When law enforcement authorities this week took down an international ring of Internet grifters who allegedly scammed more than $14 million from their victims, a key element of the crackdown was a spam database maintained by the University of Alabama at Birmingham.
Created in 2006, the UAB Spam Data Mine churns through a million spam messages every day and now contains some 550 million junk e-mail messages in its database that can be used by law enforcement agencies to analyze activities such as spear phishing, advertising fraud, and identity spoofing.
In this week’s bust, called Operation Ghost Click, U.S. law enforcement authorities used the Data Mine to gather information about the e-mails that carried the malware the online con artists used to perpetrate their scam. “The information we received from UAB’s software was invaluable to our efforts in the apprehension of these international suspects,” FBI Supervisory Special Agent Thomas Grasso Jr. said, as quoted on a UAB news site.
What makes the Data Mine so valuable to law enforcement agencies is the speed at which they can get answers to pressing questions about their investigations. “Our team can help law enforcement quickly track down and successfully prosecute cybercriminals anywhere in the world because we can identify related spam almost instantaneously,” says Gary Warner, UAB’s director of Research in Computer Forensics.
Since its inception, the Data Mine’s designers have continually worked on improving the software’s performance so that it can respond rapidly to emerging, as well as enduring, threats to commerce and safety, wherever in the world they originate. “Our team has taken the lead in helping law enforcement eradicate cybercrime by making it near impossible for online criminals to hide,” according to Anthony Skjellum, UAB Computer and Information Sciences chair and founding director of the Data Mine.
Malware Spread the Scam
Operation Ghost Click resulted in the indictment of seven men, six Estonians and a Russian, charged with running a click-fraud and phony-advertising scam that netted them $14 million from 2007 to 2011. The Estonians were arrested in Estonia, which will be asked to extradite the six to the United States. The Russian suspect is still at large.
The scheme perpetrated by the scammers was fueled by infecting four million computers in more than 100 countries. Half a million of the infections were in the United States, many of them in government agencies, including NASA.
Through malware planted on computers in a number of ways, the ring was able to redirect Internet traffic to websites of its choosing and to tamper with search-engine results, which let it collect commissions from click fraud and from serving bogus ads on legitimate websites. The redirection worked because the malware pointed infected machines at DNS servers the ring operated, so the criminals, not the victim’s ISP, decided which address any domain name resolved to.
For example, if your computer was infected, when you clicked on a link for Apple’s iTunes store, you’d be taken to a website unaffiliated with Apple that purported to sell Apple software, or if you clicked on a link to Netflix, you’d be taken to a website for an unrelated business called “BudgetMatch.”
Less obtrusive to you, but equally lucrative to the scammers, was their ad-substitution scheme. If your computer was infected, a featured advertisement for the American Express “Plum Card” on the home page of the Wall Street Journal might be replaced with an ad for “Fashion Girl LA,” or an ad for Windows Internet Explorer 8 on Amazon.com might be replaced with an ad for an e-mail marketing business.
“These defendants gave new meaning to the term, ‘false advertising,'” Manhattan U.S. Attorney Preet Bharara said in a statement.
“The international cyber threat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the Internet iceberg,” he added.
In conjunction with the arrests in Operation Ghost Click, all the assets of the alleged scammers have been frozen and their network’s DNS servers taken offline. Because simply switching off those servers would have cut off name resolution, and therefore Internet access, for every still-infected machine, a legitimate DNS provider will answer queries at those addresses for 120 days. That stopgap keeps infected machines online; it does not clean them, and any machine still pointing at the rogue addresses when the replacement servers are retired will lose DNS entirely. The FBI advises anyone who believes their computer is infected to check its website for information on identifying and dealing with the infection.
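The quickest way to tell whether a machine is caught up in this is to look at which resolvers it is configured to use. The script below is an added example written for this article, not code from UAB, the FBI or the investigation: it pulls resolver addresses out of a Linux `/etc/resolv.conf` or a Windows `ipconfig /all` dump and flags any that fall inside the rogue resolver ranges. The CIDR list is my recollection of the ranges the FBI published for this case and is an assumption of the example; confirm it against the FBI’s own notice before relying on it. The two sample dumps are constructed.

```python
"""Flag DNS resolvers that sit inside the rogue DNSChanger address ranges.

Added example for this article; not code from UAB, the FBI or the case.
"""
import ipaddress
import re
import sys

# ASSUMPTION: rogue resolver ranges as I recall them from the FBI's notice.
# Verify against the notice itself before using this operationally.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolvers_from_text(text):
    """Extract resolver IPv4 literals from resolv.conf or `ipconfig /all` text.

    resolv.conf:  'nameserver 85.255.112.5'
    ipconfig:     '   DNS Servers . . . : 93.188.161.9' followed by
                  continuation lines holding only a second/third address.
    """
    found = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        lower = stripped.lower()
        if lower.startswith("nameserver"):                 # resolv.conf entry
            found.extend(_IPV4.findall(stripped))
            in_dns_block = False
        elif "dns server" in lower:                        # ipconfig /all entry
            found.extend(_IPV4.findall(stripped.split(":", 1)[-1]))
            in_dns_block = True
        elif in_dns_block and _IPV4.fullmatch(stripped):   # ipconfig continuation
            found.append(stripped)
        else:
            in_dns_block = False
    return found


def classify(addresses):
    """Split addresses into (rogue, clean); malformed literals are dropped."""
    rogue, clean = [], []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        (rogue if any(ip in net for net in ROGUE_RANGES) else clean).append(addr)
    return rogue, clean


def check_text(text):
    """Convenience wrapper: resolver dump text -> (rogue, clean)."""
    return classify(resolvers_from_text(text))


# Constructed samples: an infected Linux host and an infected Windows host.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf (constructed sample)
nameserver 85.255.112.5
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
   Connection-specific DNS Suffix  . : example.lan
   DNS Servers . . . . . . . . . . . : 93.188.161.9
                                       213.109.70.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    # Pass a file (resolv.conf or saved `ipconfig /all` output) to check a
    # real host; with no argument the constructed samples are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"sample resolv.conf": SAMPLE_RESOLV_CONF,
                  "sample ipconfig": SAMPLE_IPCONFIG}
    for name, text in inputs.items():
        rogue, clean = check_text(text)
        status = "ROGUE RESOLVER(S) PRESENT" if rogue else "no rogue resolvers"
        print(f"{name}: {status}; rogue={rogue} clean={clean}")
```

A hit here only means the host’s resolver settings point into the ring’s address space; it says nothing about which malware put them there, so the machine still needs a proper cleanup and, if it sits behind a home router, the router’s own DNS settings deserve the same check.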