Internet Ad Fraud: How Hackers Hijacked 4M Computers?

U.S. Federal authorities have charged six Estonian nationals and one Russian national for engaging in a massive and sophisticated Internet fraud scheme that infected more than four million computers located in over 100 countries.

Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA.

The malware secretly altered the settings on infected computers enabling the defendants to digitally hijack Internet searches and re-route computers to certain Web sites and advertisements, which entitled the defendants to be paid. The defendants subsequently received fees each time these Web sites or ads were clicked on or viewed by users.

The malware prevented the installation of anti-virus software and operating system updates on infected computers, leaving those computers and their users unable to detect or stop the defendants' malware, and exposing them to attacks by other viruses.

The authorities said the hackers hijacked 4 million computers in hundred countries, including half a million computers in the United States, rerouting Internet traffic and generating $14 million in illegitimate income.

These defendants gave new meaning to the term, 'false advertising.' As alleged, they were international cyber bandits who hijacked millions of computers at will and re-routed them to Internet Web sites and advertisements of their own choosing-collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered, said Manhattan U.S. Attorney Preet Bharara.

How the Internet Malware Affected 4 Million Computers

The hackers controlled and operated various companies that masqueraded as legitimate publisher networks in the Internet advertising industry. The publisher networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain Web sites or advertisements, or based on the number of times that certain advertisements were displayed on certain Web sites.

Thus, the more traffic to the advertisers' Web sites and display ads, the more money the hackers earned under their agreements with the ad brokers. They fraudulently increased the traffic to the Web sites and advertisements that would earn them money. They accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays.

To carry out the scheme, the defendants used rogue Domain Name System (DNS) servers and malware that was designed to alter the DNS server settings on infected computers. Victims' computers became infected with the malware when they visited certain Web sites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims' computers to route the infected computers to rogue DNS servers.

The re-routing took in the forms of: click hijacking and advertising replacement fraud.

Click Hijacking

When the user of an infected computer clicked on a search result link displayed through a search engine query, the malware caused the computer to be re-routed to a different Web site. Each click triggered payment to the defendants under their advertising agreements.

This click hijacking occurred for clicks on unpaid links that appeared in response to a user's query as well as clicks on sponsored links or advertisements that appeared in response to a user's query-often at the top of, or to the right of, the search results-thus causing the search engines to lose money.

Advertising Replacement Fraud

Using the DNS Changer Malware and rogue DNS servers, the hackers replaced legitimate advertisements on Web sites with substituted advertisements that triggered payments to the defendants.

As a result, the defendants and their co-conspirators earned at least $14 million in ill-gotten gains through click hijacking and advertisement replacement fraud. The Indictment further alleges that the hackers laundered the proceeds of the scheme through numerous companies including, Rove Digital, an Estonian corporation, and others listed in the Indictment.

Following are the name of the hackers who were arrested and taken into custody by the Estonian Police and Border Guard Board.

Vladimir Tsastsin, 31, Timur Gerassimenko, 31, Dmitri Jegorov, 33, Valeri Aleksejev, 31, Konstantin Poltev, 28, Anton Ivanov, 26, and Andrey Taame, 31.