FBI Shuts Down Massive Internet Fraud Ring
Six Estonian nationals were arrested and charged in an "intricate national conspiracy conceived and carried out by sophisticated criminals," Janice Fedarcyk, director of the FBI's New York office, said in a statement. A seventh suspect, a Russian national, remained at large.
The FBI announced the arrests Wednesday after the unsealing of a federal indictment against the suspects, who were at the center of a two-year FBI investigation called Operation Ghost Click.
Starting in 2007, the cyber ring used malware called a DNSChanger to infect 4 million computers in 100 countries. A half million computers owned by individuals, businesses and government agencies, including the National Aeronautics and Space Administration, were infected in the U.S.
The DNSChanger was installed on victims' computers when they visited certain malicious Websites or downloaded certain software to view online video. Once installed, the malware changed a computer's network configurations, so instead of communicating with servers of an Internet service provider, the computer was redirected to a server controlled by the ring. As a result, when users of infected computers clicked on a search result link they were re-routed to a Website designated by the suspects, the FBI said.
Those sites typically paid the ring for having traffic directed to them from search links or had advertisers that paid the ring for clicks. The illicit operation disguised itself as a legitimate business called the Publisher Network. The company had agreements with ad brokers who paid based on the amount of traffic generated.
For example, victims looking for Apple's iTunes store were directed to a site claiming to sell Apple software. Clicking on a link for Netflix took the user to the site of an unrelated business called "BudgetMatch," and clicking on the site of the Internal Revenue Service landed the victim on the site of tax preparer H&R Block.
To garner cash from Web advertising, the ring would replace ads on legitimate Web sites with ones from their clients. For example, an American Express card ad on "The Wall Street Journal" site was replaced with an ad for "Fashion Girl L.A." An ad on Amazon.com for Windows Internet Explorer 8 was replaced with an ad for an e-mail marketing business. On the ESPN site, an ad for Dr. Pepper Ten was replaced with an ad for a timeshare business.
The ring also laundered money through numerous companies, including Rove Digital, an Estonian corporation, according to the indictment. "There was a level of complexity here that we haven't seen before," an unidentified agent in the FBI release said.
Estonian police arrested the six suspects Tuesday. They were identified as Vladimir Tsastsin, 31; Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; and Anton Ivanov, 26. The seventh suspect, who remained at large, was Andrey Taame, 31. Each of the seven defendants is charged in the indictment with five counts of wire and computer intrusion crimes. Tsastsin is also charged with 22 counts of money laundering. U.S. authorities will seek permission to try the men in the U.S.
U.S. authorities have disabled the network of U.S.-based computers used in the ring, including dozens in New York and Chicago. The defendants' financial assets have been frozen in the U.S., and authorities are looking to do the same in other countries. The ring's computers are being replaced with legitimate systems to prevent victims from losing Internet access.
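Because the malware worked by changing a computer's DNS settings, a host can be checked by comparing its configured resolvers against the ones it is expected to use. The following is an added example, not part of the original article or any FBI tooling; the expected resolver ranges and the sample configuration are constructed values using documentation address space, and the function names are hypothetical.

```python
import ipaddress

# Assumption: the resolver ranges this host is expected to use (constructed,
# documentation address space). Replace with your ISP's or organization's ranges.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:53::/48")
]

# Constructed resolv.conf content for the demonstration.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.1
nameserver 203.0.113.77   # constructed: not in the expected ranges
nameserver 2001:db8:53::1
nameserver not-an-ip
"""


def parse_nameservers(text):
    """Return the nameserver values from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return (value, reason) for each resolver that needs investigation."""
    findings = []
    for value in parse_nameservers(text):
        try:
            # Strip an IPv6 zone id such as fe80::1%eth0 before parsing.
            addr = ipaddress.ip_address(value.split("%", 1)[0])
        except ValueError:
            findings.append((value, "unparseable"))
            continue
        if not any(addr.version == n.version and addr in n for n in expected):
            findings.append((value, "unexpected"))
    return findings


if __name__ == "__main__":
    for value, reason in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{reason}: {value}")
```

On a real Linux host the text would come from `/etc/resolv.conf`; a resolver flagged as unexpected is a prompt to find out what changed the setting, not proof of infection.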