Good afternoon. My name is Preet Bharara, and I am the United States Attorney for the
Southern District of New York. Today, we announce the unsealing of an Indictment
charging seven individuals – six Estonian nationals and one Russian national – with
perpetrating a massive and sophisticated Internet fraud. Six of those seven defendants were
arrested at our request yesterday by Estonian law enforcement, in Estonia, and the seventh
is at large. We believe this criminal case is the first
of its kind, and it arises from a cyber infestation of the first order. As described in the Indictment,
the defendants are charged with engineering a massive cyber scheme that infected more
than four million computers in 100 countries with malicious software (or malware), allowing
them to profit illegally to the tune of at least $14 million. At least a half million
of those computers were located in the U.S. As alleged, the defendants were cyber bandits
who hijacked millions of computers at will and rerouted them to Internet websites and
advertisements of their own choosing – collecting millions in undeserved commissions for all
the hijacked computer clicks and Internet ads they fraudulently engineered.
As alleged in the Indictment, the defendants controlled companies that masqueraded as legitimate
Internet advertising companies. The more Internet traffic the defendants drove to certain websites
and Internet ads, the more money the defendants collected under their advertising contracts.
On a massive scale, then, the defendants gave new meaning to the term “false advertising.”
What’s more, because of the nature of the malware used to carry out the scheme, the
infected computers were left more vulnerable to other viruses as well, because in most
cases they were unable to download basic anti-virus updates.
In just a moment, I’ll illustrate to you how the cyber-scheme worked. Before I do that,
let me introduce our law enforcement team. First, I want to acknowledge the extraordinary
cooperation we received internationally, particularly from the Estonian Police and Border Guard
Board. Without their assistance, the investigation and the arrests we are announcing today would
not have been possible. I am joined at the podium by Janice Fedarcyk,
the Assistant Director-in-Charge of the New York Office of the FBI, who has made cyber
security an absolute top priority of the New York Field office, and for good reason.
Also here is Mary Galligan, the Special Agent-in-Charge of the Special Operations and Cyber
Branches of the FBI, and Daniel O’Brien, the Assistant Special Agent-in-Charge of the
Cyber Branch. I am also joined by Paul Martin, Inspector
General of NASA OIG – the National Aeronautics and Space Administration, Office of the Inspector
General. Why NASA, you may be asking yourself? Because NASA’s computers were among the
millions infected with the malware. In fact, after NASA discovered that over 100 of its
computers were infected, NASA’s agents teamed up with the FBI to unravel the scheme and
root out who was behind it. I also want to express my appreciation to
the career prosecutors who have conducted this meticulous investigation: Assistant United
States Attorneys Sarah Lai, James Pastore, and Alex Wilson, as well as Lisa Zornberg
and Michael Bosworth, the Chiefs of our Complex Frauds Unit, Thomas Brown, the Deputy Chief
for Cyber, and Sharon Cohen Levin, the Chief for forfeiture.
Now let’s look at how the alleged cyber scheme in this case actually worked. As I
mentioned, this cyber plot came to light after certain computers at NASA became infected
with malware. Notwithstanding NASA’s involvement, however, this was not rocket science.
But, in order to understand the scheme, you need to understand a couple of fairly basic
things about how computers connected to the Internet are actually steered to particular
web pages.
In order to go to a particular web page, there are actually two ways to do it.
If you know the IP address, which is typically a long series of numbers, you can type that
into your browser, and your computer will take you there. No one really uses that method.
Instead, we all use the second method – which is typing in the plain English website domain
name; for example, www.irs.gov or www.netflix.com, etc.
But that requires some translation – so your computer knows what IP address is
associated with that domain name. So, when you type in a domain name, for example
www.irs.gov, this is what happens: Your browser is directed by the computer’s
operating system to a server somewhere, called a DNS Server (“Domain Name System” Server);
it is that DNS Server that provides the actual IP address for the website and directs you
to the computer hosting that website.
DNS Servers are sort of like an Internet white pages phone book; but instead of providing
phone numbers for businesses, they provide IP addresses for websites.
So, to be directed to where you want to go, you need to be connected to a legitimate DNS
Server.
