FBI Pinches $14M Click Fraud Clique

Seven members of a massive alleged Internet fraud ring have been charged by the U.S. Attorney for the Southern District of New York.

The ring infected more than 4 million computers worldwide with malware and rerouted online searches fraudulently to websites and ads, which then paid the ring’s members for those hits, according to authorities.

About 500,000 of those computers were in the U.S. They included systems in the National Aeronautics and Space Administration, other U.S. government agencies, and private businesses.

The charges were laid after a two-year investigation by the FBI nicknamed “Operation Ghost Click.”

However, the battle against the fraudsters has just begun. Only six of the seven are in custody, in Estonia, and the U.S. aims to extradite them.

Carly Sullivan, a spokesperson for the U. S. Attorney for the Southern District of New York, declined to provide further comment.

Sure, We’ll Get You the Clicks …

The indictment charges that the defendants controlled and operated various fraudulent online ad publisher networks between 2007 to October 2011.

These networks struck deals with online ad brokers in which the networks would be paid for the number of times users clicked on the links for certain websites or ads, or for how many times certain ads were displayed on certain websites.

The defendants illicitly directed traffic to the websites and ads for which their publisher networks had agreements with online ad brokers, according to the allegations.

DNS Tweaks

The defendants and their coconspirators used rogue domain name system (DNS) servers and malware that would alter DNS server settings on infected computers, the charges state.

The malware, known as “DNS Changer,” was downloaded when people visited infected websites or downloaded codecs to view videos online. It changed the DNS settings on victims’ computers to reroute those computers to rogue DNS servers controlled and operated by the alleged cyberfraud ring.

Two methods of rerouting were used. One was click hijacking, better known as “clickjacking,” and the other was replacement of ads on a website with ads the defendants would get paid for.

Clickjacking occurs when an attacker tricks a user into clicking on a hidden button or link on a page instead of the legit button or link on that page itself.

For example, when the user of an infected computer clicked on a domain name link for the official site of the Internal Revenue Service, the user was rerouted instead to the website for tax preparers H&R Block, the charges allege.

Substituting Ads

Using the DNS Changer malware and their rogue DNS servers, the alleged cyberfraud artists replaced legit ads on websites with ads that would trigger payments to them, the charges state.

For example, an ad for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business on the Amazon.com website, according to the charges.

Other Malware Monkeyshines

The malware also prevented infected computers from receiving antivirus software updates or operating system updates that might have detected and stopped it, the charges alleged.

Further, infected computers were left vulnerable to infections by other viruses.

The defendants and their coconspirators earned at least US$14 million through their cyberfraud activities, according to the charges.

They allegedly laundered the money through various companies, including Rove Digital, an Estonian corporation.

Each defendant has been charged with five counts of wire and computer intrusion crimes, and one of them, Vladimir Tsastsin, has been hit with an additional 22 counts of money laundering.

Their financial accounts have been frozen and their network of U.S.-based computers has been disabled.

The defendants face five to 30 years in prison on each of the five counts they face, and Tsastsin faces an additional 10 years in prison on each of the counts of money laundering he’s charged with.

Where the (Bad) Boys Are

Six of the seven defendants are Estonian and are now in the custody of the Estonian police.

The U.S. will seek to extradite them.

The seventh, Russian national Andrey Taame, was not rounded up, and FBI spokesperson Peter Donald told the E-Commerce Times that he’s still at large.