Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

The Internet Goes Dark on March 8…And, Not a Mayan in Sight. Just Six Estonians and a Russian

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

Another 2012 prediction of doom. Okay, more like gloom than doom. That’s because things are scheduled to go dark for thousands of Internet users on March 8. The reasons are real. The hyperbole about the event is like a hamburger that’s been left on the grill too long – overdone.

Okay, here’s the real story without the hype. Last November, working with other police agencies, the FBI shut down an Estonian Web traffic hijacking operation (Six Estonians, one Russian). The hackers, who went by the name of the Rove Group, used DNSChanger malware that worked by replacing DNS (Domain Name Services) servers defined on victims’ computers with servers operated by the hackers.

Using these computers, the gang stole $14 million in four years with a PPC (pay per click) ad scheme based on redirecting traffic and replacing genuine ads with their own.

Here’s how the scam worked. The Rove Group made PPC deals with Internet advertisers. They would be paid for generating traffic to the advertisers’ websites or online ads – a legitimate business. But, the Rove Group added a crooked wrinkle. They infected four million computers with malware that redirected those computers to target sites or online ads, thereby pumping up click results and bringing in lots of money.

As well as redirecting traffic, DNSChanger prevents infected computers from installing anti-virus software or operating system updates.

Worldwide, some four-million computers were infected including 500,000 in the United States at U.S. government agencies (e.g., NASA), educational institutions, non-profits and Fortune 500 companies as well as private individuals.

It turns out that “taking down the crime ring” may have been an easier task than taking down the rogue servers. The FBI explains, “One consequence of disabling the rogue DNS network is that victims who rely on the rogue DNS network for DNS service could lose access to DNS services. To address this, the FBI has worked with private sector technical experts to develop a plan for a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims. The FBI has also provided information to ISPs that can be used to redirect their users from the rogue DNS servers to the ISPs’ own legitimate servers. The FBI will support the operation of the clean DNS servers for four months [till March 8, 2012], allowing time for users, businesses, and other entities to identify and fix infected computers.”

ITPro reports half of all Fortune 500 companies remain infected and several major government agencies still have at least one infected machine. And, according to, “Computers still infected with DNSChanger are up against a countdown clock [and] may no longer be able to browse the Web.”

If worse comes to worse on March 8 and the Internet goes dark, the tried and true solution is, of course, reinstalling the operating system. It’s not fun, but it’s not “the end of the world.”

By ThreatMetrix Posted