FBI, Operation Ghost Click

The FBI’s ‘Operation Ghost Click’ took down an international cybercrime ring. Credit: FBI

By Matt Liebowitz, SecurityNewsDaily Staff Writer 10th Nov 2011

The FBI has announced the dismantling of an Internet fraud ring that had infected more than 4 million computers in 100 countries with malware allowing their Web traffic to be redirected to other sites.

The FBI announced yesterday (Nov. 9) that a two-year investigation, Operation Ghost Click, had resulted in the arrest of six Estonians, all between the ages of 26 and 33, in their homeland. The U.S. Attorney’s Office will seek their extradition, the FBI said in its press release. One other suspect, a 31-year-old Russian, was still at large.

At least 500,000 Americans were among the computer users attacked with sophisticated malware that enabled the scammers to hijack and redirect Web traffic, a tactic called “DNS poisoning.”

By infecting computers with a piece of malware called DNSChanger, the cybercriminals generated $14 million in income from fraudulent ad revenue, according to U.S. officials.

“These defendants gave new meaning to the term ‘false advertising,’” Manhattan U.S. Attorney Preet Bharara said. “As alleged, they were international cyberbandits who hijacked millions of computers at will and rerouted them to Internet websites and advertisements of their own choosing — collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered.”

The mechanics of the scam were sophisticated and, like many cybercrime campaigns, long went unnoticed.

The indictment alleges that from 2007 until last month, the cybercrime gang operated a number of companies that “masqueraded as legitimate publisher networks in the Internet advertising industry.” Ad agencies agreed to pay the companies based on the number of clicks certain Web pages received, or by the number of times an ad was displayed on a website.

With those business agreements in place, the fraudsters launched DNSChanger, which routed Web traffic through phony Domain Name System (DNS) servers, according to the indictment. So when a Web surfer typed in “Google.com” or “iTunes.com” on one of the infected computers, he or she would be taken instead to a third-party site hosted on the scammers’ server, and all the ad revenue from his or her clicks — and the clicks on the 4 million other infected computers — would go straight to the scammers.

Some of the infected computers belonged to U.S. government agencies such as NASA and to educational institutions.

The indictment alleges that the criminal gang hijacked traffic meant for the Internal Revenue Service and sent it to the website for the tax-return firm H&R Block. Traffic to Netflix was redirected to an unrelated business called BudgetMatch. Ads were also manipulated; when infected systems visited the Wall Street Journal home page, the featured ad for the American Express Plum Card was replaced with an ad for Fashion Girl LA.

Similarly, a Dr. Pepper Ten advertisement on ESPN.com was changed to an ad for a time share business.

Furthermore, computers infected with DNSChanger were left vulnerable to whatever malware the criminals wanted to hit them with, and the malware prevented them from receiving anti-virus or operating system updates. (A similar DNS poisoning affecting “several major websites” is going on right now in Brazil, the security firm Kaspersky Lab noted.)

“The harm inflicted by the defendants was not merely a matter of reaping illegitimate income,” Janice Fedarcyk, FBI assistant director in charge, said.

To see if your computer is infected with DNSChanger, visit the FBI website here.
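The redirection described above works only because DNSChanger pointed the victim machine's resolver settings at DNS servers the gang controlled, so the basic infection check is to read the configured resolvers and compare them against a list of known-bad ranges. The following script is an added example written for this article; it is not the FBI's checker and not part of the original report. It parses resolver settings in both Unix `/etc/resolv.conf` and Windows `ipconfig /all` form and classifies each server. The suspect network list is a placeholder (documentation prefixes), because the real ranges published by the FBI are not on this page, and the set of expected resolvers is an assumed local policy; both sample inputs are constructed.

```python
import ipaddress
import re

# PLACEHOLDER: the real rogue-resolver ranges published by the FBI are not on
# this page, so these are RFC 5737 documentation prefixes standing in for them.
SUSPECT_DNS_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed local policy: the resolver(s) an administrator expects hosts to use.
EXPECTED_RESOLVERS = {"10.0.0.53"}

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_resolv_conf(text):
    """Return the nameserver IPs from Unix /etc/resolv.conf content, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server IPs from Windows `ipconfig /all` output.

    The first server sits on the 'DNS Servers . . . : x.x.x.x' line; any
    further servers follow on indented lines that contain only an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            collecting = True
            m = re.search(_IPV4, line.split(":", 1)[1])
            if m:
                servers.append(m.group(0))
            continue
        if collecting:
            m = re.fullmatch(r"\s*(" + _IPV4 + r")\s*", line)
            if m:
                servers.append(m.group(1))
            else:
                collecting = False             # next setting begins
    return servers


def classify_resolvers(servers):
    """Map each resolver IP to 'suspect', 'expected', 'unknown' or 'invalid'."""
    result = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            result[s] = "invalid"
            continue
        if any(ip in net for net in SUSPECT_DNS_NETWORKS):
            result[s] = "suspect"
        elif s in EXPECTED_RESOLVERS:
            result[s] = "expected"
        else:
            result[s] = "unknown"
    return result


def audit(text):
    """Detect the input format, parse it and classify every resolver found."""
    servers = parse_ipconfig(text) if "DNS Servers" in text else parse_resolv_conf(text)
    return classify_resolvers(servers)


# Constructed sample inputs (not captured from any real machine).
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 10.0.0.53
nameserver 192.0.2.10
"""

SAMPLE_IPCONFIG = """   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        for server, verdict in audit(sample).items():
            print(f"{name}: {server} -> {verdict}")
```

A resolver flagged `suspect` is the DNSChanger signature; an `unknown` resolver is not proof of infection but is worth explaining, since the malware also altered settings on home routers, so a clean PC can still be sent to a rogue server by the network it sits on.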