The U.S. charged seven people with a “massive” computer intrusion scheme that used malicious software to manipulate online advertising, diverted users to rogue servers and infected more than 4 million computers in more than 100 countries.
One Russian and six Estonians were charged with wire fraud and conspiracy in a 27-count indictment unsealed today by Manhattan U.S. Attorney Preet Bharara. The cyber-hijacking victims included at least a half million individuals, businesses in the U.S. and government agencies, including the National Aeronautics and Space Administration, Bharara said.
Over at least four years, an information technology company based in Estonia made millions of dollars by manipulating the Internet searches of infected computers, redirecting users to sites they never intended to visit or swapping out advertisements on web pages, according to the indictment.
“We believe this criminal case is the first of its kind and arises from a cyber infrastructure of the first order,” Bharara said. “The defendants were cyber-bandits who hijacked those computers at will, controlling and masquerading as legitimate Internet websites.”
The criminal investigation started about two years ago after NASA discovered a virus on more than 100 of its computers, said Paul Martin, NASA’s inspector general. Bharara said the government “pulled the plug” yesterday at 3 a.m. on rogue data servers the hackers used in New York, Chicago and other U.S. cities. The government is seeking forfeiture of at least $14 million allegedly generated by the scheme.
Malicious software, also known as malware, was typically placed on computers after Internet users visited certain websites or downloaded software to view videos online, authorities said.
Users of infected computers were surreptitiously directed from legitimate websites to rogue computer servers, called “click hijacking,” thereby generating revenue for the defendants’ multibillion dollar Internet advertising business, the U.S. said.
For example, a user with an infected computer might perform a Google search for “iTunes” and click on the resulting link to Apple Inc.’s iTunes, only to be sent to another site, the U.S. said. The malware also “hijacked” people looking for the Netflix Inc. and Internal Revenue Service sites, according to the indictment.
In another scheme that used what prosecutors called rogue domain name server malware, the hackers allegedly replaced legitimate Internet ads with substitutes that triggered millions of dollars of advertising payments for themselves. They made money after a user was diverted to another ad and clicked on it, authorities said.
The indictment cited as an example an American Express ad for the Plum Card on the Wall Street Journal’s home page that was instantly replaced, when users clicked on it, by an ad for “Fashion Girl LA.”
The malware was designed to thwart detection and prevent the installation of anti-virus software updates, prosecutors said. This left the victims’ infected computers vulnerable to further intrusions and to theft of personal and financial information stored there.
Martin, the NASA inspector general, said that the agency hasn’t found any evidence that the malware affected operations or compromised its scientific research.
NASA worked with Bharara’s office and agents with the Federal Bureau of Investigation in New York, which has made computer fraud a priority, said Janice Fedarcyk, supervisor of the bureau’s New York office.
“In his 2005 book, ‘The World is Flat,’ Tom Friedman was writing primarily about the globalization of the legitimate economy in the 21st Century,” Fedarcyk said today. “By identifying subjects in Estonia who caused a server in Manhattan to direct a user in Germany to a website in California, the FBI has proved the world is truly flat.”
The defendants include a Russian national residing in his home country, while the others charged today are residents of Estonia, Bharara said. He said the U.S. will seek extradition of the six people arrested in Estonia by authorities there. The Russian national, Andrey Taame, 31, remains at large, he said.
FBI officials said that they participated in the arrests and execution of search warrants in Estonia at that government’s request. Estonia has agreed to extradition of cyber criminals to the U.S. on two previous occasions, the FBI said.
The most serious charges in the indictment, wire fraud and money laundering, carry a maximum penalty of 30 years in prison, according to the statement.
The Estonian company behind the scheme is called Rove Digital, a seemingly legitimate information technology firm based in Tartu, Estonia, according to the Tokyo-based cyber security firm Trend Micro Inc., which aided in the U.S. investigation.
Federal authorities raided two data centers in New York City and Chicago, shutting down more than 100 servers used to manage the operation, according to a Trend Micro blog post published today.
Despite Rove Digital’s alleged heavy involvement in cybercrime, it operated openly for years out of a office building in Tartu, Trend Micro said. Among its subsidiaries is a company called Esthost, a webhosting services reseller, as well as Estdomains, Cernel, UkrTelegroup and others, according to the Trend Micro report.
At the government’s request, U.S. District Judge William Pauley in New York appointed an independent receiver to replace the defendant’s “unplugged ‘bad’ servers with clean, good servers so that Internet life can go back to normal for the affected users,” he said. As a result, infected computer users’ Internet service was re-routed through “clean” servers without any interruption, authorities said.
Fedarcyk advised those concerned that their computer had been infected to visit the FBI’s website: fbi.gov/scams-safety/computer_protect.
FBI officials said they are now in the process of working with 32,000 Internet service providers worldwide, who in turn may notify individual victims.
The case is U.S. v. Tsastsin, 11-cr-878, U.S. District Court, Southern District of New York (Manhattan).