According to an FBI agent who participated in the operation, the scheme had a level of complexity that the Bureau had not encountered before. The seven suspects remotely used entities in the U.S. and around the world to carry out the scheme. Among the entities used was an Estonia-based software company, Rove Digital, after which the group was named.
The malware used by the Rove group belongs to the class of DNS changers. When users of infected computers clicked a legitimate link, such as the one for iTunes, they were redirected to rogue web sites that claimed to be selling Apple products. The malware was also used to replace legitimate advertisements on sites such as Amazon.com with fraudulent ones. This advertising scheme earned the thieves approximately $14 million. The Netflix and IRS web sites were similarly affected.
Once installed, the malware prevented the installation of anti-virus programs that could remove it, leaving the infected machines vulnerable to numerous other virus attacks.
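Because a DNS changer works by silently rewriting a host's resolver settings, the simplest defensive check is to compare the configured resolvers against the set a host is expected to use. The following script is an added example, not code from the article or from any of the organisations it names; the "expected" resolver addresses and the sample configuration files are constructed for illustration, and the 203.0.113.10 address is a documentation (TEST-NET-3) placeholder standing in for an unexpected resolver.

```python
import ipaddress

# Constructed allowlist: the resolvers an organisation expects its hosts to use
# (hypothetical private addresses, not taken from the article).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text.

    Comments (after '#') are ignored and malformed addresses are skipped,
    so the check still runs on a partially corrupted file.
    """
    resolvers = []
    for raw_line in resolv_conf_text.splitlines():
        line = raw_line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                resolvers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                # Not a valid IP literal; ignore rather than crash.
                continue
    return resolvers


def unexpected_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Return (as strings, in file order) every resolver not in the allowlist.

    An empty list means the host resolves through expected servers only;
    anything else is worth an alert, since DNS changers redirect traffic
    precisely by pointing the host at a resolver the owner did not choose.
    """
    return [str(r) for r in parse_resolvers(resolv_conf_text) if r not in expected]


# Constructed sample: a host whose resolver settings are untouched.
SAMPLE_CLEAN = """\
# constructed resolv.conf
nameserver 10.0.0.53
nameserver 10.0.1.53
"""

# Constructed sample: the first resolver has been rewritten to an address
# outside the allowlist (203.0.113.10 is a documentation placeholder).
SAMPLE_CHANGED = """\
# constructed resolv.conf after tampering
nameserver 203.0.113.10   # not one of ours
nameserver 10.0.1.53
"""

if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("changed", SAMPLE_CHANGED)):
        print(f"{label}: unexpected resolvers = {unexpected_resolvers(text)}")
```

Run on the two constructed samples, the clean file yields no findings and the tampered file reports `203.0.113.10`. On a real fleet the allowlist would be fed from the organisation's own resolver inventory, and the same comparison applies to whatever configuration source a platform uses (Windows stores the equivalent per-interface setting in the registry rather than in resolv.conf).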
Throughout Operation Ghost Click, the FBI collaborated with NASA's Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, Georgia Tech University, Internet Systems Consortium, Mandiant, the National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, the University of Alabama at Birmingham and an ad hoc group known as the DNS Changer Working Group (DCWG).
The U.S. will seek extradition of the six arrested Estonian nationals.