And it is this simple Internet fact of life that we allege the defendants relied on to
pull off their multi-million dollar scam. As explained in the Indictment, what they
did was infect millions of computers around the world with malware – malicious software.
That happened typically when computer users visited certain sites or downloaded software
from the Internet and unwittingly infected their own computers.
And what the malware did was change the DNS server settings so that infected computers
were routed not to legitimate DNS Servers, but to rogue servers controlled and operated
by the defendants in New York, Chicago, and elsewhere.
And so, as the Indictment explains, if you were infected by the defendants’ malware,
your computer could be hijacked to whatever website the defendants wished.
So the defendants’ plan was to infect computers; direct them to servers they controlled; then
redirect traffic to unintended websites; and reap an illegal financial windfall from that
web traffic. In one variation of the fraud, when the user
of an infected computer clicked on a search result link displayed through a search engine
query, they were falsely directed to a different website than the one they intended to visit.
This type of fraud is described in the Indictment as “click hijacking.”
The defendants then allegedly received money for each of these fraudulently engineered
“clicks.” As alleged, they executed this click-fraud
on a massive scale, earning millions in illegal profits, by bringing unsuspecting computer
users around the world to websites they never intended to visit.
They allegedly engaged in a related type of fraud as well, as described in the Indictment
– “advertising replacement fraud.” As you know, websites make money by selling advertising.
And that’s a lucrative business. But, as the Indictment alleges, the defendants corrupted
that business model too. We allege that they replaced legitimate Internet
advertisements on websites with substituted ads that triggered payments to them.
Finally, as I mentioned, there was an insidious side effect to this alleged cyber infection
– computer users were typically unable to update their anti-virus and operating system
software. That left them more vulnerable. As alleged in the Indictment, the defendants
carried out this click-fraud over five years, generating at least 14 million dollars in
illicit revenue. With today’s charges, we have unmasked who they are, unmasked their
alleged crimes, and we will seek their extradition to the United States so they can be brought
to justice. Now, I want to mention some information about
how this takedown took great care to avoid Internet disruptions for those with infected
computers. Yesterday morning at approximately 3:00 a.m.,
the Government literally pulled the plug on the defendants’ rogue computer servers,
which had been operating out of data centers in New York, Chicago, and other locations.
The FBI dismantled the computer infrastructure that the defendants used to execute their
alleged crimes. Since then, the FBI has been promptly advising Internet Service Providers
around the world of their customers whose computers may be infected, and those notification
efforts are ongoing. At the Government’s request, a federal judge
in Manhattan has also appointed an independent receiver to replace the defendants’ unplugged
“bad” servers with clean, good servers so that Internet life can go back to normal
for the affected users. And because of this careful planning, infected
computer users’ Internet service has been routed through clean servers without being
interrupted. Let me conclude by emphasizing that the cyber
threat is perhaps the most significant challenge faced by law enforcement and national security
agencies today. It has truly become the new frontier for law enforcement. And what we
see in cases like today’s is likely just the tip of the Internet iceberg.
About a year ago, we announced a massive cyber fraud that involved the Zeus Trojan, allowing
Eastern European hackers to steal millions from U.S. bank accounts.
As I said then, the modern, high-tech heist does not require a gun, a mask, a note, or
a getaway car. It requires only the Internet and ingenuity. And it can be accomplished
in the blink of an eye, with just a click of the mouse – at a distance of thousands
of miles. Today’s case is just the latest manifestation
of that gathering threat, and it highlights yet another way in which the cyber threat
has evolved and grown. That is why the FBI – under the leadership
of Director Mueller and Jan Fedarcyk in New York – has so ramped up its cyber efforts
in terms of resources and focus. And we have done the same in this Office.
We will be doing more and more in this area – as it is absolutely essential to our national
security, our economic security, and our citizens’ personal security.
And it is equally imperative that there be increased international collaboration among
law enforcement to bring cyber criminals to justice. Too much of this conduct occurs abroad,
and if we are to make a dent in the problem, we will all have to work as well together
as we and the Estonians have done so this week.
It is my pleasure to call to the podium:
Janice Fedarcyk, the Assistant Director-in-Charge of the New York Office of the FBI
Paul Martin, Inspector General of NASA OIG – the National Aeronautics and Space Administration,
Office of the Inspector General