Online scamming industry, scammers, scams
Illustration: Glenn Harvey
A Guide to Pandemic Scams, and What Not to Fall For
Fraudsters see opportunities to target us in these uncertain times.
Here are their most popular schemes and how we can protect ourselves.
NYT
May 13, 2020 5:00 a.m. ET
https://www.nytimes.com/2020/05/13/
technology/personaltech/pandemic-scams.html
podcasts > before 2024
cybercrime
USA
https://www.npr.org/2019/11/18/
779386167/the-language-of-cybercrime
https://www.npr.org/2019/11/18/
778894491/cybercrime-booms-as-scammers-hack-human-nature-to-steal-billions
fraudsters
UK
https://www.theguardian.com/world/2020/apr/04/
fraudsters-exploiting-covid-19-fears-have-scammed-16m
fake websites
USA
https://www.nytimes.com/2020/05/13/
technology/personaltech/pandemic-scams.html
phishing / phishing fraud UK / USA
Sending out emails telling online account customers
they must reconfirm IDs and passwords.
When they hit reply they are sent to a cloned web page.
https://www.theguardian.com/money/2019/dec/30/
i-was-a-victim-of-and-online-bank-monzo-was-no-help
http://www.guardian.co.uk/technology/2009/oct/06/
gmail-yahoo-aol-phishing-scam
http://www.nytimes.com/2008/04/16/
technology/16whale.html
phishing scam
UK
https://www.theguardian.com/lifeandstyle/2017/feb/11/
internet-scams-da
fraudster
UK
https://www.theguardian.com/news/audio/2022/feb/07/
the-scammers-getting-rich-on-lockdown-loneliness
fraudster USA
https://www.nytimes.com/2020/05/13/
technology/personaltech/pandemic-scams.html
https://www.npr.org/2019/11/18/
778894491/cybercrime-booms-as-scammers-hack-human-nature-to-steal-billions
email conmen
UK
http://www.theguardian.com/technology/2003/nov/16/
money.scamsandfraud
scam
UK
https://www.theguardian.com/money/2020/may/04/
fraudsters-use-covid-lockdown-to-scam-motorhome-buyers
be scammed
(passive)
UK
https://www.theguardian.com/news/audio/2023/feb/01/
the-scammers-forced-to-steal-peoples-life-savings-
podcast - Guardian podcast
get scammed
(passive)
USA
https://www.npr.org/2023/11/07/
1196978201/protect-yourself-from-scams
scams UK
https://www.theguardian.com/money/
scamsandfraud
https://www.theguardian.com/money/article/2024/may/08/
chinese-network-
behind-one-of-worlds-largest-online-scams
https://www.theguardian.com/news/audio/2024/may/06/
how-do-we-protect-teenagers-from-sextortion-scams-
podcast
https://www.theguardian.com/money/2020/mar/29/
coronavirus-social-disease-fraudsters-adapt-old-scams
https://www.theguardian.com/lifeandstyle/2017/feb/11/
internet-scams-da
USA > scams UK,
USA
https://www.npr.org/2023/06/25/
1180256165/crypto-scam-senior-victims-spirebit
https://www.npr.org/2023/11/07/
1196978201/protect-yourself-from-scams
https://www.theguardian.com/money/article/2024/may/08/
chinese-network-behind-one-of-worlds-largest-online-scams
https://www.nytimes.com/2024/04/21/
style/scams-identity-theft.html
https://www.propublica.org/article/
pig-butchering-scams-raided-cambodia-apple-trafficking - October 3, 2022
https://www.propublica.org/article/
whats-a-pig-butchering-scam-
heres-how-to-avoid-falling-victim-to-one -
September 19, 2022
sextortion
USA
- scam in which a cybercriminal obtains and then threatens to release nude
or sexually compromising photos, blackmailing victims for a ransom.
https://www.npr.org/2024/07/24/
nx-s1-5050709/meta-sextortion-scams-nigeria-facebook-instagram
crypto scam
USA
https://www.npr.org/2023/06/25/
1180256165/crypto-scam-senior-victims-spirebit
pig butchering scam
UK
https://www.theguardian.com/news/audio/2023/feb/01/
the-scammers-forced-to-steal-peoples-life-savings-
podcast - Guardian podcast
pig butchering scam
USA
“Pig butchering,” as the technique is known — the phrase alludes to the practice
of fattening a hog before slaughter — originated in China, then went global
during the pandemic. Today criminal syndicates target people around the world,
often by forcing human trafficking victims in Southeast Asia to perpetrate the
schemes against their will.
