
FBI disrupts search hijack gang after $14 million fraud

Five-year campaign affected PCs and Macs

The FBI has closed the net on an Estonian gang accused of being behind an extraordinary four-year multinational malware campaign said to have netted $14 million (£8.8 million) in proceeds after infecting hundreds of thousands of PCs and Macs.

That both Mac and PC users were targeted by the gang is only the first unusual feature of a case that began as far back as 2006 with a piece of botnet-building malware called DNSChanger.

It's not clear from the official reports which variant of this once-common malware the gang used, but the underlying technique was to redirect infected users via rogue DNS servers which, it has now been revealed, were based in US datacentres rather than the gang's Baltic homeland.

The effect of this malware ranged from straight click fraud - sending user searches to sites chosen by the gang to generate advertising fees - to directing visits to big Internet brands such as iTunes to fraudulent sites. The malware was also used to spread fake antivirus products and just about any other malware that could add profit to the business model.

During the two-year 'Operation Ghost Click' investigation into the criminals behind the DNSChanger scam, the FBI estimated that as many as 500,000 computers could have been affected by malware in the US alone, "including computers belonging to individuals, businesses, and government agencies such as NASA."

Globally, 4 million computers were affected, according to Trend Micro, which was able to offer extensive help to the FBI in its investigations having tracked the gang's activities over several years.

What really makes the affair stand out is the way the gang allegedly turned the DNSChanger bot into a full-fledged business, complete with a string of companies under the auspices of a parent, Rove Digital, an apparently legitimate Estonian IT outfit.

As Trend explains in a blog on the subject, Rove built resilience into its operations by spreading its infrastructure far beyond its homeland in a bid to make it harder to disrupt from a single point.

"They were organised and operating as a traditional business but profiting illegally as the result of the malware. There was a level of complexity here that we haven't seen before," said Janice Fedarcyk, FBI New York assistant director, announcing the arrests in Estonia, from where authorities will seek extradition of the accused.

Although Operation Ghost Click will be seen as another example of a malware gang getting its comeuppance, it is still relatively rare for organisations such as the FBI to reach beyond US borders in search of criminals targeting US citizens. The arrests that have taken place in the past have tended to involve a local element.

Despite falling out of fashion, DNSChanger malware has been used widely in a variety of scams unconnected with this case. An up-to-date antivirus product will spot such software fairly easily, but just in case Trend is offering advice on how to examine a PC or Mac manually for signs of trouble.
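One way to perform the kind of manual resolver check the article refers to, as an added example that is not Trend Micro's or the FBI's own guidance: it parses the host's DNS resolver configuration (resolv.conf on Linux/macOS, `ipconfig /all` on Windows) and flags any resolver that falls inside address ranges you supply. The ranges and sample outputs below are constructed placeholders, not the real DNSChanger indicators; substitute the published ranges from your own sources.

```python
"""Flag configured DNS resolvers that sit inside known-rogue address ranges."""
import ipaddress
import re
import subprocess
import sys

# Constructed placeholder ranges (assumption; not the actual DNSChanger ranges).
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample outputs, one per platform style, for offline use.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.0.2.53\nnameserver 8.8.8.8\n"
SAMPLE_IPCONFIG = """   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled"""


def parse_resolvers(text: str) -> list:
    """Extract IPv4 resolver addresses from resolv.conf or `ipconfig /all` text."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", ";")):
            continue
        if s.startswith("nameserver"):          # resolv.conf style
            found.extend(IPV4.findall(s))
            in_dns_block = False
        elif "DNS Servers" in s:                 # ipconfig style, first server on the label line
            found.extend(IPV4.findall(s))
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(s):  # ipconfig continuation lines hold a bare address
            found.append(s)
        else:
            in_dns_block = False                 # any other field ends the DNS Servers block
    return found


def flag_rogue(resolvers: list, rogue_ranges=ROGUE_RANGES) -> list:
    """Return the resolvers that fall inside any of the rogue ranges."""
    return [r for r in resolvers
            if any(ipaddress.ip_address(r) in net for net in rogue_ranges)]


def read_system_resolvers() -> list:
    """Best-effort read of this host's live resolver configuration."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        with open("/etc/resolv.conf") as fh:  # on macOS, `scutil --dns` is more complete
            out = fh.read()
    return parse_resolvers(out)


if __name__ == "__main__":
    hits = flag_rogue(read_system_resolvers())
    print("rogue resolvers:", hits if hits else "none found")
```

A resolver outside the supplied ranges is not proof of a clean host; it only rules out the specific rogue servers you listed.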
