Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.
Those arrested by the Estonian Police and Border Guard Board were:
Vladimir Tsastsin, age 31
Andrey Taame, age 31, Russian, is still at large
We were especially pleased by the sidebar entitled "Success Through Partnerships".
A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.
Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).
The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business:
Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants.
Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.
What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 18.104.22.168. For most users, this happens by asking the Name Server at your Internet Service Provider.
Pay Per Click Fraud
If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!
In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link that they are returned shows the destination "www.apple.com/itunes/" which the real Apple website where someone can download the iTunes software.
(source: Tsastsin Indictment)
When an infected computer clicks the link, the user's computer would go to the criminal's nameserver who would send them to the wrong computer. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com" which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake websites.
In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminal's nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!
The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.
In an example for the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminal's nameserver redirected the request to an advertisement for a timeshare instead!
More than 4 million computers in 100 countries, including 500,000 computers in the United States were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 Million Dollars!
In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus, it would simply give an error saying the server was unavailable.
All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion
In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.
So, Are you infected?
The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.
22.214.171.124 through 126.96.36.199
188.8.131.52 through 184.108.40.206
220.127.116.11 through 18.104.22.168
22.214.171.124 through 126.96.36.199
188.8.131.52 through 184.108.40.206
220.127.116.11 through 18.104.22.168
The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.
If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
The criminals used many different data centers, some of which were featured more prominently in the case than others.
Pilosoft, in New York City known as "The Manhattan Data Center" in the court documents.
ColoSecure, in Chicago, Illinois
ThePlanet, in Houston, Texas
Multacom Corporation, in Canyon County, California
Layered Technologies, in Plano, Texas
Network Operation Center, in Scranton, Pennsylvania
Wholesale Internet, in Kansas City, Missouri
SingleHop, in Chicago, Illinois
PremiaNet, in Las Vegas, Nevada
Interserver, in Secaucus, New Jersey
ISPrime, in Weehawken, New Jersey
Global Net Access, in Atlanta, Georgia
The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to use some other nameserver, your computer just stops being able to look up names! If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!
To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.
The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.
The Protective Order was approved by the Honorable William H. Pauly III on November 3rd in the Southern District of New York.
The Criminal Companies
The Estonian criminals controlled a number of corporations to enable this activity.
Rove Digital, in Estonia, was a software development company that created and managed the malware.
Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.
SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.
Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.
Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemese.
Other Things You Must Read
TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.
TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really lead the way on this case!
Brian Krebs authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"
SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital
Newsweek calls Rove Digital one of the "Top Ten Spammers" -(December 2009).