FBI arrests six for DNS hijacking scam worth $14 million

Charges against six Estonian nationals and one Russian national for engaging in a massive and sophisticated Internet fraud scheme that infected with malware more than four million computers located in over 100 countries have been raised by the United States Attorney for the Southern District of New York.

Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA; educational institutions; non-profit organizations; commercial businesses; and individuals.

Six of the defendants, Vladimir Tsastsin, 31, Timur Gerassimenko, 31, Dmitri Jegorov, 33, Valeri Aleksejev, 31, Konstantin Poltev, 28, and Anton Ivanov, 26, all Estonian nationals, were arrested and taken into custody yesterday in Estonia by the Estonian Police and Border Guard Board. The U.S. Attorney’s Office will seek their extradition to the United States. The seventh defendant, Andrey Taame, 31, a Russian national, remains at large.

As alleged in the Indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks in the Internet advertising industry. The publisher networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites.

Thus, the more traffic to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. As alleged in the Indictment, the defendants fraudulently increased the traffic to the websites and advertisements that would earn them money. They accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.

To carry out the scheme, the defendants and their co-conspirators used what are known as “rogue” Domain Name System servers, and malware that was designed to alter the DNS server settings on infected computers. Victims’ computers became infected with the malware when they visited certain websites or downloaded certain software to view videos online.

The malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators. The re-routing took two forms: “click hijacking” and “advertising replacement fraud.”

The malware also prevented the infected computers from receiving anti-virus software updates or operating system updates that otherwise might have detected the Malware and stopped it. In addition, the infected computers were also left vulnerable to infections by other viruses.

When the user of an infected computer clicked on a search result link displayed through a search engine query, the malware caused the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. Each “click” triggered payment to the defendants under their advertising agreements. This click hijacking occurred for clicks on unpaid links that appear in response to a user’s query as well as clicks on “sponsored” links or advertisements that appear in response to a user’s query—often at the top of, or to the right of, the search results—thus causing the search engines to lose money.

Using the DNS Changer Malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants.

The defendants’ scheme also deprived legitimate website operators and advertisers of substantial monies and advertising revenue. In addition to search engines losing revenue as a result of click hijacking on their sponsored search result listings, advertisers lost money by paying for clicks that they believed came from interested computer users, but which were in fact fraudulently engineered by the defendants. Furthermore, the defendants’ conduct risked reputational harm to businesses that paid to advertise on the Internet—but that had no knowledge or desire for computer users to be directed to their websites or advertisements through the fraudulent means used by the defendants.

Each defendant is charged with five counts of wire and computer intrusion crimes (see below chart). In addition, Tsastsin is charged with 22 counts of money laundering.

In conjunction with the Tuesday arrests, authorities in the United States seized computers at various locations, froze the defendants’ financial accounts, and disabled their network of U.S.-based computers—including dozens of rogue DNS servers located in New York and Chicago. Additionally, authorities in the United States took steps with their foreign counterparts to freeze the defendants’ assets located in other countries.

Remediation efforts were immediately undertaken to minimize any disruption of Internet service to the users of computers infected with the Malware. This remediation was necessary because the dismantling of the defendants’ rogue DNS servers—to which millions of computers worldwide had been redirected—would potentially have caused all of those computers, for all practical purposes, to lose access to websites.

The remediation effort is being carried out pursuant to the order of a Manhattan federal court judge. As part of that order, the defendant’s rogue DNS servers have been replaced with legitimate ones. Internet Systems Consortium (ISC), was appointed by the court to act as a third-party receiver for a limited period of 120 days during which time it will administer the replacement DNS servers.

Although the replacement DNS servers will provide continuity of Internet service to victims, those replacement servers will not remove the Malware from the infected computers. Users who believe their computers may be infected can find additional information at FBI.gov.

“The defendants hijacked 4 million computers in a hundred countries, including half a million computers in the United States, rerouting Internet traffic and generating $14 million in illegitimate income. The globalization of the legitimate economy was the inspiration for Thomas Friedman’s The World Is Flat. The global reach of these cyber thieves demonstrates that the criminal world is also flat. The Internet is pervasive because it is such a useful tool, but it is a tool that can be exploited by those with bad intentions and a little know-how. In this context, international law enforcement cooperation and strong public-private partnerships are absolute necessities, and the FBI is committed to both,” said FBI Assistant Director in Charge Janice Fedarcyk.

Don't miss