Targeting Rove Digital: Operation Ghost Click

2011-11-09 20:13:00 UTC | by Vincent Hanna

On November 9, 2011 the FBI announced the successful dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click'. The target of this joint US and Estonian law enforcement operation is the ROKSO-listed gang Rove Digital.

Rove Digital ran a sophisticated operation in which malware changed the DNS settings on victims' computers, so that innocent users were directed to websites other than the ones they requested for a number of large web merchants, banks, and other companies with whom those users did business. The malware would also replace advertisements delivered by companies such as Google or Microsoft with ads from the Rove Digital gang promoting suspect products and services. This generated vast amounts of money for Rove Digital and stole from legitimate web advertisers and their clients, allowing the gang to generate over 10 million US dollars of illicit gains. Moreover, in some cases the malware actually prevented end users from updating their anti-virus definitions, which prevented detection and removal not only of the Rove Digital malware but of other malware as well.

Many parts of this criminal operation have been listed on our SBL Advisory list for a long time. Led by Vladimir Tsastsin, Rove Digital operated under many aliases; names such as Cernel, Esthost, Estdomain, and Ukrtelegroup have been well known amongst security researchers for years. The San Francisco-based "ISP" Atrivo/Intercage, operated by Emil Kacperski, provided bulletproof hosting for Rove on hundreds of IP addresses as early as September 2004. As many parts of this operation were hosted on US soil for many years, and as a large fraction of Rove Digital's malware-infected victims were in the US, it is especially gratifying to see US law enforcement now step in to put an end to this cybercrime operation.

Spamhaus is proud to have been among the partners in this combined law enforcement, NGO and industry effort to make the internet a safer place for users world-wide. We congratulate everybody involved with this tremendous result, and particularly want to praise the effort made to minimize the impact of this takedown on the infected end users and the support services of their ISPs. This shows again that optimal results can best be achieved with public, private, and international cooperation. Cooperation of this nature is especially needed in complex cases like this one.

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2024 The Spamhaus Project SLU. All rights reserved.