Seven Eastern European men have been charged in New York with 27 counts of wire fraud and other computer-related crimes. The indictment alleges that the group hijacked 4 million computers across 100 countries in a sophisticated click-hijacking scheme, diverting users who were trying to reach sites such as the iTunes store or the IRS. The enterprise allegedly netted the crooks more than $14 million.

Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorow, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov of Estonia and Andrey Taame of Russia have been charged with 27 counts of wire fraud and other computer-related crimes. "The six Estonian defendants have been arrested by the Estonian police and the US is seeking to extradite them. Taame remains at large," said Preet Bharara, United States attorney for the Southern District of New York, in a press conference held in New York.

The scam appears to have started in 2007. The six Estonians and one Russian, all operating from Eastern Europe, ran a bogus online advertising agency and entered into agreements with online ad providers that would pay the group whenever its ads were clicked on by users. The group planted malware on millions of computers around the world that redirected those computers' browsers to its advertisements, generating huge illegal revenue.

It worked like this: you would search for a popular site such as Amazon, Apple or iTunes. When you clicked on the link in the results, however, the browser was redirected to another website, one that the group was paid to generate traffic for. The bogus agency contracted with online advertisers who paid a small commission each time a user clicked on their ads or landed on their website. The malware, called DNSChanger, altered the DNS server settings on infected machines so that victims' browsers sent their name lookups to DNS servers controlled by the defendants; those servers answered with the addresses of sites that paid the defendants a fee.

In order to redirect browser requests from your computer, the group set up rogue DNS (Domain Name System) servers, located in data centres in New York and Chicago. "The malware changed the DNS settings so the infected computers' (requests for website addresses) were routed not to legitimate DNS servers but to DNS rogue servers operated by the defendants," Bharara said. "The defendants' plan was to infect computers, direct them to servers they controlled, then redirect traffic to unintended websites, and reap a financial windfall from this redirected traffic."

Some examples of the scam: an infected user who searched for Apple's iTunes store and clicked on the legitimate Apple link at the top of the page would be directed instead to www.idownload-store-music.com, a site claiming to sell Apple software. Users trying to reach the US government's Internal Revenue Service site were redirected to a website for H&R Block, a top tax preparation business in the US. The suspects received a fee for every visitor directed to the site. As Bharara said, "Some of the website redirections were to websites of legitimate businesses. In these cases, such businesses, assuming they were paying for legitimate services to boost traffic, were unwitting victims in the fraud."

To protect their revenue, the malware also blocked antivirus software updates on infected machines, which left victims vulnerable to other attacks as well, according to the US Department of Justice.

Even NASA was infected, which is how the scam came to light. The agency had 130 computers running the malware, according to NASA Inspector General Paul Martin, who also spoke at the press conference. While NASA continues to investigate the malware, the agency does not believe that any of its critical operational systems were compromised by it, Martin said.

The Federal Bureau of Investigation has dismantled the group's network, replacing its rogue DNS servers with clean ones so that disruption to users would be minimised. Note that this does not clean infected machines: they still point at the rogue server addresses and keep resolving names only because clean servers now answer at those addresses. The FBI also provided Internet service providers with lists of which of their customers had the malware, and set up a page with instructions on how to remove the malicious software.

Now check whether you have been infected: the tell-tale sign is that your machine's DNS settings point at resolver addresses you did not configure.
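As an added example (not from the original article), the check below parses the resolver configuration a machine is actually using, either a Unix /etc/resolv.conf or the "DNS Servers" lines of Windows `ipconfig /all` output, and flags any resolver that falls inside the six address ranges the FBI published for the DNSChanger rogue servers. The two configuration texts are constructed sample inputs so the script runs offline; the function and variable names are this example's own.

```python
"""Check configured DNS resolvers against the DNSChanger rogue ranges.

Added example, not code from the article. The six ranges are the ones
the FBI published for the rogue resolvers; the sample configuration
texts below are constructed inputs, not real captures.
"""
import ipaddress
import re

# FBI-published DNSChanger rogue resolver ranges, in CIDR form.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def configured_resolvers(config_text):
    """Extract resolver addresses, in order, from either a Unix
    /etc/resolv.conf ('nameserver 1.2.3.4') or the 'DNS Servers' field
    of Windows 'ipconfig /all' output (extra servers appear on indented
    continuation lines that carry no ':' separator)."""
    found = []
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            found.extend(_IPV4.findall(stripped))
        elif "DNS Servers" in stripped:
            found.extend(_IPV4.findall(stripped.split(":", 1)[1]))
            j = i + 1
            while j < len(lines) and lines[j].startswith(" ") and ":" not in lines[j]:
                found.extend(_IPV4.findall(lines[j]))
                j += 1
    return found


def rogue_resolvers(addresses):
    """Return the subset of addresses that fall inside a DNSChanger range;
    strings that are not valid IP addresses are ignored."""
    hits = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if any(ip in net for net in ROGUE_RANGES):
            hits.append(addr)
    return hits


def check_config(config_text):
    """Return (all configured resolvers, those inside a rogue range)."""
    resolvers = configured_resolvers(config_text)
    return resolvers, rogue_resolvers(resolvers)


# Constructed sample inputs: one infected resolv.conf, one infected ipconfig.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 85.255.112.45
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       67.210.3.250
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                       ("ipconfig /all", SAMPLE_IPCONFIG)):
        resolvers, rogue = check_config(text)
        verdict = "ROGUE resolver(s): " + ", ".join(rogue) if rogue else "clean"
        print(f"{name}: resolvers={resolvers} -> {verdict}")
```

On a real machine, feed `check_config()` the contents of /etc/resolv.conf (or the output of `ipconfig /all` on Windows) instead of the samples. A hit means the DNS settings were changed by the malware, regardless of whether lookups currently succeed, since the replacement servers answer at the same addresses; the fix is to remove the malware and restore the resolver settings, not merely to confirm that browsing still works.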

First published on 11-11-11
