U.S. Attorney Preet Bharara called it a “massive and sophisticated scheme.”

The fraud was perpetrated by seven individuals, all of whom the U.S. is trying to get extradited. Six of the seven are Estonian nationals and have been taken into custody. The seventh is a Russian national and he remains at large.

Here’s how the scheme worked:

Malware installed to millions of computers allowed the perpetrators to manipulate online searches in order to redirect clicks to certain sites and ads. They used these falsely-acquired clicks to generate ad revenue.

Some examples of this included links to Apple’s iTunes, Netflix, and even the IRS being redirected to unrelated sites.

The malware also interfered with the computers’ anti-virus software, making the intrusion even harder to identify.

As alleged in the Indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites.

Thus, the more traffic to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. As alleged in the Indictment, the defendants fraudulently increased the traffic to the websites and advertisements that would earn them money. They accomplished this by making it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.

It’s shocking to see that the scheme apparently went on for more than 4 years.

The schemers also operated ad-replacement fraud, replacing certain ads on websites with their own. For instance, the infected computers that visited the Wall Street Journal site saw ads for “Fashion Girl LA” as opposed to what should have been there – an ad for the American Express “Plum Card.”

More than 500,000 of the computers that were hit came from the U.S. And we’re not just talking about personal systems – but systems from within U.S. government agencies like NASA as well as colleges & universities and non-profits.

The suspects face 27 charges, including wire fraud and computer intrusion.

The FBI wants to hear from you if you think your computer might have been involved in this scheme. They say standard, up-to-date antivirus software should be able to detect the malware.

"It is disconcerting to see what in concept is a very informed audience knowingly rolling the dice when it comes to staying secure on line – it is an important indicator of the practices of general consumers," said Siobhan MacDermott, head of global communications and investor relations with AVG. "If the informed press is exposed, then even more so is the home user that is not as savvy at detecting or protecting against the latest scam."

"The value of the research is not that it exposes journalists, but rather it gives us great insight to how our more knowledgeable users are, or are not, protecting themselves," said MacDermott. "This tells the security community that we have a great deal of work to do as users are not doing many of the basics."

Here are some highlights from the poll:

- More than half don’t change their passwords, or rely on their company to do it for them, even though 13 percent have experienced critical data loss or system failure due to malware to their systems.

- 80 percent of media staff rarely or never inform their network administrator of online security concerns they encounter.

- 36 percent use Wi-Fi networks most of the time, potentially endangering them to security risks associated with public networks

- 90 percent of them use some sort of social networking site, with LinkedIn (75 percent) the most popular site followed by Facebook (70 percent) and Twitter (51 percent).

-  20 percent access social networking sites both from their mobile phone and their computer

"Clearly, we’ve got to do a better job as a security community in shifting the mentality of our users from one that is dependent on the system to keep them safe to one that takes personal accountability and understands their role in the security continuum," said MacDermott. "Users have to understand they are a vital piece of [the] equation and that they have a great deal of ownership in shoring up their cyberspaces."

According to AVG, over 40,000 new viruses and malware arrive in virus labs around the world every day. Many of these are documented in the media. 

What to Look For

Like most viruses, this one relies on deceit, and tries to get users to download it using a non-existent video as bait. David Sarno at the LA Times explains:

The virus’ most insidious property is that users receive the offending message from a friend: On Facebook, only people whom users have explicitly approved as friends can send them e-mails.

The Koobface e-mails have a subject like "You look so amazing funny on our new video," and contain a link to a YouTube-like video site that appears to contain a movie clip (see image).  The video, however, doesn’t play, and the website then asks the user to update his or her video software by downloading a file. It’s that file that contains the malicious code.

McAfee provides more information about Koobface and shows a screenshot of a possible page that users could land on to get to it:

What it Does

"As part of their malicious payload, the worms transform victim machines into zombie computers to form botnets," said security firm Kaspersky Lab when it reported on two variants of Koobface back in July. One variant targeted Facebook, while the other targeted MySpace.

Facebook’s security page says, "We’re currently helping our users with the recently discovered "Koobface" worm and phishing sites. If your account has recently been used to send spam, please visit one of the online antivirus scanners from the Helpful Links list, and reset your password here." The links list is as follows:

The worm must be affecting a lot of people now to make its way though the news so much all of a sudden. It’s been around for months, yet we haven’t heard much about it until now. Facebook users who have accounts that have been in jeopardy have been receiving emails about how to proceed.

