Five-year campaign affected PCs and Macs

The FBI has closed the net on an Estonian gang accused of being behind an extraordinary four-year multinational malware campaign said to have netted $14 million (8.8 million) in proceeds after infecting hundreds of thousands of PCs and Macs.

That both Mac and PC users were targeted by the gang is only the first unusual feature of a case that began as far back as 2006 with a piece of botnet-building malware called DNSChanger.

It’s not clear from the official reports which variant of this once-common malware the gang used, but the underlying technique was to redirect infected users via rogue DNS servers which, it has now been revealed, were based in US datacentres rather than the gang’s Baltic homeland.

The effect of this malware ranged from straight click fraud – sending user searches to sites chosen by the gang to generate advertising fees – to directing visits to big Internet brands such as iTunes to fraudulent sites. The malware was also used to spread fake antivirus products and just about any other malware that could add profit to the business model.

During the two-year ‘Operation Ghost Click’ investigation into the criminals behind the DNSChanger scam, the FBI estimated that as many as 500,000 computers could have been affected by malware in the US alone, “including computers belonging to individuals, businesses, and government agencies such as NASA.”

Globally, 4 million computers were affected, according to Trend Micro, which was able to offer extensive help to the FBI in its investigations, having tracked the gang’s activities over several years.

What really makes the affair stand out is the way the gang allegedly turned the DNSChanger bot into a fully fledged business, complete with a string of companies under the auspices of a parent, Rove Digital, an apparently legitimate Estonian IT outfit.

As Trend explains in a blog on the subject, Rove built resilience into its operations by spreading its infrastructure far beyond its homeland in a bid to make it harder to disrupt from a single point.

“They were organised and operating as a traditional business but profiting illegally as the result of the malware. There was a level of complexity here that we haven’t seen before,” said Janice Fedarcyk, FBI New York assistant director, announcing the arrests in Estonia, from where authorities will seek extradition of the accused.

Although Operation Ghost Click will be seen as another example of a malware gang getting its comeuppance, it is still relatively rare for organisations such as the FBI to reach beyond US borders in search of criminals targeting US citizens. The arrests that have taken place in the past have tended to involve a local element.

Despite falling out of fashion, DNSChanger malware has been used widely in a variety of scams unconnected with this case. An up-to-date antivirus product will spot such software fairly easily, but just in case, Trend is offering advice on how to examine a PC or Mac manually for signs of trouble.
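The manual check the article alludes to comes down to looking at which resolvers a machine has been told to use. The script below is an added illustration, not Trend’s or the FBI’s own tool: it parses resolv.conf-style text and flags any nameserver that falls outside an expected allowlist or inside a list of known-rogue ranges. The allowlist, the rogue range and the sample configuration are all constructed placeholders; real DNSChanger ranges are not on this page and would have to come from the published advisories.

```python
import ipaddress
import re

# Resolver ranges a machine on this network is expected to use (constructed
# placeholder values: substitute your own router, ISP or corporate resolvers).
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("9.9.9.9/32"),
]

# Known-rogue resolver ranges. Hypothetical placeholder using TEST-NET-3; the
# real DNSChanger ranges are not on this page and must be taken from the
# official advisories before this check is used for anything real.
KNOWN_ROGUE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text, skipping malformed entries."""
    found = []
    for match in NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # not a valid IP literal; ignore rather than crash
    return found


def classify_resolver(addr):
    """Rogue beats expected: a known-bad address is flagged even if it sits in an allowed range."""
    if any(addr in net for net in KNOWN_ROGUE_RANGES):
        return "rogue"
    if any(addr in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unexpected"


def audit_resolvers(resolv_conf_text):
    """Return {address: verdict} for every valid nameserver in the text."""
    return {str(a): classify_resolver(a) for a in parse_resolvers(resolv_conf_text)}


# Constructed sample of a tampered resolver configuration.
SAMPLE_RESOLV_CONF = "# sample\nnameserver 203.0.113.77\nnameserver 192.168.1.1\nnameserver not-an-ip\n"

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{addr:16} {verdict}")
```

On a live Linux or macOS host the text would come from /etc/resolv.conf (or the output of `scutil --dns` on a Mac); on Windows the equivalent is `ipconfig /all`, whose "DNS Servers" lines can be fed to the same classifier.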