A band of Estonian and Russia cybercriminals infected at least 4 million computers worldwide with a virus and used a complex ad click-fraud scheme to pocket $14 million, federal authorities alleged Wednesday.
The scheme operated from 2007 to October of this year, according to an indictment filed in the Southern District of New York and unsealed on Wednesday. The operation was shut down in October.
Consumers caught up in the scheme -- including at least 500,000 victims in the U.S. -- were unaware that their everyday Web browsing contributed to the scheme. When infected users visited popular Web sites like Apple's iTunes, Netflix, ESPN.com or WSJ.com, advertisements in the sites were replaced by ads controlled by the hackers, earning them illicit gains through advertising affiliate arrangements. The scam is sometimes called "advertising replacement fraud."
The same virus also altered search engine results so consumers who clicked on some links were rerouted to websites designated by the defendants, which triggered payments under advertising contracts.
In one example cited in the indictment, a user who clicked on a link for the Internal Revenue Service after searching for "IRS" at Yahoo.com was instead redirected to an H&R Block tax preparation website.
The malicious software also prevented victims from connecting with their antivirus software providers and updating their software, so the virus would evade detection.
Six suspects were arrested in Estonia on Tuesday, said Assistant U.S. Attorney Preet Bhahara. One suspect is still at large. The suspects face 27 charges, including wire fraud and computer intrusion. Government computers, including at least 100 computers at NASA, were infected in the scheme, the indictment alleges.
When consumers type in typical Web addresses, such as www.msnbc.com, that address is converted to a numerical Internet Protocol address utilizing a trusted Domain Name Server on the Internet. But files located on each local computer can tell a victim's machine to get their DNS information from a different computer on the Internet. The computer criminals infected computers in 100 countries, directing them to loop for DNS information from a set of hacker-controlled machines in Chicago and New York, according to the indictment. This enabled to criminals to serve up rogue ads and earn commissions no them.
The U.S. Attorney's Office called the scheme "massive and sophisticated," in its indictment, and implied that many victims have not yet been discovered.
Bhahara credited Estonian authorities with assistance in the case, called the case "the first of its kind." The NASA infections tipped off U.S. investigators to the scheme, Bhahara said.
In an effort to obtain additional evidence, and to identify more victims, a third-party firm replaced the rogue DNS servers with "clean" government-controlled DNS servers, and will continue to operate them for the next 120 days, logging connections and keeping track of infected computers. FBI agents are also using the data to inform Internet service providers about infected consumers.
The FBI has has more details about the allegations on its Web site. It also wants to hear from consumers who think their computer is infected, and offers a tool for testing your Internet connection on that site. Standard, up-to-date antivirus software should detect the virus.