Seven Eastern European men have been charged in New York with operating a clickjacking scheme that infected more than 4 million computers in order to hijack surfers trying to get to the iTunes store or the IRS. The enterprise allegedly netted the crooks more than $14 million.
The scam appears to have begun in 2007 and involved six Estonians and one Russian, all residing in Eastern Europe, who allegedly used multiple front companies to operate their intricate scam, which included a bogus internet advertising agency, according to the 62-page indictment (.pdf), unsealed Wednesday in the Southern District of New York.
The bogus agency contracted with online advertisers who would pay a small commission each time users clicked on their ads, or landed on their website.
To optimize the payback opportunities, the suspects then infected computers in more than 100 countries with malicious software called DNSChanger to ensure that users would visit the sites of their online advertising partners. The malware altered the DNS server settings on target machines in order to direct victims’ browsers to a DNS server controlled by the defendants, which then directed browsers to sites that would pay a fee to the defendants.
For example, users who clicked on a link on a search results page would have their browsers directed not to the legitimate destination page but to a different page designated by the defendants.
An infected user who searched for Apple’s iTunes store and clicked on the legitimate Apple link at the top of the page would be directed instead to www.idownload-store-music.com, a site purporting to sell Apple software. Users trying to access the government’s Internal Revenue Service site were redirected to a web site for H & R Block, a top tax preparation business in the U.S. The suspects received a fee for every visitor directed to the site.
At least half a million machines in the U.S. were infected with the malware, including ones belonging to the National Aeronautics and Space Administration (NASA) and other unnamed government agencies.
In addition to redirecting the browsers of infected users, the malware also prevented infected machines from downloading operating system security updates or antivirus updates that might have detected the malware and stopped it from operating. When an infected user’s machine tried to access a software update page, that person would get a message saying the site was currently unavailable. Because the updates were blocked, infected machines were also left open to infection by other malware.
Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorow, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov of Estonia and Andrey Taame of Russia have been charged with 27 counts of wire fraud and other computer-related crimes.
The Federal Bureau of Investigation has provided a handout to users (.pdf) to help them determine if their system might be infected with the malware. Individuals who think they might be infected are being asked to submit an online form to the Bureau.
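The malware described above works by swapping the victim's configured DNS servers for ones the operators control, so the two checks a defender wants are "are this host's resolvers the ones we expect?" and "do canary hostnames resolve to the answers a trusted resolver gives?" The following is an added example (not code from the article, the FBI handout or the ISC) that implements both over constructed input; the expected-resolver list, the sample resolv.conf text, the canary names and all addresses are placeholders from documentation ranges, not real indicators.

```python
import ipaddress
import re
from typing import Dict, List

# Hypothetical allowlist: the resolvers this network is expected to use.
# Placeholder values (TEST-NET ranges); replace with your real resolver set.
EXPECTED_RESOLVERS = ["192.0.2.53", "192.0.2.54"]

# Constructed sample /etc/resolv.conf content. The second nameserver stands
# in for a resolver that was silently substituted and is not on the allowlist.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.7
"""

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers

def unexpected_resolvers(resolv_conf: str, expected=EXPECTED_RESOLVERS) -> List[str]:
    """Return configured resolvers that are not in the expected set.
    A host whose resolver settings were altered shows up here."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [s for s in parse_nameservers(resolv_conf)
            if ipaddress.ip_address(s) not in allowed]

def hijacked_names(trusted: Dict[str, set], observed: Dict[str, set]) -> List[str]:
    """Compare answers for canary hostnames obtained from a trusted resolver
    with the answers the host actually received; a name whose observed
    answers share nothing with the trusted set is a redirect candidate."""
    return sorted(name for name, ans in observed.items()
                  if name in trusted and not (ans & trusted[name]))

# Constructed canary data: trusted answers versus what a suspect host saw.
# Addresses are documentation ranges, not real infrastructure.
TRUSTED = {"itunes.example": {"203.0.113.10"}, "irs.example": {"203.0.113.20"}}
OBSERVED = {"itunes.example": {"198.51.100.99"}, "irs.example": {"203.0.113.20"}}

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
    print("redirected canaries:", hijacked_names(TRUSTED, OBSERVED))
```

On a real host, feed `unexpected_resolvers` the contents of the resolver configuration and populate `OBSERVED` from the host's own lookups, with `TRUSTED` taken from a resolver you control.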
The Internet Systems Consortium has also been tasked with operating a DNS server that replaces the defendants’ rogue DNS server. The ISC will be collecting IP addresses that contact this server in order to determine which systems might be infected. According to a protective order submitted to the court by the government, however, ISC is not authorized to collect any other data from the computers, such as the search terms that led them to the DNS server.