 days, the ISPs will be busy trying to clean up infected users over the next four months, Ferguson said.