ProPublica recently published an in-depth investigation of pig butchering, based
on months of interviews with dozens of scam victims, former scam sweatshop
workers, advocates, rescue workers, law enforcement and investigators, along
with extensive documentary evidence including training manuals for scammers,
chat transcripts between scammers and their targets and complaints filed with
the Federal Trade Commission.
https://www.propublica.org/article/
whats-a-pig-butchering-scam-heres-how-to-avoid-falling-victim-to-one -
September 19, 2022
https://www.propublica.org/article/
pig-butchering-scams-raided-cambodia-apple-trafficking - October 3, 2022
crypto ‘pig butchering’ scam
USA
https://www.npr.org/2024/10/04/
g-s1-26505/spirebit-crypto-pig-butchering-scam-victim-
gets-money-back
scams carried out through telemarketing, mass mailings and the Internet
USA
http://www.usatoday.com/money/2006-05-23-
marketing-fraud-arrests_x.htm -broken link
https://www.nytimes.com/2020/05/13/
technology/personaltech/pandemic-scams.html
https://www.npr.org/2019/12/17/
788975082/a-guide-to-holiday-scams
scam calls
USA
https://www.nytimes.com/2020/05/13/
technology/personaltech/pandemic-scams.html
A.I. scams UK
https://www.theguardian.com/news/audio/2023/sep/04/
the-chilling-rise-of-ai-scams-
podcast - Guardian podcast
romance scams
UK
https://www.theguardian.com/news/audio/2022/feb/07/
the-scammers-getting-rich-on-lockdown-loneliness
scammer
UK
https://www.theguardian.com/news/audio/2023/feb/01/
the-scammers-forced-to-steal-peoples-life-savings-
podcast - Guardian podcast
https://www.theguardian.com/media/2022/feb/20/
facebook-disinformation-ottawa-social-media
https://www.theguardian.com/news/audio/2022/feb/07/
the-scammers-getting-rich-on-lockdown-loneliness
http://www.theguardian.com/business/2014/feb/09/
barclays-catastrophic-theft-customer-files
online scammers
USA
https://www.npr.org/2023/12/10/
1218401565/online-scamming-human-trafficking-interpol
scammers USA
2024
https://www.nytimes.com/2024/07/29/
business/retirement-savings-scams.html
https://www.npr.org/2024/04/15/
1243189142/scam-baiter-kitboga
2021
https://www.propublica.org/article/
facebook-grew-marketplace-to-1-billion-users-
now-scammers-are-using-it-
to-target-people-around-the-world - September 22,
2021
2020
https://www.nytimes.com/2020/04/22/
technology/stimulus-checks-hackers-coronavirus.html
https://www.nytimes.com/2020/04/05/
us/politics/coronavirus-scams-fraud-price-gouging.html
https://www.npr.org/local/305/2020/03/09/
813636231/how-to-spot-local-scammers-looking-to-profit-
off-coronavirus
2019
https://www.npr.org/2019/11/18/
778894491/cybercrime-booms-
as-scammers-hack-human-nature-to-steal-billions
Human trafficking-fueled cyberfraud (...) lures victims through fake job ads
and forces them to work as online scammers
USA
https://www.npr.org/2023/12/10/
1218401565/online-scamming-human-trafficking-interpol
web scam / scam
UK / USA
https://www.npr.org/2019/02/13/
694171341/americans-lost-143-million-in-online-relationship-scams-last-year
http://www.guardian.co.uk/technology/2013/may/12/
20-ways-keep-internet-identity-safe
http://www.nytimes.com/2011/11/10/technology/us-
indicts-7-in-online-ad-fraud-scheme.html
online daters > online relationship scams / romance scams
UK / USA
https://www.npr.org/local/305/2020/02/04/
802591636/for-richer-or-poorer-
romance-scams-are-leaving-more-online-daters-broke
https://www.npr.org/2019/02/13/
694171341/americans-lost-143-million-
in-online-relationship-scams-last-year
https://www.theguardian.com/lifeandstyle/2017/feb/11/
internet-scams-da
email money scam UK
http://www.theguardian.com/money/2005/may/03/
scamsandfraud.internetphonesbroadband
bogus websites / scam shopping websites
UK
http://www.guardian.co.uk/money/2009/dec/03/
police-shut-scam-shopping-websites
online scamming industry
USA
https://www.npr.org/2023/12/10/
1218401565/online-scamming-human-trafficking-interpol
baiter
fraudster
UK
http://www.theguardian.com/technology/2004/oct/25/
money.scamsandfraud
fraudster
USA
https://www.nytimes.com/2020/05/13/
technology/personaltech/pandemic-scams.html
scam-baiting
made-up character
UK
http://www.theguardian.com/technology/2003/nov/16/
money.scamsandfraud
Corpus of news articles
Technology > Internet > Security > Cybercrime > Scams, Phishing
7 Charged In Web Scam Using Ads
November 9, 2011
The New York Times
By SOMINI SENGUPTA and JENNA WORTHAM
It was a subtle swap: a cheesy advertisement for a vacation timeshare atop the
home page of ESPN.com, in a spot that might have been claimed by a well-known
brand like Dr Pepper.
