FBI Busts 6 in Rogue DNS Scheme
Yesterday the FBI officially announced that a group of 6 Estonians had been arrested and charged with a cyber scheme that had begun in 2007 and netted the criminals more than $14 million. The campaign has been dubbed "Operation:GhostClick".
The group managed to set up several Publisher Networks which can be, though not in this case, legitimate third party companies that web site owners hire to fill their ad space while they worry about their own content. Advertisers will approach these companies to help sell their ads to web sites. These third party companies then often band together and form networks through which they share ads between themselves and their specific clientele. When an ad is clicked, everyone down the line gets their fair share. Unfortunately for legitimate advertisers, this group was not collecting their fair share, but instead generating millions of unique clicks from stolen sources.
The fraud ring used a combination of two techniques to accomplish their goals. One was Click-jacking, and the other, Advertising Replacement Fraud. First, Click-jacking occurs when someone browsing a website intends to click on a link or an ad that they're interested in, but when they do they are instead re-routed to a different website. For example, in this case, one of the ads offered up to browsers was a link to the official iTunes Store (hovering over it with the mouse would show the legitimate site as well); however, when users clicked on the link, it would take them to false Apple sites instead. At this point the "click" would be counted towards the fake site where the users ended up, and therefore generated money for the fraud ring.
Advertisement Replacement Fraud occurs when legitimate ads on legitimate sites are replaced with ads that the criminals want to display instead. This is used to place the fraudulent ads on popular high-volume websites where the chance of click-throughs rises exponentially. An example of this occurring in this case is when an ad for the American Express "Plum Card" on the home page of the Wall Street Journal was replaced with an ad for "Fashion Girl LA". Clicks on these links also generated cash for the bad guys.
This group was able to accomplish all of this by infecting their victims' computers with malware designed to alter their DNS settings. The Domain Name System is essentially the telephone book of the Internet. Computers don't necessarily know how to get to www.google.com, for example. Instead, when a user types it into their browser, their computer will take a look at their local DNS entry for Google.com and see that it actually resides at the IP address of 18.104.22.168 (or one of several others). From there it can direct the browser to the correct place. The bad guys were able to point their victims to DNS servers that contained improper IP addresses for legitimate sites, thereby sending victims through their fake sites instead of where they actually intended to end up, which in turn generated money for the group in the form of advertising clicks.
The FBI has estimated that over 4 million computers were infected by this group in 100 different countries, with at least 500,000 in the US alone. The FBI has offered this document to tell if your DNS settings have been altered:
If they have, though, simply changing them won't be enough, as the malware used to change them in the first place will likely still be on the infected machine. The malware prevented the installation of new anti-virus and operating system updates on its host machine in order to allow it to remain functional. The best bet for victims is to make sure that their local anti-virus is up to date and attempt a scan and clean on their systems. It may also be a good idea to attempt a third-party web-based anti-virus scan on their machine, making sure the proper DNS settings are in place at the time.
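The DNS-settings check described above can be scripted. The following is an added example, not taken from the original post or the FBI document: it pulls the configured resolvers out of a Unix `resolv.conf` or Windows `ipconfig /all` output and flags any that fall inside a list of rogue ranges. The ranges are placeholders from documentation address space, and the sample inputs and function names are constructed for illustration.

```python
import ipaddress
import re

# PLACEHOLDER ranges (documentation space), not real indicators; use the advisory's.
ROGUE_RANGES = [("192.0.2.0", "192.0.2.255"), ("198.51.100.64", "198.51.100.127")]
# Constructed sample: Unix /etc/resolv.conf
SAMPLE_RESOLV_CONF = """\
nameserver 198.51.100.70
nameserver 10.0.0.1
"""
# Constructed sample: excerpt of Windows `ipconfig /all` output
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       203.0.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def resolvers_from_resolv_conf(text):
    """Return the addresses on 'nameserver' lines, ignoring comments."""
    fields = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def resolvers_from_ipconfig(text):
    """Return 'DNS Servers' values, including indented continuation lines."""
    out, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            out.append(m.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9a-fA-F:.%]+", line):
            out.append(line.strip())
        else:
            in_dns = False
    return out

def rogue_resolvers(resolvers, ranges=ROGUE_RANGES):
    """Return the resolvers that fall inside any start-end range."""
    nets = [n for s, e in ranges for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(s), ipaddress.ip_address(e))]
    hits = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # not an IP literal
        if any(addr.version == n.version and addr in n for n in nets):
            hits.append(r)
    return hits
```

A hit means the resolver setting was changed, not that the machine is clean once the setting is reset; the malware that made the change still has to be removed.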