FBI busts clickjacking ring, but could the crime have been prevented?
- By Kevin McCaney
- Nov 10, 2011
The massive clickjacking ring the Justice Department busted this week was the kind of criminal operation that Internet overseers and the government have been aiming to prevent by increasing security in the Internet’s Domain Name System.
But although the protocol that would authenticate DNS queries has made its way to significant parts of the Internet, the full deployment that would make it truly effective is still a ways off.
Justice on Nov. 9 arrested six people in Estonia and issued an indictment for a seventh in Russia on charges of running a clickjacking ring that infected 4 million computers in 100 countries and netted the defendants $14 million since it started operating in 2007, the FBI said.
Government's 'orphan websites' could be stalling .gov security
Internet security hits major milestone, as .com signs on
About 500,000 computers in the United States were infected, including some at government agencies such as NASA.
The alleged crime ring, operating under the company name Rove Digital and based in Estonia, made its money by using malware called DNSChanger to redirect searches for such sites as Netflix, Apple iTunes, the IRS or the Wall Street Journal to sites that paid the defendants for the traffic.
For example, the FBI said, someone clicking on a link to the iTunes store would be redirected to a sham site that purported to sell Apple software.
The DNSChanger malware changed DNS settings, routing traffic to rogue DNS servers the thieves had set up in Chicago and New York, which redirected users to malicious or unintended websites, the FBI said.
The ring was broken up after a two-year investigation, dubbed Operation Ghost Click, by the FBI along with NASA’s Office of Inspector General, the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, and a number of academic and private-sector contributors, the FBI said.
If you think your computer may have been compromised, the FBI offers detailed instructions on how you can check here, or you can ask the FBI to check it here.
The Domain Name System, which underpins Internet activity, translates website names such as gcn.com and e-mail addresses to numerical IP addresses so computers can communicate with one another. Concern about its security arose in 2008 after security researcher Dan Kaminsky discovered a vulnerability that would allow for cache poisoning and for Web requests to be misdirected.
Kaminsky helped engineer a patch, but it was only a temporary fix, and the drumbeat began for widespread deployment of DNS Security Extensions, a protocol that allows DNS queries and answers to be digitally signed and authenticated, guaranteeing the origin of DNS data, data integrity, and authenticated denial of existence for an address that cannot be found.
When fully deployed, DNSSEC would help prevent such malicious tactics as such as pharming, cache poisoning and DNS redirection.
DNSSEC has made steady, if slow, progress, being deployed on the root zones of top-level domains such as .com, .gov and .net as well as on the Internet’s authoritative root zone. But for it to work properly, it has to be deployed throughout the Internet’s domains, and that’s where it has run into hurdles.
The federal government, for instance, has pushed for DNSSEC deployment, with the Office of Management and Budget setting a deadline of December 2009 for deployment on all federal systems. But in July 2011, the General Services Administration said agencies had been stuck as 50 percent deployment for a year.
Among the problems agencies face are “orphan websites” that are outdated or have been abandoned, GSA’s .gov program manager said then, adding that a White House plan to consolidate websites and eliminate duplicative sites could help.
Kevin McCaney is a former editor of Defense Systems and GCN.