Heist almighty! Cyber gang stole US$14m in click jack scam

10 Nov 2011

Cyber criminals in Estonia have been arrested for a massive cyber fraud that netted them US$14m. Six criminals have been caught while a seventh gang member is on the run.

In what has been labelled the biggest cyber criminal take-down in history, police discovered that the fraudsters had infected over 4m computers. NASA discovered the malicious software on 130 of its computers.

The fraud scheme – which took in governments, schools and corporate – rerouted traffic to websites where the gang would get a cut of the advertising revenue.

In what is known as click jacking, the gang would redirect innocent computer users away from the sites they wanted to visit such as Amazon.com or Google.

In an operation dubbed “Operation Ghost Click” by the FBI, two data centres in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline.

At the same time the Estonian police arrested several members in Tartu, Estonia.

According to Trend Micro the botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most internet users automatically use the DNS servers of their Internet Service Provider.

DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.

A variety of methods of monetising the DNS Changer botnet is being used by criminals, including replacing advertisements on websites that are loaded by victims, hijacking of search results and pushing additional malware.

How the Estonian click jacking scam worked

Beginning in 2007, the cyber ring used DNSChanger to infect approximately 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses, and government agencies such as NASA.

The thieves were able to manipulate internet advertising to generate at least US$14m in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

“They were organised and operating as a traditional business but profiting illegally as the result of the malware,” said one of the FBI’scyber agents who worked the case.

“There was a level of complexity here that we haven’t seen before.”

The FBI’s New York assistant director Janice Fedarcyk said: “Today, with the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise.

“Thanks to the collective effort across the US and in Estonia, six leaders of the criminal enterprise have been arrested and numerous servers operated by the criminal organization have been disabled.

“Additionally, thanks to a coordinated effort of trusted industry partners, a mitigation plan commenced today, beginning with the replacement of rogue DNS servers with clean DNS servers to keep millions online, while providing ISPs the opportunity to coordinate user remediation efforts,” Fedarcyk said.