Authorities in the United States and Estonia have broken up one of the largest Internet crime schemes that infected more than 4 million computers with malware, which redirected users to websites that generated at least $14 million in fraudulent advertising fees.
American law enforcement authorities are seeking the extradition from Estonia of six Estonians who were arrested Tuesday. A seventh suspect, a Russian, remains at large.
The arrests concluded a two-year international investigation authorities labeled Operation Ghost Click.
According to the U.S. Justice Department, the malware secretly altered the settings on infected computers in 100 countries, including 500,000 in the United States, enabling the defendants to digitally hijack Internet searches and re-route computers to certain websites and advertisements, which entitled the defendants to be paid. "These defendants gave new meaning to the term, 'false advertising,'" Preet Bharara, the United States Attorney for the Southern District of New York, said in a statement announcing the arrests.
Authorities said the defendants subsequently received fees each time these websites or ads were clicked on or viewed by users. The malware also prevented the installation of anti-virus software and operating system updates on infected computers, leaving those computers and their users unable to detect or stop the defendants' malware, and exposing them to attacks by other viruses.
An indictment, handed up on Tuesday, alleges that from 2008 until last month the defendants controlled and operated various companies that masqueraded as legitimate publisher networks in the Internet advertising industry. The defendants allegedly fraudulently increased the traffic to the websites and advertisements that would earn them money by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays when, in actuality, they had not.
(Story continues after graphic)
To carry out the scheme, the indictment says, the defendants used rogue domain name system servers, and that was designed to alter the DNS server settings on infected computers. Victims' computers became infected with the malware when they visited certain websites or downloaded certain software to view videos online. The malware altered the DNS server settings on victims' computers to route the infected computers to rogue DNS servers controlled and operated by the defendants. The re-routing took two forms: click hijacking and advertising replacement fraud.
Click hijacking occurs when a user of an infected computer clicks on a search result link but is route to a fraudulent website. For instance, when a user clicks on the domain name link for the Internal Revenue Service, she's instead taken to a website for tax preparer H&R Block.
Using malware known as DNS Changer and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants, authorities allege. One such case: when the user of an infected computer visited WSJ.com, a featured advertisement for the American Express Plum Card had been fraudulently replaced with an ad for Fashion Girl LA.
Authorities said the defendants' alleged scheme deprived legitimate website operators and advertisers of substantial monies and advertising revenue.
The Justice Department charged each defendant with five counts of wire and computer intrusion crimes; one defendant -- Vladimir Tsastsin, 31 - also was charged with 22 counts of money laundering. Authorities identified the other defendants as Timur Gerassimenko, 31, Dmitri Jegorov, 33, Valeri Aleksejev, 31, Konstantin Poltev, 28, and Anton Ivanov, 26. The Russian suspect is Andrey Taame, 31.
Each of the counts carries sentences of between five and 30 years in prison.