The ad, which according to the screenshot at security company Sophos blog achieved top placement for the keyword phrase “Obama win,” clicked out to a “rogue” site and a download prompt for an installer that is “100% checked by Antivirus.”

Despite that vague reassurance, downloading launches a PDF file to exploit an Acrobat Reader flaw and deliver a virus labeled Mal/PDFEx-B.

Hopefully nobody was click-happy enough to click that “Download now” button, especially since neither the paid ad nor the site it led to actually ever said what the user would be downloading. All the AdWords ad said was “Download Now” and Instant Download Download Now and Save Time.”

The text lets the reader assume what it would be related to “Obama win,” and imagine how much time they’ll save downloading whatever it is.  

Sophos says the ad has been removed since that sighting.
 

Consumers also report significant worry that their privacy might be invaded by programs that track and record which Internet sites they visit.

The majority (74%) of those surveyed said they were "very concerned," about identity theft, compared to 68 percent who indicated great worry about identity theft in a similar ACI survey from 2006.

The number who said they were very concerned about viruses increased from 61 percent in 2006 to 70 percent and concern about spam rose from 51 percent to 56 percent from two years ago.

The survey of 648 households with Internet included three new questions compared to the survey conducted in 2006. The new questions revealed that privacy is a greater concern than spam, with 61 percent of those polled reporting "great concern" that their privacy is at risk because of online tracking programs.

One half of those surveyed reported significant concerns about unwanted online advertisements, and 45 percent said they were very worried about spyware.

"The survey shows that consumers draw a distinction between threats that can cause serious problems and those that come under the heading of annoyances," ACI president Steve Pociask says. 

"Identity theft and computer viruses can be extremely disruptive and it’s not surprising that they top consumer concerns.  However, consumer concerns about privacy, online safety and the handing of personal information suggest that some online providers are not doing enough to tell consumers what information is being collected, how long it will be kept and how will it be used, or, for that matter, whether consumers can opt out of its collection altogether."  
 
 

Researchers at security software maker Exploit Prevention Labs have uncovered evidence that malware distributors are using Google AdWords to infect computers.

Exploit’s CTO, Roger Thompson said his team discovered many AdWords ads posing as legitimate ads, but then redirecting to more sinister content. He blames Google’s model of taking money first and asking questions later.

“Google says they are doing the best that they can, but their business model is to take as much money as they can for advertisements. No matter how much due diligence they do, it’s a difficult position to be in, but clearly they are not doing enough,” Thompson said.

“If they don’t do a better job of vetting their customers, we will see this sort of thing happening again and again.”

Google’s response?

Google said it had canceled the affected advertisements after it was informed of the situation. “We actively work to detect and remove sites that serve malware to our users both in our ad network and in our search results,” the company said.

Before we all freak out, and vow never to click an ad again, just remember that these are mostly isolated incidents and hyped a little by a company that sells virus protection software for a living.

Comments

Fortinet described how a phishing site called Pharmacy Express has a couple of illicit connections to Google. First, their spam includes a link that appears to go to Blogspot, which is Google’s domain for blogs hosted on the blogger service.

They also noted another trick used by the criminals behind Pharmacy Express:

The site is able to bypass a few automated malicious Web analysis tools by inserting “Google.com” as a keyword in its HTML search code. It also downloads a 1×1 pixel image to track the browser information, such as, IP address, browser type and version, etc. While the Pharmacy Express site is hosted in China, the 1×1 pixel image is hosted on a site registered in the United States.

Also, Fortinet found an actual Blogger site loaded with malicious code. The site, created to look like a Honda CR450 enthusiast page, delivers a Trojan to visitors. Fortinet also discovered topics like Star Wars and girlfriends linked to other Blogger sites hosting malicious code.

Scripts for a mass mailing variant of the Stration worm have been found to be responsible for churning out emails that send people to these hostile sites. Deleting suspicious messages will help reduce one’s chance of ending up with an infected system.

Don’t Buy Replica Watches From Spammers: The guy with the overcoat loaded with ‘discounted’ Rolexes, Hermes, Cartier, and other luxury brand watches has moved his scams to the web; the destination of his overcoat is unknown and probably best left unexplored.

