An Estonian man has been extradited to New York to face charges he was part of a hacking gang that infected more than 4 million computers with malware as part of a massive click-fraud scheme.
Anton Ivanov is one of seven Estonian and Russian men charged in November with operating an international conspiracy that generated $14 million in phony revenue. He arrived in New York on Thursday afternoon and appeared in federal court in Manhattan for an arraignment hearing. Five other men charged in the operation are still being held in Estonia. One man accused of participating in the fraud ring remains at large.
The US Department of Justice accused the seven men of orchestrating a far-reaching botnet scam that infected both Windows and Mac computers with malware that silently changed their DNS settings, so that lookups for legitimate sites returned IP addresses controlled by the attackers. DNS Changer, as the malware was dubbed by researchers, pointed compromised machines at rogue DNS servers, which steered victims to websites they never would have reached on uninfected systems. The rogue resolvers also blocked lookups for antimalware sites, making it hard for victims to disinfect their machines.
The scam, which Ars covered in-depth in November, hijacked user machines when they visited booby-trapped websites or downloaded tainted software to view videos. Once on user systems, DNS Changer caused them to visit fraudulent websites that displayed ads brokered by the operators, prosecutors said.
Manhattan US Attorney Preet Bharara called it “a diabolical scheme.” In addition to replacing legitimate advertising on popular sites with fake ads, it also intercepted search-engine results so that users clicked through to websites that counted the clicks and billed the advertisers for the inflated traffic; those legitimate companies had been duped into paying for ad placements on the fraudulent sites.
In its Thursday statement, the US Attorney's office gave examples of the click fraud that infected computers were made to serve. In ad-replacement fraud, users visiting the Wall Street Journal saw ads for “Fashion Girl LA” rather than the proper American Express Plum Card ad, and visitors to Amazon.com saw ads for an e-mail marketing business rather than the Internet Explorer 8 ad that was supposed to render. In search-engine fraud, users clicking the official Apple iTunes result in a search engine were redirected to an unaffiliated Apple software company, and users searching for the IRS were redirected to H&R Block.
Because the malware changed the DNS settings on infected computers, simply switching off the rogue servers would have cut those machines off from the Internet. The Justice Department therefore requested that the rogue servers be replaced with legitimate ones administered by the non-profit Internet Systems Consortium for 120 days. A later order extended the period of operation for another 120 days, ending on July 9, 2012, so that victims would not be blacked out without warning.
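The practical check that follows from the two paragraphs above is whether a host's configured resolvers fall inside the address ranges that the rogue servers (and, during the court-ordered period, the ISC replacements) occupied. The script below is an added example, not code from the original article or from the investigation: it parses resolver settings as they appear in a Unix `resolv.conf` and in Windows `ipconfig /all` output, then matches each resolver against a list of CIDR ranges. The ranges, the sample files and the address values are all constructed placeholders (RFC 5737/3849 documentation space); a practitioner would substitute the officially published ranges for this case.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space) standing in for
# the rogue resolver ranges published for this case. Replace them with the
# official list before using this as a real check.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _to_ip(token):
    """Return an ip_address for token, or None if it is not an address."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf-style text (Linux, macOS)."""
    servers = []
    for raw in text.splitlines():
        # Strip both comment styles resolv.conf accepts.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            ip = _to_ip(parts[1])
            if ip is not None:
                servers.append(ip)
    return servers


def parse_ipconfig_dns(text):
    """DNS server addresses from `ipconfig /all` output (Windows).

    The first server follows the 'DNS Servers . . . :' label; any further
    servers are printed on the following lines as bare, indented addresses.
    """
    servers = []
    in_dns_block = False
    for raw in text.splitlines():
        if "DNS Servers" in raw and ":" in raw:
            in_dns_block = True
            ip = _to_ip(raw.split(":", 1)[1])
            if ip is not None:
                servers.append(ip)
            continue
        if in_dns_block:
            ip = _to_ip(raw)
            if ip is None:
                in_dns_block = False  # next labelled field reached
            else:
                servers.append(ip)
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Configured resolvers that fall inside one of the rogue ranges."""
    # A v6 address is never 'in' a v4 network, so mixed lists are safe.
    return [ip for ip in servers if any(ip in net for net in ranges)]


def check_resolvers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Summarise a host's resolver configuration for this check."""
    hits = rogue_resolvers(servers, ranges)
    return {
        "configured": [str(ip) for ip in servers],
        "rogue": [str(ip) for ip in hits],
        "hijacked": bool(hits),
    }


# Constructed samples, not captured from a real machine.
SAMPLE_RESOLV_CONF_CLEAN = """\
# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 2001:db8::53
"""

SAMPLE_RESOLV_CONF_HIJACKED = """\
nameserver 203.0.113.5   ; first resolver sits inside a rogue range
nameserver 192.0.2.53
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 198.51.100.8
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in [
        ("resolv.conf (clean)", parse_resolv_conf(SAMPLE_RESOLV_CONF_CLEAN)),
        ("resolv.conf (hijacked)", parse_resolv_conf(SAMPLE_RESOLV_CONF_HIJACKED)),
        ("ipconfig /all", parse_ipconfig_dns(SAMPLE_IPCONFIG)),
    ]:
        print(label, check_resolvers(servers))
```

On a real host the text would come from reading `/etc/resolv.conf` or running `ipconfig /all`; a resolver configured by DHCP from a home router that was itself reconfigured would show up the same way, which is why the check is worth running on the resolver addresses rather than only on the malware's file-system artifacts.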
Ivanov is 27 and, if convicted on the five counts of wire fraud and computer-intrusion conspiracy, faces a maximum sentence of 85 years in prison. The malware, which infected machines in 100 countries, was found on NASA and other government-controlled computers. Servers implicated in the crime were seized in Chicago and New York.