Those who saw swapped advertisements, federal prosecutors say, might never have
known that their computer had been drawn into a complex Internet advertising
scam that they say generated $14 million for its creators.
Over the last four years, a group of men in Eastern Europe quietly hijacked
millions of computers worldwide and diverted unsuspecting users to online
advertisements from which they could profit, federal law enforcement officials
said on Wednesday.
Six men, all in their 20s and early 30s, are under arrest in Estonia for what
the United States attorney’s office in New York called “a massive and
sophisticated Internet fraud scheme.” A Russian suspect in the case remains at
large.
The malicious software infected four million computers, including 500,000 in the
United States, the prosecutors said. The software was so subtle that most people
using an infected computer were probably unaware of it.
It was a two-pronged scheme, prosecutors said. One component involved
redirecting clicks on search results to sites that were controlled by the
defendants. A search for “I.R.S.,” for instance, would lead a user to the Web
site of the tax preparer H&R Block. The sites to which users were directed would
pay the swindlers a referral fee, prosecutors said. The more traffic they could
redirect, the more fees they collected.
The other way the group made money, according to the indictment, was to swap
legitimate online advertisements on certain Web sites with others that would
generate payments for the defendants. Prosecutors said that Web sites for ESPN
and The Wall Street Journal were affected — but only when viewed on the infected
computers.
“On a mass scale, this gave new meaning to the term false advertising,” Preet
Bharara, the United States attorney for the Southern District of New York, said
at a press conference in Manhattan.
The security firm Trend Micro, which was among several private companies that
helped federal officials with the investigation, called it the “biggest
cybercriminal takedown in history.” The group running the scheme had 100
command-and-control servers worldwide, the company said, one of which was in a
data center run in New York.
The scheme came to light after 100 computers at the National Aeronautics and
Space Administration were found to have been infected. The malicious software
spread through infected Web sites.
The most serious aspect of the scheme was that it attacked part of the
scaffolding of the Internet: the domain name system, or D.N.S., which links the
numerical addresses of Web sites with more user-friendly addresses like irs.gov.
“When people start attacking infrastructure, it creates the potential for a
rogue version of the Internet,” said David Dagon, a computer security expert at
the Georgia Tech College of Computing who helped federal authorities in the
investigation.
Unlike more traditional malware that ferrets out valuable personal information,
the group’s program was not designed to steal data, so it was not easily
detected, private security consultants said. It manipulated the infrastructure
of the Web to do what it does every day in great volumes: display advertising.
All six of the Estonian defendants were in the custody of Estonian police. Four
of them also face charges in that country. One of them, Vladimir Tsastsin, 31,
has been previously convicted of money laundering in Estonia, according to the
Federal Bureau of Investigation. He is identified with a company called Rove
Digital, which investigators say ran the operation’s infrastructure.
According to the indictment, the malware also staved off antivirus software
updates, which meant that an infected computer could not detect that it was
infected. This also made the machine vulnerable to other security bugs.
The malware affected both Windows and Mac operating systems. On its Web site,
the F.B.I. outlines how to detect this particular program and how to get rid of
it.
Mr. Bharara described the scheme as “cyber infestation of the first order” that
reflected the global nature of Internet fraud.
7 Charged In Web Scam Using Ads, NYT, 9.11.2011,
https://www.nytimes.com/2011/11/10/
technology/us-indicts-7-in-online-ad-fraud-scheme.html
Larger Prey Are Targets of Phishing
April 16, 2008
The New York Times
By JOHN MARKOFF
SAN FRANCISCO — An e-mail scam aimed squarely at the nation’s top executives is
raising new alarms about the ease with which people and companies can be
deceived by online criminals.
