November 10, 2011, 11:43 AM — The details laid out by the U.S. Department of Justice of a malware-based advertising fraud scheme are breathtaking.
Seven people -- six Estonians and one Russian -- ran a four-year operation that netted $14 million in ad revenue by installing malware that redirected Internet searches to bogus sites on more than 4 million computers worldwide, including devices owned by U.S. government agencies such as the National Aeronautics and Space Administration, which had 130 infected devices.
More than 500,000 individuals, businesses and government agencies in the U.S. were victimized by the scheme, which began as far back as 2007 and was first uncovered when malware was detected on dozens of NASA computers, the U.S. Department of Justice said in a 27-count indictment unsealed Wednesday in a federal court in New York.
According to prosecuting U.S. Attorney Preet Bharara, the rogue operation was unprecedented in its ambition.
“We believe this criminal case is the first of its kind and arises from a cyber infrastructure of the first order,” Bharara said in a press conference on Wednesday. “The defendants were cyber-bandits who hijacked those computers at will, controlling and masquerading as legitimate Internet websites.”
How'd they do it? Here's what the DoJ says (bold is mine):
As alleged in the Indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites. Thus, the more traffic to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. As alleged in the Indictment, the defendants fraudulently increased the traffic to the websites and advertisements that would earn them money. They accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.
To carry out the scheme, the defendants and their co-conspirators used what are known as “rogue” Domain Name System (“DNS”) servers, and malware (“the Malware”) that was designed to alter the DNS server settings on infected computers.
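One way a defender checks for the kind of tampering described above is to audit a host's configured resolvers. This is an added example, not code from the article or the DoJ; the rogue netblocks, the expected corporate resolvers and the sample resolv.conf are all constructed placeholders, not real indicators.

```python
import ipaddress

# Constructed placeholder ranges standing in for rogue-resolver netblocks;
# they are documentation addresses (RFC 5737), NOT real indicators.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Resolvers a hypothetical organisation expects its hosts to use (assumed values).
EXPECTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}


def parse_resolv_conf(text: str) -> list:
    """Return nameserver addresses from resolv.conf-style text, skipping comments and junk."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry: ignore rather than abort the audit
    return servers


def classify_resolver(addr) -> str:
    """Label a resolver as rogue (in a blocklisted range), expected, or unexpected."""
    if any(addr in net for net in ROGUE_RESOLVER_NETS):
        return "rogue"
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"  # not known-bad, but not what policy says either: worth a look


def audit_resolvers(text: str) -> dict:
    """Map each configured nameserver (as a string) to its classification."""
    return {str(a): classify_resolver(a) for a in parse_resolv_conf(text)}


# Constructed sample of a host whose first resolver has been swapped out.
SAMPLE_RESOLV_CONF = """\
# generated by a hypothetical DHCP client
nameserver 203.0.113.7
nameserver 10.0.0.53
nameserver 192.0.2.9
"""

if __name__ == "__main__":
    for server, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server}: {verdict}")
```

On a real fleet the same classification would be fed from the resolver settings collected by an endpoint agent, and any "rogue" verdict treated as an infection signal rather than a configuration error.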