Kelly Conley at Symantec described how replica watch spam has been hitting inboxes in very high volumes. Conley noted how a hijack attempt used by the spammer accompanies these junk messages:

The body is often a legitimate-looking message such as a newsletter, which (at the end or beginning) contains a URL to a Web site selling replica watches. The headers look like spam with the "from" and/or "subject" lines consisting of spam content. This should be a flag that lets the end user know that the message contained within is spam.

In a complete coincidence, I received one of these spams just after submitting this article. People can do themselves a favor by not giving these spammers the time of day.

“This continued rise in spam levels is threatening the viability of e-mail for businesses that are not properly protected, and is sapping the productivity of hundreds of millions of workers around the world,” said Daniel Druker of Postini. “Just fifteen minutes per day dealing with the increased volume of spam can cost companies $3,200 per employee per year, which adds up to tens of billions of dollars of lost productivity around the world.”

Most of the increased volume of spam in 2007 will come from bot-nets. These are networks of personal computers that spammers use to flood the Internet with spam and viruses. Bot-nets enable spammers to send an unlimited amount of spam for free by using millions of infected personal computers and network connections to send the unwanted messages.

Postini predicts there will be an increase in spam in 2007. Because of globalization more personal computers with high-speed Internet connections could be prime targets for spammers.

In December hackers released a large social-engineering based email virus known as the Happy New Year worm. The massive attack increased the daily volume of email viruses on the Internet by a factor of twenty on New Year’s weekend.

The top five viruses for December according to Postni were nuwar, netsky, stration.gen, downloader and mytob.

Add to Del.icio.us | Digg | Reddit | Furl

Mike is a staff writer for WebProNews. Visit WebProNews for the latest ebusiness news.

Melanie R. Rieback, Patrick N. D. Simpson, Bruno Crispo, and Andrew S. Tanenbaum have published a paper called “RFID Viruses and Worms.” In it, they reveal some disturbing information. “Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong.

“In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags.” The paper goes over three possible scenarios in which this could be exploited in a harmful fashion.

It also details how to create such worms and viruses. This isn’t quite as bad as it sounds, the group explains. “When talking to people in charge of RFID systems, they often dismiss security concerns as academic, unrealistic, and unworthy of spending any money on countering, as these threats are merely theoretical.’ By making code for RFID malware‘ publicly available, we hope to convince them that the problem is serious and had better be dealt with, and fast.”

Let’s hope this full disclosure works to the public’s advantage.

Add to | DiggThis | Yahoo! My Web

Technorati:

Doug is a staff writer for WebProNews. Visit WebProNews for the latest eBusiness news.

I could safely browse the internet without worrying about what might pop-up, or what the next site I visit may do to my computer.

Today, viruses and spyware have made many internet users skeptical of websites that add something to their computer. While it’s important to be aware of these additions, user fears can make tracking site customer behavior much more difficult. Webmasters want to track as much information about their customers’ habits as possible without invading privacy. This can be done with the use of HTTP cookies.

To date, setting user cookies is the most search engine friendly method for tracking user behavior without treading all over privacy. Cookies are neither a virus or spyware; they are simple pieces of data that are harmless to a user’s computer system. However, public fears of computer viruses and spyware has led to misconceptions about cookies. As with anything, a little education can go a long way.

Most internet users today still don’t realize the importance of using antivirus software or that it needs to be updated. In a past job, I spent at least 75% of my time removing spyware from my customers’ computers. It started with annoying pop-up ads seemingly out of nowhere. Then it kept their computer from booting, made it run slow, or blocked them altogether from getting on the Internet. When they forked out cash to have their system cleaned up, they always acknowledged the fact that they should have had antivirus software installed.

Here’s where the self-education comes in handy. Microsoft provides ongoing info about Windows security updates and PC Magazine offers comprehensive antivirus software reviews. So before you start deleting everything in your Temporary Internet Files folder, find a source you can trust for information about protecting yourself online.

I don’t know of any, but maybe a listing of web sites known for producing spyware would also be helpful. Of course a third party would need to verify before a site was added to the list. But this could help remove the offending sites from search engine indexes, in effect making the sites harder to find.

Oneupweb is the only two-time winner of the ClickZ award for “Best Search Engine Engine Marketing Firm”. StraightUpSearchs blog authors include experts from Oneupwebs natural SEO, pay-per-click campaign management, research, marketing, design, and sales departments.