Thousands of high-ranking executives across the country have been receiving
e-mail messages this week that appear to be official subpoenas from the United
States District Court in San Diego. Each message includes the executive’s name,
company and phone number, and commands the recipient to appear before a grand
jury in a civil case.
A link embedded in the message purports to offer a copy of the entire subpoena.
But a recipient who tries to view the document unwittingly downloads and
installs software that secretly records keystrokes and sends the data to a
remote computer over the Internet. This lets the criminals capture passwords and
other personal or corporate information.
Another piece of the software allows the computer to be controlled remotely.
According to researchers who have analyzed the downloaded file, less than 40
percent of commercial antivirus programs were able to recognize and intercept
the attack.
The tactic of aiming at the rich and powerful with an online scam is referred to
by computer security experts as whaling. The term is a play on phishing, an
approach that usually involves tricking e-mail users — in this case the big fish
— into divulging personal information like credit card numbers. Phishing attacks
that are directed at a particular person, rather than blasted out to millions,
are also known as spear phishing.
The latest campaign has been widespread enough that two California federal
courts and the administrative office of the United States Courts posted warnings
about the fake messages on their Web sites. Federal officials said they stopped
counting after getting hundreds of phone calls from corporations about the
messages. At midday on Tuesday, one antispam company, MX Logic, said in a Web
posting that its service was still seeing at least 30 of the messages an hour.
Security researchers at several firms indicated they believed there had been at
least several thousand victims of the attack whose computers had been
compromised.
“We have seen about 2,000 victims, more or less,” said John Bambenek, a security
researcher at the University of Illinois at Urbana-Champaign and a volunteer at
the Internet Storm Center, a network security organization.
Researchers were studying a list of the Internet addresses of infected computers
that iDefense Labs, a research unit of VeriSign, had assembled by monitoring
network traffic.
Personalized scam messages have been on the radar of security researchers and
law enforcement officials for several years, but the latest variant is a fresh
indication of the threat posed by such digital ruses.
“I think that it was well done in terms of something people would feel compelled
to respond to,” said Steve Kirsch, the chief executive of Abaca, an antispam
company based in San Jose, Calif.
Mr. Kirsch himself received a copy of the message and forwarded it to the
company lawyer. “It had my name, phone number, company and correct e-mail
address on it and looked pretty legitimate,” Mr. Kirsch said. “Even the U.R.L.
to find out more looked legitimate at first glance.”
When the lawyer tried to download a copy of the subpoena and the computer
restarted itself, they quickly realized that the file contained malicious
software.
Several computer security researchers said that the attack was the work of a
group that tried a similar assault in November 2007. In that case, the e-mail
message appeared to come from the Justice Department and stated that a complaint
had been filed against the recipient’s company.
The software used in the latest attack tries to communicate with a computer in
Singapore. That system was still functioning on Tuesday evening, but security
researchers said many Internet service providers had blocked access to it.
A number of clues, like misspellings, in the fake subpoena led several
researchers to believe that the attackers were not familiar with the United
States court system and that the group might be based in a place that used a
British variant of English, such as Hong Kong.
“This is probably Chinese-based,” said Mr. Bambenek. “If all the key players are
in China there is not much the F.B.I. can do.”
Several security researchers said that the real danger of the attack lay in a
second level of deception, after the hidden software provided the attackers with
digital credentials like passwords and electronic certificates.
“There are very subtle nuances to their attacks that are well known in the
financial industry but are not well publicized,” said Matt Richard, director of
the Rapid Response Team at iDefense.
Mr. Richard said the criminals were going after a particular area of the
financial industry, but he would not elaborate. He said that law enforcement
officials were investigating the fraudulent documents.
Calls to the Federal Bureau of Investigation for comment were not returned.
Although the software package used to deliver the eavesdropping program is well
known, it was hidden in such a way that it avoided detection by commercial
programs in many cases, researchers said.
“This is pretty well-known code,” said Don Jackson, a researcher at SecureWorks,
a computer security firm. “The issue has to do with repacking it.”
Recipients of the e-mail messages are directed to a fraudulent Web site with a
copy of the graphics from the real federal court site. They are then asked to
download and install what is said to be a piece of software from Adobe that is
used to view electronic documents.
“There are several layers of social engineering involved here,” said Mike Haro,
a spokesman for Sophos, a company that sells software to protect against
malicious software and spam.
Larger Prey Are Targets of Phishing, NYT, 16.4.2008,
https://www.nytimes.com/2008/04/16/
technology/16whale.html