FBI nabs Estonians for massive net advertising fraud

Six Estonians and a Russian have been accused of hijacking millions of computers worldwide to carry out a massive advertising fraud.

Following a two-year operation called Ghost Click, the FBI says it’s established that the gang used DNSChanger malware to infect four million computers – half a million of those in the US, including machines belonging to NASA and other government agencies.

“Today, with the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise. Thanks to the collective effort across the US and in Estonia, six leaders of the criminal enterprise have been arrested and numerous servers operated by the criminal organization have been disabled,” says FBI assistant director in charge Janice K Fedarcyk.

“Additionally, thanks to a coordinated effort of trusted industry partners, a mitigation plan commenced today, beginning with the replacement of rogue DNS servers with clean DNS servers to keep millions online, while providing ISPs the opportunity to coordinate user remediation efforts.”

The gang used DNSChanger to redirect unsuspecting users to rogue servers that allowed them to manipulate users’ web activity.

When users clicked on the link for the official iTunes website, for example, they were instead taken to a completely different website  that purported to sell Apple software. The criminals are believed to have made at least $14 million from the scam.

“These defendants gave new meaning to the term, ‘false advertising’,” says attorney Preet Bharara.

“As alleged, they were international cyber bandits who hijacked millions of computers at will and re-routed them to internet websites and advertisements of their own choosing—collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered.”

The six Estonians were taken into custody yesterday by the Estonian authorities, and the US is now hoping to extradite them; the Russian remains at large. US authorities have seized computers and rogue DNS servers at various locations, and replaced the rogue DNS servers with legitimate servers to try and avoid disruption.

However, these replacement servers won’t remove the DNSChanger malware — or other viruses it may have facilitated — from infected computers; users who think they might be infected are being warned to seek professional help.