by BY MAUREEN SHELLY November 11, 2011 The Daily Telegraph
IN A worldwide operation codenamed “Ghost Click” the US Federal Bureau of Investigation has closed an internet fraud ring that infected more than 4 million computers including “tens of thousands of Australian computers”‘ it can be revealed.
In a statement, the assistant director in charge of the New York station of the FBI Janice Fedarcyk said: “With the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise.
“Thanks to the collective effort across the US and in Estonia, six leaders of the criminal enterprise have been arrested and numerous servers operated by the criminal organization have been disabled.”
The fraud involved replacing legitimate domain name servers (DNS) with rogue DNS servers so that computer users would be taken to rogue sites when clicking on legitimate advertisements on trusted websites.
Clicking on the botnet’s ad would often download malware to the user’s computer, in addition to taking them to sites selling fake Louis Vuitton, replica watches and fraudulent anti-virus software.
Most computer users would have been unaware of the botnet or the network of infected computers under the control of the Estonian group.
Computer security firm Trend Micro referred the matter to law enforcement agencies in 2009 and it has taken until now to complete the complex investigation and shut down the fraud.
Trend Micro’s head of internet security intelligence, advanced threats research Paul Ferguson told thetelegraph.com.au that “most of victims wouldn’t know they were affected at all”.
“Mostly what they (the Rove criminal enterprise group) were doing was ad replacements.
“They had 14,000 or 15,000 domains that were doing ads and they substituted other ads that they were trying to monetise.”
Both personal computers using Windows operating systems and Apple platforms were infected, Mr Ferguson said.
The Australian Federal Police was unable to comment on the AFP’s involvement prior to publication. CERT Australia (Australia’s national computer emergency response team) declined to comment and thetelegraph.com.au understands that it is unusual for the agency to comment on operational matters.
Mr Ferguson said: “If you went to The Sydney Morning Herald site and they had an embedded ad for Toyota, then they (Estonian fraud ring) were monetising those ads.
“That was primary monetisation scheme.”
Mr Ferguson was using The Sydney Morning Herald as an example and not necessarily implying that the newspaper’s site was one of those infected.
“If you tried to go to iTunes it would send you a bogus iTunes website and it would download additional malware.”
Mr Ferguson said that the scam “changed quite a bit during the five years”.
The FBI held a press conference conference in New York on Thursday Sydney time to make the announcements of the arrests.
Computer users can check with the FBI if their computer has been infected with the botware via this link: