SitNews - Stories in the News - Ketchikan, Alaska

'Ghost Click' malware may knock thousands off internet Monday
Edited by Mary Kauffman, SitNews


July 06, 2012

(SitNews) Ketchikan, Alaska - Warnings about the "Ghost Click" Internet problem have been around for months, but thousands of Americans may still lose their Internet service on Monday, July 9th, unless they do a quick check of their computers for malware that may have taken over their computers more than a year ago.

The problem began when international hackers engaged in a massive and sophisticated Internet fraud scheme that infected more than four million computers in over 100 countries with malware. Of the infected computers, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA; educational institutions; non-profit organizations; commercial businesses; and individuals. Today, according to the FBI, over 60,000 computers in the U.S. are believed to still be infected.

This DNSChanger malware, around for over a year, secretly altered the settings on infected computers, enabling the hackers to digitally hijack Internet searches and re-route computers to certain websites and advertisements, which resulted in the defendants being paid. The hackers subsequently received fees each time these websites or ads were clicked on or viewed by users. The malware also prevented the installation of anti-virus software and operating system updates on infected computers, leaving those computers and their users unable to detect or stop the hackers’ malware, and exposing these computers to attacks by other viruses.

DNS (Domain Name System) is a critical Internet service that converts user-friendly domain names, such as, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.

On March 12, 2012, to assist the victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, for the purpose of providing additional time for victims to clean affected computers and restore their normal DNS settings.

Most victims don't even know their computers have been infected, although the malicious software probably has slowed their Web surfing and disabled their antivirus software, making their computers more vulnerable to other problems. It is important to note that the clean DNS servers that have been in operation since March will not remove the DNSChanger malware (or other viruses it may have facilitated) from an infected computer.

The clean DNS servers will be turned off on Monday, July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

The FBI said internet providers may come up with technical solutions that they will put in place Monday that will either correct any problem on the providers' end or provide information to their customers when they call to say their Internet isn't working. If the Internet providers correct any server problem they have, the Internet will work; however, the malware will remain on victims' computers and could pose future problems.

DNS Malware: Is Your Computer Infected? Check your System

To check whether a computer is infected, users can visit a website run by the group brought in by the FBI:

Check your computer's DNS Settings


If you think you are infected, take action to fix your computer now.

Protect your computer from DNS Changer.
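The settings check described above, sketched as an added example (not part of the original article and not an FBI tool): it pulls the configured DNS servers out of resolv.conf text or Windows `ipconfig /all` output and flags any that fall inside a list of rogue networks. The networks and sample inputs are constructed placeholders from the RFC 5737 documentation address space, because the article does not list the real rogue server addresses.

```python
import ipaddress
import re

# ASSUMPTION: placeholder networks (RFC 5737 documentation space). The article
# does not list the rogue addresses; substitute the published ranges.
ROGUE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV = "# office LAN\nnameserver 198.51.100.7\nnameserver 203.0.113.10\n"
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.200
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _to_ip(token):
    """Return an ip_address object, or None if token is not an IP address."""
    try:
        return ipaddress.ip_address(token.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver" and _to_ip(parts[1]):
            found.append(_to_ip(parts[1]))
    return found

def resolvers_from_ipconfig(text):
    """Extract 'DNS Servers' entries from `ipconfig /all` output."""
    found, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        # Additional servers appear on indented lines holding only an address.
        ip = _to_ip(m.group(1) if m else line.strip() if in_dns else "")
        in_dns = ip is not None
        if ip is not None:
            found.append(ip)
    return found

def rogue_resolvers(ips):
    """Return the configured resolvers that fall inside a rogue network."""
    return [str(ip) for ip in ips if any(ip in net for net in ROGUE_NETWORKS)]
```

A match means the DNS settings still point at addresses the malware installed, even while replacement servers at those addresses keep answering queries.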

The FBI is seeking information from individuals, corporate entities, and Internet Service Providers who believe that they have been victimized by malicious software (“malware”) related to the defendants. This malware modifies a computer’s Domain Name Service (DNS) settings and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants.

Register as a Victim of the DNS Changer malware


In November of 2011 six Estonian nationals were arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses.

The indictment, said Janice Fedarcyk, assistant director in charge of the FBI’s New York office, “describes an intricate international conspiracy conceived and carried out by sophisticated criminals.” She added, “The harm inflicted by the defendants was not merely a matter of reaping illegitimate income.”

Beginning in 2007, the cyber ring used a class of malware called DNSChanger to infect approximately 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses, and government agencies such as NASA. The thieves were able to manipulate Internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

“They were organized and operating as a traditional business but profiting illegally as the result of the malware,” said one of the FBI's cyber agents who worked the case. “There was a level of complexity here that we haven’t seen before.”

DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity. When users of infected computers clicked on the link for the official website of iTunes, for example, they were instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software. Not only did the cyber thieves make money from these schemes, they deprived legitimate website operators and advertisers of substantial revenue.

The six cyber criminals were taken into custody in November in Estonia by local authorities, and the U.S. planned to extradite them. In conjunction with the arrests, U.S. authorities seized computers and rogue DNS servers at various locations. As part of a federal court order, the rogue DNS servers have been replaced with legitimate servers in the hopes that users who were infected will not have their Internet access disrupted.

The Cyber-Fraud Scheme

Internet advertising is a multi-billion-dollar industry in which website owners sell advertising space on their sites. Because of the vast number of website operators—also referred to as publishers—and advertisers on the Internet, advertisers often rely on third party “ad brokers” to contract with and deliver their advertisements to publishers. Similarly, rather than contract with ad brokers individually, website publishers often join together and form “publisher networks” to contract with ad brokers collectively.

As alleged in the Indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites. Thus, the more traffic to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. As alleged in the Indictment, the defendants fraudulently increased the traffic to the websites and advertisements that would earn them money. They accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.

To carry out the scheme, the defendants and their co-conspirators used what are known as “rogue” Domain Name System (“DNS”) servers, and malware (“the Malware”) that was designed to alter the DNS server settings on infected computers. Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators. The re-routing took two forms that are described in detail below: “click hijacking” and “advertising replacement fraud.” The Malware also prevented the infected computers from receiving anti-virus software updates or operating system updates that otherwise might have detected the Malware and stopped it. In addition, the infected computers were also left vulnerable to infections by other viruses.

Click Hijacking

When the user of an infected computer clicked on a search result link displayed through a search engine query, the Malware caused the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. Each “click” triggered payment to the defendants under their advertising agreements. This click hijacking occurred for clicks on unpaid links that appear in response to a user’s query as well as clicks on “sponsored” links or advertisements that appear in response to a user’s query—often at the top of, or to the right of, the search results—thus causing the search engines to lose money. Several examples of click hijacking illustrated in the Indictment include:

When the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.

When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called “BudgetMatch.”

When the user of an infected computer clicked on the domain name link for the official government website of the Internal Revenue Service, the user was instead taken to the website for H&R Block, a major tax preparation business.

Advertising Replacement Fraud

Using the DNS Changer Malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants. Several examples of the advertising replacement fraud illustrated in the Indictment include:

When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”

When the user of an infected computer visited the website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.

When the user of an infected computer visited the ESPN website, a prominent advertisement for “Dr. Pepper Ten” had been fraudulently replaced with an ad for a timeshare business.

The defendants earned millions of dollars under their advertising agreements, not by legitimately displaying advertisements through their Publisher Networks, but rather by using the Malware to fraudulently drive Internet traffic to the websites and ads that would earn them more money. As a result, the defendants and their co-conspirators earned at least $14 million in ill-gotten gains through click hijacking and advertisement replacement fraud. The Indictment further alleges that the defendants laundered the proceeds of the scheme through numerous companies including, among others, Rove Digital, an Estonian corporation, and others listed in the Indictment.

The defendants’ scheme also deprived legitimate website operators and advertisers of substantial monies and advertising revenue. In addition to search engines losing revenue as a result of click hijacking on their sponsored search result listings, advertisers lost money by paying for clicks that they believed came from interested computer users, but which were in fact fraudulently engineered by the defendants. Furthermore, the defendants’ conduct risked reputational harm to businesses that paid to advertise on the Internet—but that had no knowledge or desire for computer users to be directed to their websites or advertisements through the fraudulent means used by the defendants.

Each defendant is charged with five counts of wire and computer intrusion crimes. In addition, one defendant is charged with 22 counts of money laundering.

Remediation Efforts

In conjunction with the arrests in November, authorities in the United States seized computers at various locations, froze the defendants’ financial accounts, and disabled their network of U.S.-based computers—including dozens of rogue DNS servers located in New York and Chicago. Additionally, authorities in the United States took steps with their foreign counterparts to freeze the defendants’ assets located in other countries. Remediation efforts were immediately undertaken to minimize any disruption of Internet service to the users of computers infected with the Malware. This remediation was necessary because the dismantling of the defendants’ rogue DNS servers—to which millions of computers worldwide had been redirected—would potentially have caused all of those computers, for all practical purposes, to lose access to websites.

The remediation effort was being carried out pursuant to the order of a Manhattan federal court judge. As part of that order, the defendants’ rogue DNS servers were replaced with legitimate ones. Internet Systems Consortium (“ISC”), a not-for-profit entity, was appointed by the court to act as a third-party receiver for a limited period of 120 days during which time it will administer the replacement DNS servers. Although the replacement DNS servers will provide continuity of Internet service to victims, those replacement servers will not remove the Malware from the infected computers. Users who believe their computers may be infected can find additional information at



SitNews ©2012
Stories In The News
Ketchikan, Alaska

 Articles & photographs that appear in SitNews may be protected by copyright and may not be reprinted without written permission from and payment of any required fees to the proper sources.