On November 9, 2011, the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national for engaging in a massive and sophisticated Internet fraud scheme that infected more than four million computers in over 100 countries with malware. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA; educational institutions; non-profit organizations; commercial businesses; and individuals. The malware secretly altered the settings on infected computers, enabling the defendants to digitally hijack Internet searches and re-route computers to certain websites and advertisements, which entitled the defendants to be paid. The defendants subsequently received fees each time these websites or ads were clicked on or viewed by users. The malware also prevented the installation of anti-virus software and operating system updates on infected computers, leaving those computers and their users unable to detect or stop the defendants’ malware, and exposing them to attacks by other viruses.

Six of the defendants, Vladimir Tsastin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov, all Estonian nationals, were arrested and taken into custody November 8, 2011 in Estonia by the Estonian Police and Border Guard Board. The U.S. Attorney’s Office will seek their extradition to the United States. The seventh defendant, Andrey Taame, a Russian national, remains at large.

As alleged in the indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites. Thus, the more traffic to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. As alleged in the indictment, the defendants fraudulently increased the traffic to the websites and advertisements that would earn them money. The defendants accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.

The defendants accomplished their scheme by employing both “click hijacking” and “advertising replacement fraud.” In “click hijacking” schemes, when the user of an infected computer clicks on a search result link displayed through a search engine query, the malware causes the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user is brought to a website designated by the defendants. In “advertising replacement fraud” schemes, the defendants used malware and rogue DNS servers, which replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants. It is alleged in the indictment that both schemes earned the defendants at least $14 million in ill-gotten gains.

The defendants are being charged with wire fraud conspiracy, wire fraud, computer intrusion, computer intrusion conspiracy, and computer intrusion by transmitting information. The indictment also alleges that the defendants laundered the proceeds of the scheme through numerous companies.

The author of this blog is Erich Ferrari, an attorney specializing in Federal Criminal Defense matters. If you have any questions please contact him at 202-280-6370 or ferrari@ferrari-legal.com.
