FBI Smashes $14 Million Click-Fraud Cyber-Gang

US and Estonian law enforcement officers have arrested six people for a sophisticated clickjacking scam

In the US, the Federal Bureau of Investigation (FBI) and its international partners have charged six individuals with conducting a sophisticated click-fraud scheme that netted them millions of dollars, the federal agency said.

The cyber-ring infected about four million computers in 100 countries with malware and pocketed at least $14 million (£9m) by manipulating online advertisements, the FBI said. Six people were arrested in Estonia on 8 November. The seventh member of the gang, a Russian national, remains at large, according to the FBI.

The United States is trying to extradite the criminals to stand trial in New York, the FBI said. The US Attorney’s office has charged the defendants with five counts of wire and computer intrusion crimes. One defendant has also been charged with 22 counts of money laundering.

Intricate conspiracy

The indictment, which was unsealed in New York on 8 November, “describes an intricate international conspiracy conceived and carried out by sophisticated criminals”, Janice Fedarcyk, assistant director in charge of the FBI New York office, said in a statement.

In “Operation Ghost Click”, the FBI spent two years tracking down the gang, which used DNSChanger, malware that manipulated online ads through clickjacking: a technique that lets fraudsters trick Web users into visiting Websites they control, or into clicking on ads that generate revenue for the perpetrators of the fraud.

Authorities have seized the defendants’ computers, frozen bank accounts, and seized hard drives from more than 100 rogue servers in data centres located in New York and Chicago that were suspected of being part of the command-and-control infrastructure.

At least 500,000 of the infected computers were located in the United States, including systems belonging to NASA and other government agencies, education institutions, non-profit organisations, enterprises, and home users.

The DNSChanger malware targeted the Domain Name System (DNS), a phone-book style directory system which translates the domain names users know, such as Apple.com, into the actual IP addresses of the servers behind them. Thanks to DNS, users do not have to know the exact numeric address of each server. DNSChanger, however, changed the DNS settings on compromised machines to point to malicious DNS servers instead of the ones belonging to the local network or the Internet service provider, according to the FBI.

User redirection

When surfing the Web, the malicious DNS servers would direct users to different servers. For example, if the user was trying to get to iTunes, the rogue server would send users to a different server and try to sell Apple products. The defendants collected payments any time a user clicked on an advertisement on these fake sites, which mimicked Netflix, the Internal Revenue Service, ESPN, Amazon, and others, the indictment said.

In another form of the campaign, the criminals hijacked search results and replaced advertisements on Websites, Paul Ferguson, senior threat researcher at Trend Micro, told eWEEK. Instead of loading ads from Doubleclick or other third-party advertising networks on the page the user had landed on, the malicious DNS servers served up ads from a network under their control, Ferguson said. As far as the user was concerned, the page was legitimate; it was just the ads that had been replaced, he said.

“They victimised legitimate website operators and advertisers who missed out on income through click hijacking and ad replacement fraud,” FBI’s Fedarcyk said.

There were several variations of the malware, according to Ferguson. The gang’s purpose was not to try to push more malware or steal information, but to monetise clickthroughs by stealing “traffic from legitimate advertisers”, he said.

The FBI has replaced the rogue DNS servers with legitimate servers, but users remain infected with the DNSChanger malware. The FBI has put up a site where users can check the DNS settings on their computers to find out whether they have been infected. Removing the malware itself is not difficult, but the challenge lies in identifying all the victims, Ferguson said, calling the effort “ongoing remediation”.

The legitimate servers will log connections and keep track of infected computers hitting the servers so that the FBI can provide the information to ISPs who will notify users and help clean up the infection. Since DNS settings generally do not expire for 120 days, the ISPs will be busy trying to clean up infected users over the next four months, Ferguson said.
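The two defender-side tasks the last paragraphs describe, checking a machine's configured resolvers against the ones it should be using, and turning the replacement resolvers' connection logs into a per-victim list for ISP notification, are illustrated below in Python. This is an added example, not code from the article, the FBI or Trend Micro: the trusted networks, log format, addresses and log lines are all constructed for the example and are not the real Ghost Click indicators; the `/24` bucketing in `group_by_network` is an assumption standing in for real WHOIS/RIR attribution.

```python
"""Added example (not from the article): two defender-side checks that follow
from the DNSChanger write-up.

1. audit_resolvers(): parse resolv.conf-style text and flag any configured
   nameserver that is not inside a trusted network, the kind of check the
   FBI's self-test site let users perform.
2. summarise_sinkhole_log(): aggregate constructed query-log lines from a
   replacement ("sinkhole") resolver into a per-client report that could be
   handed to ISPs for victim notification.

All addresses, networks and log lines are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed allowlist: networks the organisation or ISP actually runs
# resolvers in. A real deployment takes this from the ISP or network team.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),   # documentation range, stands in for the ISP
    ipaddress.ip_network("10.0.0.0/8"),     # internal corporate resolvers
    ipaddress.ip_network("127.0.0.0/8"),    # local stub resolver
]


def audit_resolvers(resolv_conf_text, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Return (trusted, untrusted) lists of nameserver addresses found in
    resolv.conf-style text. Anything outside trusted_nets is suspicious:
    a silently changed resolver is exactly the DNSChanger symptom."""
    trusted, untrusted = [], []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            untrusted.append(m.group(1))            # malformed entry: treat as bad
            continue
        if any(addr in net for net in trusted_nets):
            trusted.append(str(addr))
        else:
            untrusted.append(str(addr))
    return trusted, untrusted


# Constructed sinkhole log format: "<ts> client=<ip> qname=<name> qtype=<type>"
SINKHOLE_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


def summarise_sinkhole_log(log_lines, min_queries=1):
    """Aggregate query-log lines from the replacement resolver into
    {client_ip: query_count} for clients with at least min_queries hits.
    Every client here is a machine still pointed at the seized resolver
    addresses, i.e. still infected. Unparseable lines are skipped."""
    counts = Counter()
    for line in log_lines:
        m = SINKHOLE_LINE.match(line.strip())
        if not m:
            continue
        try:
            client = ipaddress.ip_address(m.group("client"))
        except ValueError:
            continue
        counts[str(client)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_queries}


def group_by_network(report, prefix_len=24):
    """Bucket the per-client report by /prefix_len so each bucket can be
    routed to the operator of that range (assumption: real attribution
    would use WHOIS/RIR data rather than a fixed prefix length)."""
    buckets = {}
    for ip, n in report.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        buckets[str(net)] = buckets.get(str(net), 0) + n
    return buckets


# Constructed sample inputs
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP: constructed example
nameserver 192.0.2.53
nameserver 198.51.100.7     # not one of ours
search example.test
"""

SAMPLE_SINKHOLE_LOG = [
    "2011-11-09T10:00:01Z client=203.0.113.5 qname=www.example.test qtype=A",
    "2011-11-09T10:00:02Z client=203.0.113.5 qname=itunes.example.test qtype=A",
    "2011-11-09T10:00:03Z client=203.0.113.77 qname=www.example.test qtype=AAAA",
    "garbage line that should be ignored",
    "2011-11-09T10:00:04Z client=198.51.100.9 qname=ad.example.test qtype=A",
]

if __name__ == "__main__":
    ok, bad = audit_resolvers(SAMPLE_RESOLV_CONF)
    print("trusted resolvers:", ok)
    print("UNEXPECTED resolvers:", bad)
    report = summarise_sinkhole_log(SAMPLE_SINKHOLE_LOG)
    print("clients still hitting the sinkhole:", report)
    print("by /24:", group_by_network(report))
```

On the constructed input, `audit_resolvers` flags `198.51.100.7` as an unexpected resolver while accepting the ISP-range one, and the log summary shows two clients in `203.0.113.0/24` and one in `198.51.100.0/24` still querying the replacement servers. The allowlist approach matters because the malware's resolvers were ordinary public addresses; only a comparison against what the machine should have been handed by DHCP or the ISP reveals the change.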