FBI 'Operation Ghost Click' raid shuts down cyber criminals
SIX men have been arrested as part of an international FBI operation that is being described as the biggest cyber criminal takedown in history.
The gang of six Estonians - and a Russian who remains at large - are accused of running a botnet of more than four million virus-infected computers in 100 countries.
They allegedly used their control of the machines to redirect users from websites such as Apple's iTunes Store and Amazon to ones that would serve up advertising, for which the gang would receive a referral fee. The "click-jacking" fraud netted almost £9m over four years, according to the US indictment.
The FBI's two-year investigation was dubbed "Operation Ghost Click". It culminated with the arrest of the Estonians on Tuesday in cooperation with local police. The men now potentially face decades in prison on charges of fraud and computer intrusion.
"These defendants gave new meaning to the term 'false advertising'," said Manhattan US Attorney Preet Bharara.
"As alleged, they were international cyber bandits who hijacked millions of computers at will and re-routed them to websites and advertisements of their own choosing, collecting millions in undeserved commissions for all the hijacked computer clicks and internet ads they fraudulently engineered."
The gang allegedly gained control of computers by infecting them with malware called DNSChanger. It allowed them to modify browser settings on Windows machines to redirect traffic to advertisers. The virus was first detected on the NASA computer network.
Trend Micro, a security firm that provided intelligence to the FBI investigation, said it had traced the fraud to an Estonian company called Rove Digital.
"Rove Digital is a seemingly legitimate IT company based in Tartu with an office where people work every morning," said senior threat researcher Feike Hacquebord.
"In reality, the Tartu office is steering millions of compromised hosts all over the world and making millions in ill-gained profits from the bots every year."
The "command and control" servers used to operate the four-million-strong botnet have been taken out of action. Trend Micro has also posted advice on how to detect and remove DNSChanger.