The malicious software infected four million computers worldwide

7 Charged in Web Scam Using Ads

- By SOMINI SENGUPTA and JENNA WORTHAM - The New York Times - November 9, 2011

It was a subtle swap: a cheesy advertisement for a vacation timeshare site atop the home page of ESPN.com, in a spot that might have been claimed by a well-known brand like Dr Pepper.

Those who saw swapped ads, federal prosecutors say, might never have known that their computer had been drawn into a complex Internet advertising scam that they say generated $14 million for its creators.

Over the last four years, a group of men in Eastern Europe quietly hijacked millions of computers worldwide and diverted unsuspecting users to online advertisements from which they could profit, federal law enforcement officials said on Wednesday.

Six men, all in their 20s and early 30s, are under arrest in Estonia for what the United States attorney’s office in New York called “a massive and sophisticated Internet fraud scheme.” A Russian suspect in the case remains at large.

The malicious software infected four million computers worldwide, including 500,000 in the United States, the prosecutors said. The software was so subtle that most people using an infected computer were probably unaware of it.

It was a two-pronged scheme, prosecutors said. One component involved redirecting clicks on search results to sites that were controlled by the defendants. A search for “I.R.S.,” for instance, would lead a user to the Web site of the tax preparer H&R Block. The sites to which users were directed would pay the swindlers a referral fee, prosecutors said. The more traffic they could redirect, the more fees they collected.

The other way the group made money, according to the indictment, was to swap legitimate online advertisements on certain Web sites with others that would generate payments for the defendants. Prosecutors said that Web sites for ESPN and The Wall Street Journal were affected — but only when viewed on the infected computers.

“On a mass scale, this gave new meaning to the term false advertising,” Preet Bharara, the United States attorney for the Southern District of New York, said at a press conference in Manhattan.

The security firm Trend Micro, which was among several private companies that helped federal officials with the investigation, called it the “biggest cybercriminal takedown in history.” The group running the scheme had 100 command-and-control servers worldwide, the company said, one of which was in a data center run in New York.

The scheme came to light after 100 computers at the National Aeronautics and Space Administration were found to have been infected. The malicious software spread through infected Web sites.

The most serious aspect of the scheme was that it attacked part of the scaffolding of the Internet: the domain name system, or D.N.S., which links the numerical addresses of Web sites with more user-friendly addresses like irs.gov.

“When people start attacking infrastructure, it creates the potential for a rogue version of the Internet,” said David Dagon, a computer security expert at the Georgia Tech College of Computing who helped federal authorities in the investigation.

Unlike more traditional malware that ferrets out valuable personal information, the group’s program was not designed to steal data, so it was not easily detected, private security consultants said. It manipulated the infrastructure of the Web to do what it does every day in great volumes: display advertising.

All six of the Estonian defendants were in the custody of Estonian police. Four of them also face charges in that country. One of them, Vladimir Tsastsin, 31, has been previously convicted of money laundering in Estonia, according to the Federal Bureau of Investigation. He is identified with a company called Rove Digital, which investigators say ran the operation’s infrastructure.

According to the indictment, the malware also staved off antivirus software updates, which meant that an infected computer could not detect that it was infected. This also made the machine vulnerable to other security bugs.

The malware affected both Windows and Mac operating systems. On its web site, the F.B.I. outlines how to detect this particular program and how to get rid of it.

Mr. Bharara described the scheme as “cyber infestation of the first order” that reflected the global nature of Internet fraud.