Behind the 'massive' malware ad-revenue fraud case

U.S. Department of Justice lays out global fraud scheme of staggering proportions

The details laid out by the U.S. Department of Justice of a malware-based advertising fraud scheme are breathtaking.

Seven people -- six Estonians and one Russian -- ran a four-year operation that netted $14 million in ad revenue by installing malware that redirected Internet searches to bogus sites on more than 4 million computers worldwide, including devices owned by U.S. government agencies such as the National Aeronautics and Space Administration, which had 130 infected devices.

More than 500,000 individuals, businesses and government agencies in the U.S. were victimized by the scheme, which began as far back as 2007 and was first uncovered when malware was detected on dozens of NASA computers, the U.S. Department of Justice said in a 27-count indictment unsealed Wednesday in a federal court in New York.

According to prosecuting U.S. Attorney Preet Bharara, the rogue operation was unprecedented in its ambition.

“We believe this criminal case is the first of its kind and arises from a cyber infrastructure of the first order,” Bharara said in a press conference on Wednesday. “The defendants were cyber-bandits who hijacked those computers at will, controlling and masquerading as legitimate Internet websites.”

How'd they do it? Here's what the DoJ says (bold is mine):

As alleged in the Indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites. Thus, the more traffic to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. As alleged in the Indictment, the defendants fraudulently increased the traffic to the websites and advertisements that would earn them money. They accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.

To carry out the scheme, the defendants and their co-conspirators used what are known as “rogue” Domain Name System (“DNS”) servers, and malware (“the Malware”) that was designed to alter the DNS server settings on infected computers. Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators. The re-routing took two forms that are described in detail below: “click hijacking” and “advertising replacement fraud.” The Malware also prevented the infected computers from receiving anti-virus software updates or operating system updates that otherwise might have detected the Malware and stopped it. In addition, the infected computers were also left vulnerable to infections by other viruses.

Click Hijacking

When the user of an infected computer clicked on a search result link displayed through a search engine query, the Malware caused the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. Each “click” triggered payment to the defendants under their advertising agreements. This click hijacking occurred for clicks on unpaid links that appear in response to a user’s query as well as clicks on “sponsored” links or advertisements that appear in response to a user’s query—often at the top of, or to the right of, the search results—thus causing the search engines to lose money. Several examples of click hijacking illustrated in the Indictment include:

* When the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.

* When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called “BudgetMatch.”

* When the user of an infected computer clicked on the domain name link for the official government website of the Internal Revenue Service, the user was instead taken to the website for H&R Block, a major tax preparation business.

Advertising Replacement Fraud

Using the DNS Changer Malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants. Several examples of the advertising replacement fraud illustrated in the Indictment include:

* When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”

* When the user of an infected computer visited the Amazon.com website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.

* When the user of an infected computer visited the ESPN website, a prominent advertisement for “Dr. Pepper Ten” had been fraudulently replaced with an ad for a timeshare business.

The defendants earned millions of dollars under their advertising agreements, not by legitimately displaying advertisements through their Publisher Networks, but rather by using the Malware to fraudulently drive Internet traffic to the websites and ads that would earn them more money. As a result, the defendants and their co-conspirators earned at least $14 million in ill-gotten gains through click hijacking and advertisement replacement fraud. The Indictment further alleges that the defendants laundered the proceeds of the scheme through numerous companies including, among others, Rove Digital, an Estonian corporation, and others listed in the Indictment.

That's quite a cybercriminal operation, assuming the facts in the indictment are correct.
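The mechanism the indictment describes is a change to the victim's DNS server settings, so the most direct check a defender can run is to compare the resolvers a host is actually configured to use against the resolvers the organisation operates. The script below is an added example written for this article, not code from the indictment or from any investigating agency. The resolv.conf and `ipconfig /all` fragments, the trusted resolver ranges and every IP address in it are constructed sample values chosen from documentation address space, not addresses from the case.

```python
"""Audit a host's configured DNS resolvers against an allowlist.

Rogue-resolver malware of the kind described in the indictment works by
rewriting the local DNS server settings.  A host whose resolvers point
outside the organisation's own resolver ranges is therefore a cheap,
high-signal indicator worth alerting on.  Sample inputs and ranges below
are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample of a Unix /etc/resolv.conf (not captured from a real host).
SAMPLE_RESOLV_CONF = """\
# Generated by the local DHCP client
search corp.example
nameserver 10.0.0.53     ; corporate resolver
nameserver 203.0.113.9   ; unexpected external resolver
"""

# Constructed sample of the DNS Servers block printed by Windows `ipconfig /all`.
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       198.51.100.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Resolvers the organisation actually runs (assumed values for the example).
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("2001:db8:53::/64"),
]


def _to_ip(token):
    """Parse one token as an IP address; drop an IPv6 zone suffix (fe80::1%12)."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0]  # strip trailing comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            ip = _to_ip(fields[1])
            if ip is not None:
                servers.append(ip)
    return servers


def parse_ipconfig_dns(text):
    """Return the addresses listed under 'DNS Servers' in `ipconfig /all` output.

    The first server sits after the ':' on the label line; further servers
    appear on continuation lines that hold a single indented token.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            value = line.split(":", 1)[1].strip()
        elif collecting and re.fullmatch(r"\s+\S+", line):
            value = line.strip()
        else:
            collecting = False  # another label line or blank line ends the block
            continue
        ip = _to_ip(value)
        if ip is not None:
            servers.append(ip)
    return servers


def audit_resolvers(resolvers, trusted=TRUSTED_RESOLVERS):
    """Split resolvers into those inside a trusted range and those outside it."""
    report = {"trusted": [], "untrusted": []}
    for ip in resolvers:
        key = "trusted" if any(ip in net for net in trusted) else "untrusted"
        report[key].append(str(ip))
    return report


if __name__ == "__main__":
    for label, servers in (
        ("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig", parse_ipconfig_dns(SAMPLE_IPCONFIG)),
    ):
        result = audit_resolvers(servers)
        status = "ALERT" if result["untrusted"] else "ok"
        print(f"{label}: {status} untrusted={result['untrusted']}")
```

Fed real output from a fleet's hosts, the same audit turns a silent configuration change into an alert; on the sample data above each source reports one resolver outside the trusted ranges.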

In addition to the people, businesses and agencies whose computers were hijacked, legitimate websites and advertisers also were victims of the conspiracy, the DoJ said. The advertisers "lost money by paying for clicks that they believed came from interested computer users, but which were in fact fraudulently engineered by the defendants," the indictment said.

The DoJ also points out that advertisers faced "reputational harm" for being associated, even unknowingly, with the scam. Which is why I'm sure "Fashion Girl LA" executives are thrilled to see their company's name in the indictment that is being quoted all over the Internet.

The six Estonians are in custody in Estonia, while the Russian suspect is at large. They each face charges of wire fraud conspiracy (30 years' maximum sentence), wire fraud (30 years), computer intrusion conspiracy (10 years), computer intrusion transmitting information (10 years) and computer intrusion furthering fraud (5 years). In addition, alleged ringleader Vladimir Tsastsin also faces charges of money laundering (30 years) and engaging in monetary transactions of value over $10,000 involving fraud proceeds (10 years per count).

All this is yet another reminder that much of what you see on the Internet isn't real. So be careful out there.
