The U.S. Department of Justice (DoJ) indicted seven people — six Estonian nationals and one Russian national — today for a computer intrusion scheme under which they allegedly took control of more than four million computers in more than 100 countries to hijack Internet searches and reroute them to particular Web sites and ads.
The defendants include Vladimir Tsastisin (31), Timur Gerassimenko (31), Dmitri Jegorov (33), Valeri Aleksejev (31), Konstantin Poltev (28) and Anton Ivanov (26), all Estonian nationals who were arrested and taken into custody Tuesday by the Estonian Police and Border Guard Board. Andrey Taame (31), the seventh defendant and a Russian national, remains at large, according to the DoJ.
Each defendant has been charged with five counts of wire and computer intrusion crimes. Tsastisin has also been charged with 22 counts of money laundering. The U.S. Attorney’s Office said it would seek their extradition to the U.S.
“These defendants gave new meaning to the term ‘false advertising,’” said Manhattan U.S. Attorney Preet Bharara. “As alleged, they were international cyber bandits who hijacked millions of computers at will and rerouted them to Internet Web sites and advertisements of their own choosing—collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered. The international cyber threat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the Internet iceberg. It is also an example of the success that can be achieved when international law enforcement works together to root out Internet crime. We are committed to continuing our vigilance and efforts—it is essential to our national security, our economic security and our citizens’ personal security.”
Under the scheme, the seven defendants allegedly infected more than four million computers around the world — at least 500,000 of them in the U.S., including computers belonging to government agencies like NASA — with malware between 2007 and October 2011. The malware altered the DNS server settings on the infected computers so that their name lookups were sent to rogue DNS servers allegedly controlled and operated by the defendants and their co-conspirators. The DoJ said the rerouting used click hijacking and advertising replacement fraud to send infected computers to the sites and ads the defendants desired. The DoJ said the malware also prevented the installation of antivirus software and operating system updates on infected computers.
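Because the scheme worked by silently rewriting a machine's DNS resolver settings, the most direct check a defender can run is to compare the resolvers a host is actually configured to use against the ones it is supposed to use. The following Python script is an added example, not part of the original article or of any investigation material; it audits a Linux-style resolv.conf file. The allowlist of expected resolvers and the "known rogue" range are constructed placeholders (the real addresses used in this case are not given in the article), and the two sample files are constructed as well.

```python
import ipaddress

# Resolvers this (hypothetical) organisation expects its hosts to use.
# Constructed placeholder values, not real infrastructure.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Ranges a defender would load from a threat-intel feed of rogue resolvers.
# TEST-NET-1 is used here purely as a constructed placeholder range.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf-style text.

    Comment lines (# or ;), blank lines, 'search'/'options' lines and
    unparsable addresses are ignored, so the function tolerates the
    files generated by DHCP clients and network managers.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                # Malformed entry; skip rather than abort the audit.
                continue
    return servers


def classify_resolver(ip):
    """Label one resolver as expected, known-rogue or simply unexpected."""
    if str(ip) in EXPECTED_RESOLVERS:
        return "expected"
    if any(ip in net for net in KNOWN_ROGUE_RANGES):
        return "known-rogue"
    return "unexpected"


def audit_resolv_conf(text):
    """Return a list of (address, verdict) pairs for every nameserver line."""
    return [(str(ip), classify_resolver(ip)) for ip in parse_resolv_conf(text)]


def is_tampered(text):
    """True if any configured resolver is not on the expected list.

    An empty nameserver list also counts as tampered, since a host with no
    resolver at all is not in its expected state either.
    """
    verdicts = audit_resolv_conf(text)
    return not verdicts or any(v != "expected" for _, v in verdicts)


# Constructed sample: a host in its expected state.
SAMPLE_CLEAN = """# Generated by the DHCP client (constructed sample)
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
options timeout:2
"""

# Constructed sample: resolvers silently replaced, one in a known-rogue range.
SAMPLE_TAMPERED = """# Generated by the DHCP client (constructed sample)
search corp.example
nameserver 192.0.2.10
nameserver 198.51.100.7
"""

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(name, "tampered" if is_tampered(sample) else "ok", audit_resolv_conf(sample))
```

On a real fleet the same comparison would be run by an endpoint agent against every host's resolver configuration (and, on Windows, against the per-interface DNS settings rather than a resolv.conf file), with any "known-rogue" or "unexpected" verdict raised as an alert, since a resolver change the organisation did not make is exactly the footprint this kind of malware leaves.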
According to FBI Assistant Director in Charge Janice K. Fedarcyk, the defendants allegedly generated $14 million in illegitimate income through the scheme. The indictment said the defendants allegedly laundered that money through numerous companies, including Rove Digital, an Estonian corporation.
The DoJ said that as part of Tuesday’s arrests, U.S. authorities seized computers at various locations, froze financial accounts and disabled a network of US-based computers, including dozens of rogue DNS servers in New York and Chicago.
News of the indictment comes just as Clearwater, Fla.-based security firm GFI Labs released its VIPRE Report, a compilation of the 10 most prevalent threats detected in October, including a rogue Web browser, a fake hacking tool for Gmail account password recovery and malware disguised as ads on Yahoo! and Bing.
“The threats uncovered in October again demonstrate how cybercriminals prey on users’ inexperience and carelessness,” said Christopher Boyd, senior threat researcher at GFI Software. “They count on users being too excited by an exclusive offer or too trusting of online advertising to do their due diligence. Whether users are downloading software or inputting personal information online, they should always do everything they can to verify that they are visiting a legitimate Web site and not a well-crafted forgery.”