The U.S. Department of Justice on Wednesday announced indictments against seven Europeans it said operated a massive online fraud scheme that made them $14 million by infecting millions of computers worldwide with malware that redirected Internet searches to fake sites. The feds said six Estonians had been arrested in so-called clickjacking scheme, and one Russian was at large. The suspects allegedly infected four million computers in 100 countries from 2007 to 2011. Among them: 500,000 in the United States including some at NASA. The massive indictment details the alleged scheme, which U.S. Attorney Preet Bharara called "likely just the tip of the Internet iceberg." It's a complicated-seeming bit of alleged hacking, but in fact, it's not too hard to get your head around once it's broken down.
The alleged online crime ring actually used two scam methods, investigators said. In one, known as clickjacking, web users were allegedly redirected to sites they didn't intend to visit, so that fraudulent ad-sales companies operated by the defendants could record more traffic, thus increasing their ad revenue. In another, the suspects allegedly replaced legitimate ads on existing websites with their own fake ones, gleaning traffic and, in turn, revenue.
In order to understand clickjacking, you have to understand just a little about how a domain name system server works. How Stuff Works has a good basic explanation:
Its basic job is to turn a user-friendly domain name like "howstuffworks.com" into an Internet Protocol (IP) address like 188.8.131.52 that computers use to identify each other on the network. It's like your computer's GPS for the Internet.
Computers and other network devices on the Internet use an IP address to route your request to the site you're trying to reach. This is similar to dialing a phone number to connect to the person you're trying to call. Thanks to DNS, though, you don't have to keep your own address book of IP addresses. Instead, you just connect through a domain name server, also called a DNS server or name server, which manages a massive database that maps domain names to IP addresses.
In the clickjacking scheme, hackers allegedly wrote malicious code that would find its way into victims' computers through websites or downloads, Bharara explained. Once on a victim's computer, the code would "change the DNS server settings so that infected computers were routed not to legitimate DNS Servers, but to rogue servers controlled and operated by the defendants in New York, Chicago, and elsewhere," Bharara said. The rogue servers took victims to sites where the suspects had sold advertisements. An FBI press release has some examples:
- When the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.
- When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called “BudgetMatch.”
- When the user of an infected computer clicked on the domain name link for the official government website of the Internal Revenue Service, the user was instead taken to the website for H&R Block, a major tax preparation business.
The other part of the scam, known as advertising replacement fraud, is far more straightforward. In it, the hackers allegedly used their control over DNS servers to replace real ads on legitimate websites with fakes that basically squatted the space and reaped the payout from the traffic. They had some high-profile victims, according to that same press release -- ones that maybe should have known better:
- When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”
- When the user of an infected computer visited the Amazon.com website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.
- When the user of an infected computer visited the ESPN website, a prominent advertisement for “Dr. Pepper Ten” had been fraudulently replaced with an ad for a timeshare business.
The final slap in the face, according to prosecutors, is that the malware the hackers allegedly wrote and distributed prevented virus software from receiving updates, leaving them vulnerable indefinitely. Fortunately, the FBI says it put a stop to the scams in October, and it got a court order to swap out infected DNS servers in the United States overnight on Tuesday. But despite that, knowing how easy it is for malicious code to get onto one's computer and make it do things is still creepy.
This article is from the archive of our partner The Wire.