The DNSChanger malware, which spread to more than 500,000 devices in the U.S. and 4 million worldwide, redirected the web browsers on infected computers to various websites, earning seven fraudsters over $14 million in affiliate and referral fees.
The DNSChanger click-fraud scam began in 2007. Six men from Estonia and one from Russia used multiple front companies, including an internet advertising agency, to operate the scheme. Under the cover of their shell advertising agency the click-fraudsters contracted with online advertisers that paid a commission for every advertising click and visitor brought to the advertisers' web pages. The DNSChanger malware altered the DNS server settings on the machines it infected, pointing them at resolvers under the fraudsters' control, and so effectively redirected users to the sites earning the fraudsters commission. The malware also prevented infected users from downloading security updates for their operating system or antivirus software.
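The defensive check that follows from this is to compare a host's configured resolvers against the ones the organization actually operates. The script below is an added example written for this page, not code from the article or from any investigation; the resolv.conf text, the trusted resolver addresses and the rogue range are all constructed placeholders (the real rogue ranges would come from an incident team's own intelligence source).

```python
import ipaddress

# Constructed sample resolver configuration (not captured from a real host).
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client
nameserver 10.0.0.53
nameserver 198.51.100.7   # unexpected resolver pushed by malware
nameserver 203.0.113.9
search corp.example
"""

# Assumed: the resolvers this organization really runs.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Placeholder rogue range; a real deployment loads the actual list from
# its own threat-intelligence feed. 198.51.100.0/24 is a documentation prefix.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_nameservers(text):
    """Return the IP addresses named on 'nameserver' lines, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                         # skip malformed entries
    return servers


def classify_resolvers(text, trusted=TRUSTED_RESOLVERS, rogue=KNOWN_ROGUE_RANGES):
    """Label each configured resolver as 'trusted', 'rogue' or 'unexpected'."""
    findings = {}
    for addr in parse_nameservers(text):
        if any(addr in net for net in rogue):
            findings[str(addr)] = "rogue"        # matches a known-bad range
        elif str(addr) in trusted:
            findings[str(addr)] = "trusted"
        else:
            findings[str(addr)] = "unexpected"   # not known-bad, but not ours
    return findings


if __name__ == "__main__":
    for server, verdict in classify_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server}: {verdict}")
```

Any resolver that is not on the trusted list warrants a look even when it matches no known-bad range, since the list of rogue resolvers is only as current as the feed it came from.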
In late 2011 the FBI charged the seven men with 27 counts of wire fraud and other crimes, but not before they had fraudulently earned $14 million in commission payments for affiliate referral fees. Following the indictment of the seven men the FBI seized over 100 command-and-control servers used for the affiliate fraud operation. But because many machines were still infected with the DNSChanger malware, the FBI could not simply shut down these servers, as many internet users would then have been left unable to resolve domain names and connect. As an interim solution the FBI ran two replacement servers solely to answer DNS requests coming from infected machines, while providing information and remediation steps for infected users to correct the issue. On July 9 the FBI shut down these replacement servers, meaning the estimated 264,000 machines still infected with DNSChanger would no longer be able to access the World Wide Web.
For more information: