FBI Dismantles International Cyber Crime Group

Published: 10 November 2011


Six Estonian nationals were arrested on Tuesday in connection with a sophisticated cyber theft scheme. An additional suspect, a Russian national, is still at large. The arrests came after a two-year FBI investigation, Operation Ghost Click, which was conducted with the help of numerous international agencies and private sector parties.

The federal indictment unsealed in New York on Wednesday states that since 2007 the suspects have infected some 4 million computers worldwide with malware that enabled them to control web traffic on infected machines, as well as to manipulate the web advertising industry. Besides personal and business-owned computers, the hackers also infected machines belonging to NASA.

According to an FBI agent who participated in the operation, the scheme had a level of complexity that the Bureau had not encountered before. The seven suspects remotely used entities in the U.S. and around the world to carry out the scheme. Among the entities used was an Estonia-based software company, Rove Digital, after which the group was named.

The malware used by the Rove group belongs to the class of DNS changers: it rewrites an infected machine's DNS settings so that name lookups are answered by servers the attackers control. When users of infected computers clicked a legitimate link, such as one for iTunes, they were redirected to rogue web sites that claimed to be selling Apple products. Additionally, the malware was used to replace legitimate advertisements on sites such as Amazon.com with fraudulent ones. This advertising scheme earned the thieves approximately $14 million. Netflix and IRS web sites were similarly affected.

Once installed, the malware prevented the installation of anti-virus programs that could remove it, consequently making the infected machines vulnerable to numerous other virus attacks.
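Because a DNS changer works by rewriting a host's resolver configuration, one defensive check is to audit the configured resolvers against the ones the organisation expects and against known-rogue address ranges. The script below is an added example and is not part of the article or of any DCWG tooling; the expected resolvers, the rogue ranges (documentation networks used as placeholders, since the article lists no indicators) and the sample resolv.conf content are all constructed.

```python
"""Audit a host's configured DNS resolvers for signs of a DNS-changer infection."""
import ipaddress
import re

# Resolvers the organisation expects its hosts to use (constructed values).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Placeholder ranges standing in for published rogue-resolver networks.
# These are RFC 5737 documentation nets, NOT the real DNSChanger ranges.
ROGUE_RESOLVER_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def classify_resolver(addr):
    """Classify one resolver as 'expected', 'rogue', 'unknown' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    if any(ip in net for net in ROGUE_RESOLVER_NETS):
        return "rogue"
    return "unknown"


def audit_resolvers(text):
    """Return {resolver: verdict} and True if any resolver is not an expected one."""
    findings = {s: classify_resolver(s) for s in parse_resolv_conf(text)}
    suspicious = any(v != "expected" for v in findings.values())
    return findings, suspicious


# Constructed sample: a host whose first resolver was rewritten by malware.
SAMPLE_RESOLV_CONF = """search corp.example
nameserver 203.0.113.45   # injected by the infection
nameserver 10.0.0.53
"""

if __name__ == "__main__":
    findings, suspicious = audit_resolvers(SAMPLE_RESOLV_CONF)
    for server, verdict in findings.items():
        print(f"{server}: {verdict}")
    print("SUSPICIOUS" if suspicious else "OK")
```

On Windows the same check applies to the NameServer values of each interface's TCP/IP settings rather than to resolv.conf; only the parsing step changes.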

Throughout Operation Ghost Click, the FBI collaborated with NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, Georgia Tech University, Internet Systems Consortium, Mandiant, the National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, the University of Alabama at Birmingham and an ad hoc group known as the DNS Changer Working Group (DCWG).

The U.S. will seek extradition of the six arrested Estonian nationals.