An Eastern European pack of cyber thieves known as the Rove group hijacked at least four million computers in over 100 countries, including at least half a million computers in the U.S., to make off with $14 million in “illegitimate income” before they were caught, federal officials announced today.
The malware allegedly used in the “massive and sophisticated scheme” also infected computers at U.S. government agencies, including NASA, and targeted the websites of major institutions like iTunes, Netflix and the IRS, silently sending users who tried to reach those sites to different websites entirely, according to a federal indictment unsealed in New York today.
The accused hackers, six Estonian nationals and a Russian national, illegally rerouted the internet traffic of the infected computers over the past four years in order to reap profits from internet advertising deals, the indictment said. The FBI broke up the alleged international cyber ring after a two-year investigation called Operation Ghost Click.
“The global reach of these cyber thieves demonstrates that the criminal world is… flat,” said Janice Fedarcyk, the FBI Assistant Director in charge of the New York field office. “The Internet is pervasive because it is such a useful tool, but it is a tool that can be exploited by those with bad intentions and a little know-how.”
Though they operated out of their home countries, the alleged hackers used entities in the U.S. and all over the world — including Estonia-based software company Rove Digital from which the group apparently gets its name — to carry out the plot.
According to the indictment, the suspects entered into deals with various internet advertisers under which they would be paid for generating traffic to certain websites or advertisements. But instead of earning the money legitimately, the FBI said, the defendants used malware to force infected computers to visit the target sites or advertisements without their owners’ knowledge, inflating the click counts and, therefore, the ill-gotten profits to the tune of $14 million.
The malware was also designed to block the installation of anti-virus software that might otherwise have detected it and cleaned the infected computers.
The six Estonian nationals have been arrested on cyber crime charges while the Russian national remains at large.
“Today, with the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise,” Fedarcyk said. “Thanks to the collective effort across the U.S. and in Estonia, six leaders of the criminal enterprise have been arrested and numerous servers operated by the criminal organization have been disabled.”
How the Fraud Worked, According to the FBI
The indictment describes several examples of alleged cyber fraud built on two principal strategies: traffic redirection and ad replacement.
In the first case, if a user searched for the websites of major institutions like iTunes, Netflix or the IRS, the search results would appear normally. However, when the user clicked the link to one of those websites, the malware on the computer would force a redirect to a different website where the criminals profited under their advertising deals. The redirection worked by changing the infected computer’s DNS settings so that its name lookups went to resolvers the group controlled, which could answer with whatever address the group chose; the user never had to visit a malicious site for this to happen, and the browser showed the expected address bar.
In the second, when an infected computer visited a major website, such as Amazon.com, the malware could simply replace the regular advertisements on that page with advertisements the group was being paid to deliver.
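Because the redirection depended on the victim’s resolver settings pointing at the group’s servers, the practical check for an infected machine is to inspect which nameservers it is configured to use and compare them against the rogue address ranges the FBI published for this case. The script below is an added example, not code from the article or from any party it describes; it parses a resolv.conf-style nameserver list (the sample text is constructed for the example) and flags any nameserver that falls inside those ranges. The ranges are reproduced from the FBI’s DNSChanger notice and should be verified against that notice before being relied on; the check itself generalizes to any list of known-bad resolver ranges.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Rogue resolver ranges the FBI published for the DNSChanger case.
# Example data for this script: verify against the FBI's own notice before use.
ROGUE_DNS_RANGES = [
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
]

# Constructed sample resolv.conf: the first nameserver sits inside a rogue
# range, the other two are a public resolver and a home router.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (sample, constructed for this example)
search example.lan
nameserver 85.255.113.17
nameserver 8.8.8.8
nameserver 192.168.1.1
options timeout:2
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments and malformed entries are skipped; order is preserved because
    the resolver library tries nameservers in the order listed.
    """
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue  # not an IP literal; ignore rather than crash
    return servers


def _matching_range(ip: str, ranges: Iterable[str]) -> Optional[str]:
    """Return the first CIDR in `ranges` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in ranges:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def rogue_nameservers(
    nameservers: Iterable[str],
    ranges: Iterable[str] = ROGUE_DNS_RANGES,
) -> List[Tuple[str, str]]:
    """Return (nameserver, matching_cidr) pairs for resolvers in rogue ranges."""
    ranges = list(ranges)
    hits: List[Tuple[str, str]] = []
    for ns in nameservers:
        cidr = _matching_range(ns, ranges)
        if cidr is not None:
            hits.append((ns, cidr))
    return hits


def check_resolv_conf(text: str) -> List[Tuple[str, str]]:
    """Parse resolver config text and return any rogue nameserver hits."""
    return rogue_nameservers(parse_resolv_conf(text))


if __name__ == "__main__":
    # On a real Linux host you would read /etc/resolv.conf instead of the sample.
    for ns, cidr in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"ROGUE resolver configured: {ns} (inside {cidr})")
```

On Windows the equivalent input is the DNS server list from `ipconfig /all`; feeding those addresses to `rogue_nameservers` gives the same verdict. Note that a clean resolver list does not by itself prove a machine is uninfected, since the malware could also alter settings on a home router so that every device behind it used the rogue resolvers; checking the router’s DNS configuration against the same ranges closes that gap.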