Estonian company Rove Digital taken down in massive click-fraud sting
Six Estonian nationals were arrested this week, charged with running a $14 million click-fraud ring whose DNS-hijacking malware infected 4 million computers across 100 countries.
The charges result from a two-year FBI investigation called "Operation Ghost Click." Each of the six men has been charged with wire fraud, wire fraud conspiracy, computer intrusion conspiracy, computer intrusion (furthering fraud), and computer intrusion (transmitting information). The head of the group, Vladimir Tsastsin, 31, was additionally charged with 22 counts of money laundering.
A seventh individual involved in the crimes, an unnamed Russian, is reportedly still at large.
The group operated under the name Rove Digital and has been a known source of shady Web activity since at least 2006. In the scheme uncovered by "Ghost Click," Rove Digital used malware called DNSChanger to build a botnet of 4 million computers in 100 countries. Some 500,000 of those were in the U.S. alone, with infections reaching government agencies such as NASA.
The malware altered the DNS server settings on victims' computers (and, where it could reach them, on their network routers) so that name lookups went to rogue DNS servers owned and operated by the group. Because the group controlled name resolution, it could send infected machines to any site it chose regardless of the address the user typed (for example, users attempting to reach the IRS site were rerouted to H&R Block instead), and it replaced legitimate advertisements on legitimate sites with ones that paid commissions to the group.
"Rove Digital is a seemingly legitimate IT company based in Tartu with an office where people work every morning. In reality, the Tartu office is steering millions of compromised hosts all over the world and making millions in ill-gained profits from the bots every year," said Trend Micro senior threat researcher Feike Hacquebord.
Under a federal court order, the group's rogue DNS servers have been seized and replaced with legitimate ones.
"These defendants gave new meaning to the term, ‘false advertising.’ As alleged, they were international cyber bandits who hijacked millions of computers at will and re-routed them to Internet websites and advertisements of their own choosing—collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered," said U.S. Attorney Preet Bharara. "The international cyber threat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the Internet iceberg. It is also an example of the success that can be achieved when international law enforcement works together to root out internet crime. We are committed to continuing our vigilance and efforts—it is essential to our national security, our economic security, and our citizens’ personal security."
The FBI has issued a whitepaper on DNSChanger that explains how to check whether your computer or network router has been infected; it is available on the FBI's website.
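As an added example (not code from the article or from the FBI whitepaper it mentions), here is a small Python checker for the resolver hijack described above: it pulls the resolver addresses out of a resolv.conf or `ipconfig /all` listing and flags any that fall inside the address ranges the FBI published for Rove Digital's rogue servers. The CIDR list is reproduced from the FBI's DNSChanger guidance rather than from this article; the two configuration listings embedded in the block are constructed samples.

```python
"""Flag DNS resolvers that fall inside the rogue DNSChanger address ranges.

Added example, not code from the article or the FBI whitepaper. The CIDR
list is reproduced from the FBI's DNSChanger guidance; the two sample
configurations below are constructed for the demonstration.
"""
import ipaddress
import os
import re

# Rogue resolver ranges listed in the FBI's DNSChanger guidance.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# resolv.conf: "nameserver 1.2.3.4"
_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)")
# ipconfig /all: "DNS Servers . . . . . : 1.2.3.4", extra servers follow on
# indented lines that contain only an address.
_IPCONFIG_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
_BARE_IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_resolvers(config_text):
    """Return the resolver addresses found in resolv.conf or ipconfig text."""
    servers = []
    in_dns_block = False  # True while reading ipconfig continuation lines
    for line in config_text.splitlines():
        m = _IPCONFIG_RE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        m = _RESOLV_RE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = False
            continue
        m = _BARE_IP_RE.match(line)
        if m and in_dns_block:
            servers.append(m.group(1))
            continue
        in_dns_block = False
    return servers


def rogue_resolvers(servers):
    """Return the entries of `servers` that sit inside a rogue range.

    Hostnames and IPv6 entries are skipped, not flagged: the published
    ranges are IPv4 only.
    """
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue
        if addr.version == 4 and any(addr in net for net in ROGUE_RANGES):
            flagged.append(s)
    return flagged


def audit(config_text):
    """Parse a configuration listing and return (all_servers, flagged)."""
    servers = parse_resolvers(config_text)
    return servers, rogue_resolvers(servers)


# Constructed sample: a Linux host whose first resolver was changed.
RESOLV_CONF_SAMPLE = """# constructed sample resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

# Constructed sample: a Windows host with one rogue and one local resolver.
IPCONFIG_SAMPLE = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, text in (("resolv.conf sample", RESOLV_CONF_SAMPLE),
                        ("ipconfig sample", IPCONFIG_SAMPLE)):
        servers, flagged = audit(text)
        print(f"{label}: resolvers={servers} rogue={flagged}")
    # Also check this machine's own resolver file where one exists.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as fh:
            servers, flagged = audit(fh.read())
        print(f"local /etc/resolv.conf: resolvers={servers} rogue={flagged}")
```

A hit means the host's resolver settings were changed and should be reset to the ISP's or network's own servers; since the article notes the rogue servers have been replaced under court order, an infected machine may still resolve names normally today, so the address check, not working lookups, is the signal. Run the same check against the DNS settings page of any home router, as the whitepaper advises, because a router that hands out rogue resolvers via DHCP re-infects every client on the network.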