‘Operation Ghost Click’ Biggest Cyber-Bust Ever?

Written by Malcolm James on November 17, 2011

With Christmas just around the corner, the FBI can’t be accused of waiting until the last minute to get their Christmas shopping done. This week, the U.S. law enforcement agency – in partnership with several U.S.-based and international agencies – gave users around the world an early present when it announced the culmination of a two-year operation dubbed ‘Operation Ghost Click’, which netted the Feds six Estonian nationals and saw the Christmas tree lights yanked on the infamous DNSChanger malware scam.

It’s been a busy year for the law enforcement community and its ongoing war against Internet crime, which has experienced some success with the takedown of two major botnets in Rustock and Coreflood. But global law enforcement agencies have frantically been creating a shopping list of new targets for investigation, which undoubtedly include a carousel of security breaches, both in major corporations and government departments, the wafting scent of state-sponsored and industrial hacking, the persistent and growing threat of hacktivism, and a raft of other exotic security threats. All of the above are wreaking havoc on the connected world, so when law enforcement wins one for the little guys, we damn well want to give credit where credit is due. We even have to send out kudos for coming up with a sexy name for a two-year-long operation that saw six dirtbags paraded away in handcuffs. ‘Operation Ghost Click.’ How cool is that?

Anyone familiar with malware should be all-too-familiar with the DNSChanger scam, a Trojan horse distributed through multiple means, particularly spam e-mails. When activated, DNSChanger modifies the victim’s DNS settings so that lookups for legitimate URLs are answered by rogue servers and redirected to malicious sites bent on stealing information and earning ad revenues for the scam artists. Since 2007, DNSChanger has infected over four million unsuspecting computers, both Mac- and Windows-based. A half million of those are estimated to have been infected in the U.S., and the total haul for DNSChanger is estimated at $14 million over the past four years – reason enough for the joint collaboration of the FBI, NASA, the Estonian Police and Border Patrol, and the National High Tech Crime Unit of the Dutch National Police Agency, to name a few of the involved partners. The full list of parties responsible for the takedown can be found on the FBI’s official news release here.

DNSChanger and its Mac OS X variants – known as OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C – prompted antivirus and antimalware developers to create tools to detect and remove its malevolent ass, but the malware continued to propagate, which is where Operation Ghost Click comes in. On November 8, two data centers – in New York and Chicago – were raided and more than a hundred command and control servers were taken offline. “To reduce the disruption to infected machines,” The Register reports, “the rogue DNS servers have been replaced with modified machines that are being operated for the next four months by the not-for-profit Internet Systems Consortium.”

Infected users should now be experiencing healthy DNS activity, even if DNSChanger has altered the DNS server addresses configured on their systems. Users who wish to check if their systems have been compromised can use the FBI’s rogue DNS checker site. CNET also has some helpful information for Mac users who wish to manually check for DNSChanger infection.
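The check the FBI’s rogue DNS checker site performs, reduced to a host-side audit as an added example (this is not code from the page, the FBI, or any agency named here): it parses the resolvers a Unix-like host is configured to use and flags any that fall inside a known-rogue range. The rogue ranges below are RFC 5737 documentation-space placeholders, because the page does not list the real ones; the expected-resolver list and the sample resolv.conf texts are likewise constructed for the example.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation space). The page does
# not list the rogue resolver addresses DNSChanger pointed victims at, so a
# real audit would substitute the ranges published by the investigators.
KNOWN_ROGUE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Resolvers a hypothetical organisation expects its hosts to use: one internal
# resolver and two public ones (assumed values). Anything outside both lists is
# reported as "unknown" so an analyst can look at it rather than being ignored.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.53/32"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("2001:4860:4860::8888/128"),
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolvers(resolv_conf_text):
    """Extract resolver addresses from resolv.conf-style text.

    Comment lines ('#' or ';') and nameserver entries that are not valid IP
    addresses are skipped rather than raising, so a malformed file still audits.
    """
    found = []
    for line in resolv_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            found.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return found


def classify_resolver(addr):
    """Return 'rogue', 'expected' or 'unknown' for one resolver address.

    ip_network membership returns False across IPv4/IPv6, so mixed lists are safe.
    """
    if any(addr in net for net in KNOWN_ROGUE_RANGES):
        return "rogue"
    if any(addr in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unknown"


def audit_resolvers(resolv_conf_text):
    """Map each configured resolver (as a string) to its verdict."""
    return {str(a): classify_resolver(a) for a in parse_resolvers(resolv_conf_text)}


def is_clean(resolv_conf_text):
    """True when no configured resolver falls in a known-rogue range."""
    return all(v != "rogue" for v in audit_resolvers(resolv_conf_text).values())


# Constructed sample: a host whose first resolver has been swapped for an
# address inside the placeholder rogue range, as DNSChanger does.
SAMPLE_INFECTED = """\
# Generated by NetworkManager
nameserver 203.0.113.77
nameserver 10.0.0.53
search corp.example
"""

# Constructed sample: a host still pointing at the expected resolvers.
SAMPLE_CLEAN = """\
nameserver 10.0.0.53
nameserver 2001:4860:4860::8888
"""

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        verdicts = audit_resolvers(text)
        print(name, verdicts, "clean" if is_clean(text) else "ROGUE RESOLVER PRESENT")
```

On a real host you would feed it the contents of /etc/resolv.conf (or the equivalent output of the platform’s network configuration tool); the “unknown” verdict is deliberate, since a resolver that is neither expected nor on a published rogue list still deserves a look.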

Now for the fun part: simultaneous with the server shutdown, Estonian police took six individuals into custody. According to The Register,

“Federal prosecutors in Manhattan said the scam was controlled by an Estonian company known as Rove Digital. Six Estonian nationals have been arrested by local authorities, and the federal prosecutors plan to seek the defendants’ extradition to the US. The defendants include Vladimir Tsastsin, 31; Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; and Anton Ivanov, 26. A seventh defendant, 31-year-old Russian national Andrey Taame, remains at large.”

Each defendant is charged with five counts of wire fraud and computer intrusion crimes, and Tsastsin faces an additional twenty-two counts of money laundering. If convicted, six of these geniuses are looking at 85 years. Tsastsin is looking at an additional ten years for each of the money laundering charges, which, if convicted on all counts, would make him 336 years old by the time he gets out – and they say that bad things don’t happen to bad people!

Some are calling it the biggest cyber-bust ever. Whether or not that’s true, it was still a pretty good day for the law enforcement and Internet security communities. Keep up the good work, and thanks for the early Christmas present!

Comments

Andrew Yairley November 18, 2011

Nice to see the continued work of governments and law enforcement officials apprehending cyber-criminals. The increasing frequency of these arrests should hopefully start deterring would-be spammers, phishers, and malware distributors from heading down that dark, annoying road.

Papa Joe Monroe November 20, 2011

It’s not dubbed as the biggest botnet takedown ever for nothing. The FBI and all other involved agencies should be given praises, due credits, and high regards for this cyber buybust.

But I’m not completely satisfied, as the DNSChanger scam has been around the World Wide Web since 2007. Why did it take more than four years to completely break down this menacing Trojan horse? Was it hard to track?

Only time will tell when new variants of DNSChanger will terrorize the web once again.

Jamie Campbell November 20, 2011

@Papa Joe,

I think you hit the nail on the head. Why did it take so long to take down such a pervasive threat? I don’t want to take anything away from the fine work of the agencies and agents who took DNSChanger down, but 4 years represents a lot of damage done.

Jamie Campbell November 20, 2011

@Andrew,

I certainly hope so. Oh, for a world with no spammers and scammers!

Eve Leigh November 28, 2011

Shame on me, but I haven’t heard about this scam. What’s more interesting is how they do it. I mean, when the browser requests a URL to be resolved, it contacts a DNS server somewhere out there. Did the scam intercept the reply of the DNS server before it got to the user or did they do anything else? In any case, I am afraid soon there’ll be new scammers to fill the void.
