U.S. indicts 7 in clickjacking scheme
The Federal Bureau of Investigation said Nov. 9 it broke up a $14 million criminal ring engaged in clickjacking and advertising fraud using malware that infected more than 4 million computers worldwide, including computers belonging to NASA.
At least 500,000 computers inside the United States were infected with the malware, called DNSChanger, the FBI said on the day that the United States Attorney for the Southern District of New York unsealed a 27-count indictment of the seven alleged perpetrators. Six of them, natives of Estonia, were arrested by Estonian authorities on Nov. 8, while the seventh, a Russian national named Andrey Taame, remains at large, the FBI said.
The scheme, which the indictment says started in at least 2007 and continued until October 2011, infected computers when users visited certain websites or downloaded certain software to play videos online.
Clickjacking victims would then find that attempts to reach certain sites through a search engine query would be foiled, since the malware would redirect the HTTP request by way of a rogue domain name server, which returned a website different from the intended one. For example, if a user of an infected machine clicked on a link to IRS.gov, the user was instead taken to the website for H&R Block, the FBI said.
The advertising replacement fraud scheme wasn't as invasive; it merely replaced legitimate ads with ads from other businesses that paid the alleged criminals to publish their ads. The ring controlled various companies that entered into deals with ad brokers under which they were paid based on the number of times that advertisements were displayed, the FBI said.
U.S. authorities seized computers and rogue DNS servers at various locations as part of the operation against the malware network, dubbed Operation Ghost Click, the FBI said. It added that it has replaced the rogue DNS servers it could confiscate with legitimate servers "in the hopes that users who were infected will not have their Internet access disrupted."

For more:
- read an FBI press release on Operation Ghost Click
- download an FBI handout on the DNSChanger malware from FBI.gov (.pdf)
- register with the FBI as a victim of DNSChanger malware