Internet Law

Feds Charge 7, Shut Down 100 Rogue Servers, Allege Massive 'Click Hijack' Malware Scheme

Officials say a massive “click hijack” malware scheme affecting 4 million computers and 500,000 individuals, businesses and even government agencies in 100 countries including the United States has been shut down by U.S. authorities working cooperatively with Estonia.

Trend Micro’s Malware Blog is calling the raid the biggest cybercriminal takedown ever.

The alleged scheme used 100 rogue servers in Chicago, New York and other American cities to redirect computer users to advertising unrelated to the links on which they clicked (hence, the claimed “click hijack”), reports Bloomberg.

It also allegedly involved switched website ads; individuals seeking to view an American Express ad on the Wall Street Journal’s site, for example, clicked on it only to see a “Fashion Girl LA” ad. Such switches earned millions for the perpetrators of the scheme.

Seven individuals, all but one of them from Estonia, were charged in conspiracy and wire fraud in a federal indictment that was announced today. The six Estonians were arrested yesterday and a Russian is still being sought.

“We believe this criminal case is the first of its kind and arises from a cyber infrastructure of the first order,” said U.S. Attorney Preet Bharara in Manhattan, N.Y. “The defendants were cyber-bandits who hijacked those computers at will, controlling and masquerading as legitimate Internet websites.”

Although downloading software to view videos online infected some computers, officials other users were hijacked when they were looking for Internal Revenue Service sites, Bloomberg reports.

The malware not only made it difficult for anti-virus software to detect the intrusion but blocked updates to the protective software, thus leaving infected computers vulnerable to further intrusions, the article says.

An Estonian company, Rove Digital, with a bricks-and-mortar operation in Tartu is allegedly behind the operation. This was a new paradigm, an unidentified government agent who worked on the investigation said in an FBI press release about the two-year “Operation Ghost Click” probe.

“They were organized and operating as a traditional business but profiting illegally as the result of the malware,” said the agent, referring to the Estonian company. “There was a level of complexity here that we haven’t seen before.”

Bharara said law enforcement officials focused on the scheme after infected computers were found at the National Aeronautics and Space Administration. An investigation then determined the alleged culprits, reports the New York Times (reg. req.).

“The modern high-tech heist does not require any longer a gun, a mask, a note or a getaway car.It requires only the Internet and ingenuity, and can be accomplished in the blink of an eye and the click of a mouse, and at a distance of thousands of miles,” he said, adding: “What we see in cases like today’s is likely just the tip of the Internet iceberg,”

Individual users affected by the scheme may not have noticed the shutdown of the rogue servers, because they have reportedly been replaced with clean servers under the oversight of t, U.S. District Judge William Pauley in New York.

The Financial Times (sub. req.) and PC Magazine also have stories.

The articles don’t include any comment from the defendants or their counsel.

Updated at 7:30 p.m. to include New York Times coverage.

We welcome your comments, but please adhere to our comment policy and the ABA Code of Conduct.

Commenting is not available in this channel entry.