news

Targeting Rove Digital: Operation Ghost Click

by The Spamhaus TeamNovember 09, 20113 minutes reading time

On November 9, 2011 the FBI announced the successful dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click'. The target of this joint US and Estonian law enforcement operation is the ROKSO listed gang Rove Digital.

Rove Digital ran a sophisticated operation in which malware changed the DNS settings on the victim's computers, resulting in innocent users being directed to different websites than they requested for a number of large web merchants, banks, and other companies with whom those users did business. The malware would also replace advertisements delivered by companies such as Google or Microsoft with ads from the Rove Digital gang promoting suspect products and services. This generated vast amounts of money for Rove Digital and stole from legitimate web advertisers and their clients. This allowed the Rove Digital gang to generate over 10-million US dollars of illicit gains. Moreover, in some cases the malware actually prevented end users from updating their anti-virus definitions, which prevented not only detection and removal of the Rove Digital malware, but also of other malware as well.

Many parts of this criminal operation have been listed on our SBL Advisory list for a long time. Led by Vladimir Tsastsin, Rove Digital operated under many aliases; names such as Cernel, Esthost, Estdomain, and Ukrtelegroup have been well known amongst security researchers for years. The San Francisco-based "ISP" Atrivo/Intercage, operated by Emil Kacperski, provided bulletproof hosting for Rove on hundreds of IP addresses as early as September 2004. As many parts of this operation were hosted on US soil for many years, and as a large fraction of Rove Digital's malware-infected victims were in the US, it is especially gratifying to see US law enforcement now step in to put an end to this cybercrime operation.

Spamhaus is proud to have been among the partners in this combined law enforcement, NGO and industry effort to make the internet a safer place for users world-wide. We congratulate everybody involved with this tremendous result, and particularly want to praise the effort made to minimize the impact of this takedown on the infected end users and the support services of their ISPs. This shows again that optimal results can best be achieved with public, private, and international cooperation. Cooperation of this nature is especially needed in complex cases like this one.