In November 2011 the Federal Bureau of Investigation (FBI), with the help of the Trend Micro Forward-looking Threat Researchers, conducted what was, at the time, the largest takedown in the history of online crime.
In the operation, known to the FBI as “Operation Ghost Click,” more than a hundred servers belonging to the Esthost/Rove Digital group were taken offline. The group’s data centers in New York and Chicago were raided, and more than 4 million victims were given over half a year to change over to non-malicious DNS servers.
Almost four years after the takedown, the leader of this particular cybercrime group, Vladimir Tsastsin, has pleaded guilty to various charges before a US federal magistrate. He now faces up to six years in a US federal penitentiary.
At its heart, the Esthost/Rove Digital scheme was a relatively simple one: plant DNS changer malware on user systems so that the victim’s configured DNS resolvers were replaced with servers the group controlled, and then answer queries for popular domains with addresses of the group’s own servers. Because every lookup from an infected machine passed through the rogue resolvers, the attackers could silently redirect traffic aimed at those domains and carry out hard-to-detect but profitable attacks like hijacking search results and replacing website advertising. In addition, fake antivirus malware was an important source of revenue for the organization.
The attackers favored these methods because they were relatively difficult to detect and could be sustained for a long time. Trend Micro had been aware of the group’s activities as early as 2006 and had been tracking them since then.
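The practical check that followed from this scheme was simple: look at which resolvers a host is actually configured to use and compare them against the address ranges the rogue servers lived in. The script below is an added example written for this article, not code from Trend Micro or the original post. It parses resolv.conf-style `nameserver` lines (the sample input is constructed) and flags any resolver that falls inside a list of rogue ranges. The ranges in `DNSCHANGER_ROGUE_RANGES` are the ones the FBI published in its public DNSChanger advisory at the time of the takedown, not figures taken from this page; verify them against that advisory before relying on them, and substitute your own block list for any other DNS-hijacking campaign.

```python
import ipaddress
import re

# Rogue resolver ranges published by the FBI in its DNSChanger advisory
# (assumption: copied from that public advisory, not from this article;
# verify against the advisory before relying on them).
DNSCHANGER_ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Constructed sample resolver configuration, not a real capture.
SAMPLE_RESOLV_CONF = """\
# constructed sample for illustration
nameserver 85.255.113.9
nameserver 192.168.1.1
nameserver not-an-address
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def ranges_to_networks(ranges):
    """Turn (first, last) address pairs into a flat list of CIDR networks."""
    networks = []
    for first, last in ranges:
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return networks


def parse_resolvers(resolv_conf_text):
    """Extract resolver addresses from resolv.conf-style text.

    Lines whose argument is not a valid IP address are skipped rather than
    raising, so a malformed entry cannot hide the rogue ones beside it.
    """
    resolvers = []
    for match in NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            resolvers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return resolvers


def find_rogue_resolvers(resolv_conf_text, rogue_ranges=DNSCHANGER_ROGUE_RANGES):
    """Return the configured resolvers (as strings) that fall inside a rogue range."""
    networks = ranges_to_networks(rogue_ranges)
    return [str(ip) for ip in parse_resolvers(resolv_conf_text)
            if any(ip in net for net in networks)]


if __name__ == "__main__":
    flagged = find_rogue_resolvers(SAMPLE_RESOLV_CONF)
    if flagged:
        print("rogue resolvers configured:", ", ".join(flagged))
    else:
        print("no known-rogue resolvers configured")
```

On a live Linux host you would feed the contents of `/etc/resolv.conf` to `find_rogue_resolvers`; the same logic applies to the resolver list from `ipconfig /all` on Windows once the addresses are extracted. Note the limitation: if the rogue resolver is handed out by DHCP from a router rather than set on the host, the host will show only the router’s LAN address, so a clean result here does not by itself prove the resolution path is clean.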
In 2009, law enforcement agencies in Estonia and the United States began working with other organizations to help bring the activities of Esthost/Rove Digital to a halt; Trend Micro was the only antivirus company that joined this joint effort.
Our research paper The Rove Digital Takedown summarizes our knowledge of this group in a single document.
Our research on the takedown was an essential part of the case against Esthost/Rove Digital, and was indispensable to putting Tsastsin in jail.
Tsastsin, before his arrest
Six leaders of the scheme were arrested at the time of the takedown, including its mastermind, Vladimir Tsastsin. It was not until late 2014 that he was extradited to the United States and formally charged. With his guilty plea, the case now moves on to sentencing, which is set to be handed down in October.
Time and the courts have caught up to Tsastsin. This highlights how Trend Micro is committed to working with law enforcement agencies from across the world to help stamp out cybercrime and make the world safer for users.
Our Forward-looking Threat Researchers, including Feike Hacquebord, who was a key part of this investigation, have worked side by side with law enforcement agencies across the world to help root out various cybercrime organizations.