Trend Cloud Security Blog – Cloud Computing Experts

Operation Ghostclick: Cracking down on Cyber Criminals

Rove Digital was a company formed by a criminal organization in Estonia with two business models: one to portray itself as a legitimate business on the surface, but the second and main purpose was to profit from cyber-criminal activities, which they were extremely successful at and did for many years. At GovSec West this week, I will be presenting a detailed view into the timeline and activities which Rove Digital used over a period of 8 years before law enforcement was able to shut them down.

Operation Ghostclick was formed by the FBI, Estonia Police, the Office of Inspector General and a number of key private security firms, including Trend Micro, to investigate and arrest the individuals who formed Rove Digital. The presentation will also take a look at how a successful partnership between law enforcement and private security firms can help bring cybercriminals to justice. Too often, we hear that it just isn’t possible to capture cybercriminals due to restrictions on where they live or that law enforcement doesn’t have enough resources to effectively take on the multitude of cases. By partnering with private security vendors, this constraint can be overcome and more cybercriminals could be apprehended.

The whole story of Rove Digital has been well documented by Trend Micro, whose researcher started investigating them back in 2002. The researcher was able to bring enough data to law enforcement by 2008 that the FBI and local authorities started their own investigation into this criminal organization.

On the surface, Rove looked good and in fact was ranked the #3 top IT firm in Estonia in 2008 due to their clever way of disguising where their income came from. They developed one of the largest botnets in history and were able to utilize these infected clients into generating tens of millions of dollars over the years using many different techniques, such as ad replacements, FakeAV, and renting out their bot to other cybercriminals. With this very large botnet, they sold ad spaces to organizations who thought they were selling legitimate ad placements, but in reality they were re-directing their bots using DNS Changers to drive users to their ad placements which were replacing legitimate ads by other companies. This cyber ad fraud allowed Rove to achieve extremely high click through rates and bilk millions out of organizations who purchased ads from them, and also from the organizations who paid for ad clicks. This practice alone allowed them to profit by millions of dollars every year but also allowed them to appear to be a legitimate business to others.

My talk at GovSec West will also focus on the infrastructure of their criminal network, in which they used three separate hosting companies in the US and Estonia to ensure their botnet was able to stay alive and thrive. This was seen in 2007, when one of these hosting companies was shut down by law enforcement, but because Rove had others available their network only had a minor slowdown until servers in the other hosting companies were brought online. Another characteristic that allowed Rove Digital to stay in business for so long was the fact that they were not out for the quick buck, but would wait several months if one aspect of their operation was brought down – as was the case when their Google ads were taken offline. By being patient and waiting a long enough period before resuming they were able to stay under the radar for longer periods of time.  This patience is not typical of most criminals who want to profit immediately and, as such, Rove Digital was able to successfully stay in business for many years.

But, all things must come to an end.  In this case, with enough data and persistence, our threat researchers requested meetings with law enforcement at the 2009 Digital Crimes Consortium meeting in Redmond, WA, and formal law enforcement investigation was launched in October 2009. Over the next two years the FBI, Office of Inspector General, and the Estonia Police were able to build enough evidence to arrest 6 of 7 members of Rove Digital in November of 2011. During these 2 years of investigation a number of private organizations were brought in to help out and this collaboration definitely helped law enforcement in building their case against Rove Digital.

This was truly a great effort by both law enforcement and private security vendors since Rove Digital was able to mask their true illegal activities over the years, but with hard work and due diligence the private/public collaboration was ultimately able to score a win for the good guys. I hope you can join me during my presentation, “Unprecedented Cybercriminal Takedown: The Story of Operation Ghost Click” at the upcoming GovSec West event in Dallas, TX, on October 9th.

Share/Bookmark