Charges Filed in Massive Internet Fraud Scheme

   (RPC) - 4/22/2012 - Preet Bharara, the United States Attorney for the Southern District of New York, announced on April 20 the extradition of Anton Ivanov from Estonia to face charges of conspiracy to commit wire fraud and computer intrusion, among other offenses. The charges relate to the alleged operation of a massive and sophisticated Internet fraud scheme that infected with malware more than four million computers located in over 100 countries. The malware secretly altered the settings on infected computers enabling Ivanov and the six other charged defendants – Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, and Andrey Taame – to digitally hijack Internet searches and re-route computers to certain websites and advertisements.
   The defendants subsequently received millions of dollars in fees as a result of unintended visits to these websites and ads by users of infected computers. The malware also prevented the installation of anti-virus software and operating system updates on infected computers, leaving those computers and their users unable to detect or stop the defendants’ malware, and exposing them to attacks by other viruses.
   Ivanov, an Estonian citizen, was arrested in Estonia on November 8, 2011, when the Indictment against him was unsealed. He arrived in the Southern District of New York on April 20 and was presented and arraigned before U.S. Magistrate Judge Debra Freeman.
   Bharara stated: “ Operating from thousands of miles away, this defendant and his co-conspirators allegedly concocted a diabolical scheme that infected millions of computers and victimized legitimate advertisers and websites alike. Cyber crime is a grave and constant threat that is international in its scope and requires international solutions. The arrests in this case and today’s extradition of this defendant are emblematic of the kind of international cooperation that is required to fight this threat. We are committed to fighting and winning this battle .”
   The following allegations are based on the Indictment and other court documents previously filed in Manhattan federal court:
   From 2007 until October 2011, Ivanov, Tsastsin, Gerassimenko, Jegorov, Aleksejev, Poltev, and Taame controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites. Thus, the more traffic that went to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. The defendants fraudulently increased the traffic to the websites and advertisements that would earn them money and made it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.
   To carry out the scheme, the defendants and their co-conspirators used what are known as “rogue” Domain Name System (“DNS”) servers, and malware (“the Malware”) that was designed to alter the DNS server settings on infected computers. Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators. The re-routing took two forms that are described in detail below: “click hijacking” and “advertising replacement fraud.” The Malware also prevented the infected computers from receiving anti-virus software updates or operating system updates that otherwise might have detected the Malware and stopped it. In addition, the infected computers were also left vulnerable to infections by other viruses.
   When the user of an infected computer clicked on a search result link displayed through a search engine query, the Malware caused the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. Each “click” triggered payment to the defendants under their advertising agreements. This click hijacking occurred for clicks on unpaid links that appeared in response to a user’s query as well as clicks on “sponsored” links or advertisements that appeared in response to a user’s query – often at the top of, or to the right of, the search results – thus causing the search engines to lose money. For example:
  •  When the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.
  • When the user of an infected computer clicked on the domain name link for the official government website of the Internal Revenue Service, the user was instead taken to the website for H&R Block, a major tax preparation business.
   Using the DNS Changer Malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants. For example:
  • When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”
  • When the user of an infected computer visited the Amazon.com website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.
   In conjunction with the arrests in Estonia on November 8, 2011, authorities in the United States obtained a court order to implement a remediation plan to minimize any disruption of Internet service to the users of computers infected with the Malware. This remediation was necessary because the dismantling of the defendants’ rogue DNS servers – to which millions of computers worldwide had been redirected – would potentially have caused all of those computers, for all practical purposes, to lose access to websites. As part of that order, the defendant’s rogue DNS servers have been replaced with legitimate ones administered by the Internet Systems Consortium (“ISC”), a not-for-profit entity, for a limited period of 120 days. A subsequent order extended the period of operation for another 120 days, ending on July 9, 2012.
   Ivanov, 27, of Tartu, Estonia, faces a maximum sentence of 85 years in prison in connection with the charges in the Indictment.
   Estonian nationals Tsastsin, Gerassimenko, Jegorov, Aleksejev, and Poltev were also arrested in November 2011, and are in custody in Estonia. The last defendant, Taame, who is a Russian national, remains at large.
   The case against all seven defendants was scheduled to be heard before U.S. District Judge Lewis A. Kaplan.
   Bharara praised the outstanding investigative work of the Federal Bureau of Investigation, National Aeronautics and Space Administration-Office of the Inspector General, and the Estonian National Police and Border Guard Board. He also thanked the Office of International Affairs in the U.S. Department of Justice’s Criminal Division for its assistance with the extradition.
   This case is being handled by the Office’s Complex Frauds Unit. Assistant U.S. Attorneys Sarah Lai, James Pastore, and Alexander Wilson are in charge of the prosecution.
   The charges and allegations contained in the Indictment are merely accusations, and the defendants are presumed innocent unless and until proven guilty.
   Source: Financial Fraud Enforcement Task Force