Malware Kingpin Pleads GuiltyGang Racked Up $14 Million from Click Fraud Scheme
Accused malware kingpin Vladimir Tsastsin, 35, has pleaded guilty to charges relating to a massive click fraud scheme that the FBI dubbed Operation Ghost Click. The scheme, which also involved money laundering, affected more than 4 million victims in 100 countries.
See Also: How to Defend Your Attack Surface
Tsastsin, an Estonian national, was extradited to the United States from Estonia in October 2014, three years after he was charged in a U.S. indictment and arrested by local authorities. Upon his first appearance in U.S. federal court on Oct. 31, 2014, however, Tsastsin entered a not-guilty plea to the charges filed against him (see Accused Malware Kingpin Extradited).
But on July 8, Tsastsin pleaded guilty to wire fraud conspiracy and computer-intrusion conspiracy. "I knew what I was doing was wrong," Tsastsin told U.S. Magistrate Judge Michael H. Dolinger, ABC News reports.
"Vladimir Tsastsin has admitted to his role in a massive cyber hack and fraud scheme that infected millions of computers in over 100 countries and netted Tsastsin and his co-conspirators over $14 million," says Manhattan U.S. Attorney Preet Bharara.
A long-running investigation into the gang's activities - Operation Ghost Click - was launched in 2009. It led to U.S. and Estonian authorities disrupting the criminal operation in late 2011 (see 6 Nabbed in Global Internet Scam).
"The group's data centers in New York and Chicago were raided, and more than 4 million victims were given over half a year to change over to non-malicious DNS servers," says security firm Trend Micro - which assisted with the investigation - in a blog post.
How Scheme Worked
The gang used DNS changer malware to block anti-virus updates and alter an infected PC's DNS settings, which allowed the attackers to perpetrate click fraud - which refers to any clicks that are generated with malicious or fraudulent intent - as well as advertising replacement fraud, the Justice Department says.
"[This] scheme was a relatively simple one: plant DNSchanger malware onto user systems and redirect queries for popular domains to malicious servers," Trend Micro says. "This allowed the attackers to redirect the traffic aimed at these domains and carry out hard-to-detect but profitable attacks like hijacking search results and replacing website advertising. In addition to this, fake anti-virus malware was also an important source of revenue for this organization."
Click hijacking involves directing users not to a site for the link they click on, but rather to a different site. "For example, when the user of an infected computer clicked on the domain name link for the official website of Apple iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software," the Department of Justice says. "Each 'click' triggered payment to the defendants under their advertising agreements."
Advertising replacement fraud, meanwhile, refers to replacing the advertisements that a site has served with attacker-promulgated advertisements, which attackers can again use to redirect infected PCs to advertising networks that they control, and which pay them a commission for each advertisement they can serve.
Seven Charged So Far
To date, U.S. authorities have charged seven men in connection with Operation Ghost Click: Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, Andrey Taame and Anton Ivanov.
Aleksejev has been was sentenced to 48 months in U.S. prison, while Ivanov pled guilty to all charges, and was sentenced to time served. Gerassimenko, Jegorov and Poltev, meanwhile, are due to be sentenced July 23.
Tsastsin is due to be sentenced on Oct. 14, and faces a maximum sentence of 20 years in prison on the wire fraud charge, and five years for the computer intrusion conspiracy charge.
One alleged member of the gang, Russian national Andrey Nabilevich Taame, remains at large. The FBI added Taame to its Cyber Most Wanted list in 2013. It says he has been indicted on multiple charges, including wire fraud and unauthorized access to a computer.
The gang laundered its profits through a number of other companies, including Estonia-based Rove Digital, which was created by Tsastsin, according to the U.S. indictment. Estonian media outlets report that three companies allegedly used to launder the fake advertising were collectively hit by fines of up to $126,000 each by local authorities.
Tsastsin's extradition was delayed in part because he faced money-laundering charges in Estonia, and had argued that he couldn't be punished twice - by both Estonian and U.S. authorities - for the same crimes. But Estonia's Court of Appeals in 2014 sentenced him to serve six years and four months in jail for money laundering, and also ruled that the U.S. indictment had charged him with separate computer crimes, thus paving the way for his extradition. The Estonian Court of Appeals also sentenced his accomplices to serve jail terms ranging from 22 months to 34 months, and ordered them to pay fines of up to €100,000 ($111,000).