A massive investigation by the FBI, international law enforcement agencies, private industry, and nongovernment organizations has led to the charging of seven Estonian and Russian citizens for a widespread click fraud scheme that had infected more than 4 million computers and netted the group more than $14 million, the FBI said on Wednesday.
Using malware known as DNSChanger, the group allegedly altered the DNS server settings on infected machines, so that for four years requests to resolve website addresses were routed through a network of criminal-controlled servers. The group used the malware and servers to create false advertising clicks to businesses that paid affiliate fees, defrauding the firms. The Estonian police arrested the six Estonian nationals on Tuesday, while the sole Russian suspect remained at large.
A list of the organizations involved in the investigation, dubbed Operation Ghost Click, underscores the level of cooperation needed to prosecute cyber criminals: the FBI, the Estonian Police and Border Guard, the Dutch National Police, the NASA Office of the Inspector General, and private companies and universities such as Georgia Tech University, the Internet Systems Consortium, Mandiant, and Team Cymru.
"In this context, international law enforcement cooperation and strong public-private partnerships are absolute necessities," Janice K. Fedarcyk, assistant director-in-charge for the FBI, said in a statement.
The cross-sector cooperation extended even to the remediation effort. The takedown of the control servers for the fraudulent DNS network would likely have cut the infected computers off from the Internet until a knowledgeable person reset each compromised computer's list of DNS servers, the FBI has stated. In this case, the rogue DNS servers were replaced by legitimate servers run by the Internet Systems Consortium, the nonprofit company that develops the widely used BIND domain name system software.