Even as cybercops from a half-dozen countries analyze computer servers seized last week in a $2.7 million-per-month scam against online advertisers, analysts say they expect the fraudulent network to be up and running again soon.
The case, in which authorities helped Microsoft Corp. disable a 2 million-strong network of infected personal computers, highlights the scale and challenges of a type of fraud that didn’t exist 10 years ago. It also points to the growing role of private-sector “digilantes” in combating online organized criminal gangs with which law enforcement agencies struggle to keep up.
This “botnet,” as a network of infected computers is known, is dubbed “ZeroAccess,” after the particular malicious software package that infects machines to invisibly recruit them, all unbeknownst to their hapless owners.
But, despite the cybercops’ best efforts, ZeroAccess likely will return sooner rather than later.
“Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet,” said Richard Domingues Boscovich, assistant general counsel of the Redmond, Wash.-based software giant’s new Digital Crimes Unit.
The unit worked the case with the FBI and law enforcement agencies from Germany, Latvia, Luxembourg, Switzerland and the Netherlands, coordinated through Europol’s European CyberCrime Center, known as EC3. Microsoft Corp. posted extensive documentation on the case, including technical analyses, video interviews with staff and court documents.
ZeroAccess is just one of thousands of botnets controlled by criminal individuals or gangs, many based in Russia and other former Soviet-bloc nations in Europe and Asia. Its 2 million-plus personal computers, mostly based in the U.S. and Western Europe, were surreptitiously infected over the past four years when their innocent owners visited a malicious website — in most cases probably as a result of clicking on a link in a spam email.
“That’s really, for want of a better word, the beauty of botnets,” Mr. Boscovich said. “They target innocent people with this malicious [computer] code, and many times [the victim] has no idea their computer has been enlisted into a zombie army.”
Botnets can be used to send spam email or conduct denial-of-service attacks to knock targeted websites offline. But the ZeroAccess botnet directed its infected computers to repeatedly visit special websites the crooks had set up, and to click repeatedly on advertisements hosted there.
The fraud is lucrative because advertisers pay “by the click” — meaning for each website visitor who clicks on an advertisement. Although each click nets only a fraction of a cent, the dollars quickly mount up, according to court documents, which allege the gang netted $2.7 million a month.
The fraud is also attractive because it is hard to trace. Much digital advertising is automated, packaged and traded by middlemen, making the eventual destination of revenues difficult to track, according to security experts.
Spending on Web advertising in the U.S. is growing 15 percent this year, to a new $40 billion-plus annual high, according to industry analysts. Mr. Boscovich said that, by some estimates, between 25 percent and 40 percent of that amount was being stolen by click fraud.
“So it’s billions a year,” he said.
ZeroAccess is not the first botnet that Microsoft has confronted. Rather, it is the eighth time the company has deployed a combination of civil and criminal legal action with technical forensics and police action against such a criminal enterprise.
Like the others, the ZeroAccess case resulted in the takedown of a command-and-control structure for the botnet. Police in five European countries served warrants and seized computer servers that hosted 18 Internet addresses that the crooks used to program the botnet, moving the targets of its fraudulent ad-clicking around to hide the crime.
Against past botnet targets, that might have been all that was required to permanently cripple the network. With their command-and-control structure gone, the infected computers had nowhere to look for new instructions, and the shadowy masterminds behind the crime had no way to control their computer-slave army.
But ZeroAccess is different. It uses so-called “peer-to-peer” updating.
Instead of looking to a central point for instructions, each infected machine looks to its fellows, automatically receiving updated software and targeting information, and in turn passing it on to other infected machines so that the whole network gradually updates itself.
• Shaun Waterman can be reached at swaterman@washingtontimes.com.