NEW YORK (The Blaze/AP) — Internet bandits devised an international scheme to hijack more than 4 million computers in more than 100 countries, manipulating traffic on Netflix, the U.S. Internal Revenue Service and other popular websites to generate at least $14 million in fraudulent advertising revenue, federal prosecutors said Wednesday.
Six of the seven people named in the indictment unsealed Wednesday are Estonians who are in custody in that country, and prosecutors said extradition was being sought. One Russian remains at large.
About 500,000 computers in the United States were infected with malware, including those used by individuals, educational institutions, nonprofits and government agencies like NASA, U.S. Attorney Preet Bharara told a news conference.
Bharara called the case the first of its kind because the suspects set up their own "rogue" servers to secretly reroute Internet traffic to sites where they had a cut of the advertising revenue.
"On a massive scale, the defendants gave new meaning to the term 'false advertising,'" Bharara said.
The problem was first discovered at NASA, where 130 computers were infected. Investigators followed a digital trail to Eastern Europe, where the defendants operated "companies that masqueraded as legitimate participants in the Internet advertising industry," according to the indictment.
"Without the computer users' knowledge or permission, the malware digitally hijacked the infected computers to facilitate the fraud," the indictment says.
Once their computers were infected, people seeking to visit Netflix, the IRS, ESPN, Amazon and other legitimate sites were redirected to sites where the defendants collected income for each click on an ad, authorities said. The malware and corrupted servers also allowed the defendants to substitute legitimate ads on other websites with replacement ads that earned them more illicit income, they added.
The indictment estimated the defendants "reaped least $14 million in ill-gotten gains" over a five-year period starting in 2007.
The L.A. Times reported that this technique is known as "click-jacking" because it waits for the user to click and then redirects them to a similar looking site. The click-jackign software, the Times reports allegedly changed the way infected computers accessed the web.
Think you may have been infected? The Federal Bureau of Investigation has this handout to help you figure it out (see below).
According to Wired, the Internet Systems Consortium will be helping reverse the rouge software. ISC is collecting IP address of infected computers, but it will not be collecting the search terms that lead infected computers to these sites.