Estonian man gets over 7 years in prison for role in global DNS hijacking botnet

Vladimir Tsastsin was one of seven individuals behind a $14 million click fraud operation that used the DNSChanger botnet

An Estonian man has been sentenced to seven years and three months in prison in the U.S. for his role in a cybercriminal operation that infected over 4 million computers with DNS hijacking malware.

Vladimir Tsastsin, 35, from Tartu, Estonia, was one of the key players in a US$14 million click fraud scheme. He is the sixth individual to be sentenced in the case and has received the longest prison sentence. The sentence was handed down Tuesday in U.S. District Court for the Southern District of New York.

According to the Department of Justice, between 2007 and 2011, Tsastsin and his co-conspirators set up companies that masqueraded as publisher networks and entered into agreements with advertising brokers to display ads on their properties.

In order to earn more money, the group artificially increased the number of user clicks and views for the ads they displayed by installing a malware program called DNS Changer on unsuspecting users' computers.

It's estimated that DNSChanger infected over 4 million computers worldwide, including 500,000 in the U.S., before its operation was shut down by the FBI.

As its name implies, the DNSChanger malware altered the computer's DNS (Domain Name System) settings, forcing them to use DNS resolvers run by the attackers.

The DNS is the Internet's phonebook, translating domain names into numerical Internet Protocol (IP) addresses that computers use to communicate. By controlling the DNS servers used by infected computers, the attackers could point users to other websites when they wanted to reach specific domain names. This capability was used to perform click fraud.

Tsastsin and his co-conspirators used DNSChanger to redirect users who clicked on links in search results to websites that they didn't intend to visit. They also replaced the advertisements that users should have normally seen on various websites with ads for which they were being paid.

While DNS hijacking was used for click fraud in this case, the technique is very powerful and can be used for more serious attacks against users, such as phishing.

For example, when asked for an online banking website's IP address, a rogue DNS server could respond with the address of a Web server hosting a rogue copy of the website. Despite this, the domain name showing up in the user's browser would be the correct one, making it hard to tell that a phishing attack was in progress.

This kind of attack happened in 2014 in Poland, but instead of using malware to change the DNS settings of individual computers, the attackers compromised home and small business routers and changed the DNS settings for entire networks.

Most computers and mobile devices are configured to automatically obtain their Internet connection settings from the router serving the network they're connected to. This makes routers an attractive target for DNS hijacking attacks.

Over the past several years security researchers have observed many large-scale attacks designed to change the DNS settings on routers, either by exploiting vulnerabilities in their firmware or by hijacking users' browsers when they visited compromised websites.

Router owners should periodically check their device manufacturer's website for firmware updates and install them, especially if they contain security fixes. They should also change the default administrator password on their routers and make sure to always log out from the router's management interfaces after accessing it through a browser.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?