The FBI and security software company Trend Micro exposed a cyber criminal string that was rerouting nearly 4 million people to compromised websites without their knowledge.
The attack was focused on domain name systems (DNS), which changes original IP addresses, rerouting a person to an unsecured website before they even know they’ve been whisked away. A group of six people from Estonia decided to use this attack, called a DNSChanger, to redirect people from advertisements they believed were innocuous to websites created by the six. The point? To steal ad revenue from the companies that placed the ads on the site.
Through this scheme, which Trend Micro’s advanced threats researcher Paul Ferguson says began in 2006, the Estonian group was able to affect upwards of 4 million people. They were so successful, the team created a company around the scam named Rove Digital. It was headed by Vladimir Tsastsin (pictured above, left), who took on the role of chief executive officer.
“They won IT company of the year!” said Ferguson in an interview with VentureBeat. “It’s the irony of ironys.”
Intercepting ad revenue became extremely lucrative for Rove Digital, raking in at least $14 for the company, according to Ferguson. In fact, he says “$14 million is a low estimate,” since they simply cannot find the rest of the money.
Tsastsin had run-ins with the law prior to his involvement with Rogue Digital, according to Ferguson. He ran a domain registrar, from which he was convicted of credit card fraud. When Trend Micro employees first noticed the Rogue DNS infrastructure, it took them a while to “connect the dots.” But once they connected them, it led straight to Tsastsin, which set off alarms.
Federal law enforcement got involved in 2007, kicking off a long and tedious investigation the FBI called Operation Ghost Click. A number of international organizations were on board, which required much communication and detailed follow ups before the FBI could take any action against Rogue DNS.
Once it did, it ended a botnet scam that had reached people in more than 100 countries. In the U.S., more than 500,000 people were affected, including government agencies such as NASA. Because of the size of this attack, Trend Micro and the FBI have released a way to check if you’ve been affected. You can find it here, below are instructions for Mac users:
- Click on the Apple icon at the top left of your screen
- Select “System Preferences”
- Select the “Network” icon
- Once open, select the currently active network connection in the left column, and “DNS” in the right
- Note the DNS server addresses your computer is approved to use
- Cross check them in this form, which will tell you if it is a criminal address.
If you your DNS address is bad, Trend Micro will sweep your computer for you. You should also alert the FBI with this form.
Ferguson says beyond criminal activity, it could just be a culture issue. “A lot of [post Soviet Union countries’] ‘it’s just business’ attitude extends to what most of the rest of the world calls criminal activity.”
[Image via Trend Micro]