The FBI has charged seven people with using malware to manipulate online advertising and infect more than four million computers in more than 100 countries.
Six of the defendants are Estonians who are charged with wire fraud and conspiracy in a 27-count indictment unsealed today by Manhattan US Attorney Preet Bharara. The seventh defendant, Russian Andrey Taame, remains at large.
According to Bloomberg, the victims included at least half a million individuals, businesses in the US and government agencies, including NASA.
The operation was named ‘Operation Ghost Click’ because of the way the attackers changed domain name server (DNS) settings. The FBI said that the infections caused users to be directed to rogue results to generate revenue for the botnet owners. The cyber criminals also allegedly replaced legitimate internet ads with substitutes that triggered millions of dollars of advertising payments for themselves.
Bharara said: “These defendants gave new meaning to the term ‘false advertising’. As alleged, they were international cyber bandits who hijacked millions of computers at will and re-routed them to websites and advertisements of their own choosing, collecting millions in undeserved commissions for all the hijacked computer clicks and internet ads they fraudulently engineered.
“The international cyber threat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the Internet iceberg. It is also an example of the success that can be achieved when international law enforcement works together to root out internet crime.”
Following a two-year investigation, Bharara said the government "pulled the plug" on rogue data servers used in New York, Chicago and other US cities yesterday at 3am.
Using DNSChanger malware to infect computers, the attackers were able to manipulate internet advertising to generate at least $14m in illicit fees. The FBI also claimed that in some cases, the malware had the additional effect of preventing users' anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.
At the government's request, US District Judge William Pauley in New York has appointed an independent receiver to replace the defendants' unplugged servers with clean servers, and FBI officials said they are now in the process of working with 32,000 internet service providers worldwide, which in turn may notify individual victims.
Rik Ferguson, director of security research and communication EMEA at Trend Micro, said: “This concerted action against an entrenched criminal gang is highly significant and represents the biggest cyber criminal takedown in history. Six people have been arrested through multinational law enforcement co-operation based on solid intelligence supplied by Trend Micro and other industry partners.”