Welcome to TechStuff, a production of iHeartRadio's How Stuff Works. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer with How Stuff Works and iHeartRadio and I love all things tech, and it is time for another TechStuff
classic episode. This episode originally published in May 2012, and my former co-host and editor Chris Pollette and I sat down to talk about Operation Ghost Click and domain name servers and this issue that was going on at the time, and I think it's pretty fascinating. It also gives you an idea of how DNS works. So I hope you enjoy this classic episode. To get there, you follow Highway 58 going northeast out of the city, and it is a good highway and new all right,
we're talking about numbers today. Yes, we are. We're talking about getting to where you're going and getting diverted along the way. So, as of the recording of this podcast, which is in April, there is a story that's actually not a news story necessarily. It first started to kind of make the news way back in November of, but it's kind of sort of bubbled up. It's an operation that the FBI, the Federal Bureau of Investigation, has headed up, and it all involves hacking into the Internet
and messing around with Internet traffic. It's called Operation Ghost Click. That's a nice name. I always love hearing the operation names. It is a wacky doctors game. So, I think first, before we get into too much detail, we should probably talk about how Internet traffic works. We've mentioned that on the podcast on a handful of occasions.
I think when, in fact, we got into the domain name system, DNS system... sorry, that was redundant. The DNS servers... well, both, because DNS can mean both. Right, right, right.
So yeah, we talked about it before. And basically every website has an address, a physical address, well, a physical address on a hard drive, a physical hard drive somewhere, and these numbers, there are four sets of numbers separated by periods, and that address is unique to that space on that physical hard drive somewhere. And so if you typed in HTTP colon slash slash and this number, you will
get to a website. Of course, that's very inconvenient, because then you either have to write down these numbers or bookmark them, or you have to have some sort of weird Total Recall thing going on where you can just easily remember any series of numbers, which would make you incredibly useful, but it would also make you very rare. Most of us... it's not something humans are particularly good at doing on average. So that is what kind of
gave rise to the idea of having this domain name system. Yes. Now, the domain name system, what it does is it allows you to create a domain name, as in words that correspond to whatever your site is, and then that itself is mapped to this series of numbers, this IP address, right, the IP being Internet Protocol, which is the language that gets you from one place to another on the Internet, regardless of whether you're using a Windows machine, Mac or Linux or mobile thing.
It gets you to the same place. And that's what allows you to type in howstuffworks.com and get to our website. Yes, so if you were to type howstuffworks.com, what happens is that request... you know, what you're essentially doing is you're telling your browser, I want access to this particular website.
Your browser sends this message along up a chain of command, and it has to go out to the right computer that has the website living on it and retrieve that, so that you get an instance of it back at your machine. In order to do that, it has to first map... what one needs to have is the name that you're typing. It has to be mapped to that physical machine, that physical drive. And
it does this by going through domain name servers. A domain name server is essentially... think of it kind of like a phone book. Yeah, so that all the different URLs you could type in are indexed against these numerical addresses. And then that way, once you type in the URL, it looks for the corresponding numeric address, pulls information from that particular source, and then serves it back to you so that you get what you asked for. Well, you
asked for it, you got it, anyway. So, the whole deal here is that you are going to get the right information. Yeah, assuming that everything's working correctly, and occasionally stuff messes up. There might be... the computer that hosts the site might be down, in which case you're going to get something like a 404 error, because the Internet is not going to be able to find the file that you've requested. We're very sorry. The Internet is broken. The elders of the Internet called
and they said, no more Internet for you. But most of the time it's gonna work just fine. However, what happened in the case of Operation Ghost Click is that the FBI discovered there were some people who had created some rogue DNS servers. So, in other words, these folks, six Estonian nationals, according to the FBI, got together and created these servers that acted just as
a domain name server would. So in other words, it had a collection of URLs, an index of URLs and an index of addresses, numeric addresses. So it was like a fake phone book,
right? Exactly. Some of the entries in this fake phone book went to different phone numbers. So instead... literally, yeah, but we're sticking with the analogy. Sticking with that analogy. So instead of the official phone number for a particular website, you would get a fake one, and in other words, you would go to a fake numeric address for a real site. So you might type in the address perfectly in your URL bar. Right. So let's take a random example. Let's
just say Yahoo. So you do www.yahoo.com. You hit enter. Now, normally, a regular DNS server would look up that URL, look to see what the numeric address is for that URL, send that information out, retrieve the website, and serve it up to you. A rogue DNS server would look up that URL, look at the numeric address that was created for that URL, but it isn't actually the address for Yahoo. It's an address for something else,
and it serves that up to you. Now, why would anyone do this? There are a couple of different reasons. Now, in the case of the Estonians, they were doing something I think that was kind of deviously clever. They were doing this in order to reroute traffic to bring in advertising money. So in other words, what they wanted to do was... the way advertising on the Internet works in general is that you get paid for a certain number of views of the ad. It's called impressions.
The number of impressions an ad gets translates to money. And if you get lots and lots and lots of impressions, you get lots of money. Now, in general a single impression is worth a fraction of a cent. Yeah, but if you can say, hey, you know, I can promise you that five million people are going to see your ad, then you can command a good price for your services. Right. So very popular websites tend to charge more than sites
that don't get a lot of traffic. Makes sense. Right. Let's say that you have a billboard next to a busy highway. The price to put an ad out on that billboard is probably gonna be higher than a billboard that's next to a rural road that doesn't get a lot of traffic. So anyway, the same
sort of logic applies on the web. So what these guys were doing... I say guys, what these Estonians were doing, because I don't know their gender... they were using these rogue DNS servers to reroute traffic to go to different websites that had specific ads on them that the Estonians were administering, and then they were pulling in the money. So they were redirecting traffic.
It's like putting a detour in your route. So you're going down your normal route to get to wherever you're going, and you see a sign that says, oh, nope, the road is out up ahead, take a right instead of going straight, and you will go through a different route. And along that route you decide to stop and eat. And normally you would stop and eat at your favorite restaurant, but you can't get to that one because it's on
the road that's been closed. So you go to this other restaurant, and it turns out that the detour was employed by the other restaurant in the first place. They put that detour sign up because they wanted to get some more foot traffic, some more diners to come in. That was the general plan. Now, the question is, how do you get that rogue DNS server to get in the line of traffic so that people
will visit it in the first place? Yeah, because if you're typing in an address that you already know, say discovery.com, you should theoretically be routed to the right place, as long as your computer is configured correctly and the Internet is working the way it's supposed to. I mean, what are they gonna do? Are they gonna go in and kick out the legitimate DNS machine and
replace it? No, it was very clever. They created a kind of malware, and the malware is essentially called DNSChanger, and so DNSChanger would change the DNS settings on your computer or other device or even router, which was particularly nasty, because if it changed on the router, then any device that connects through that router would be affected. Also, it's unlikely that you're going to have antivirus software on your router, although you might on your computer. Now,
the way that they did this with the router was the easiest way, and it's the easiest way for someone to prevent it from happening to them. The way that worked on the router was that they just ended up using a list of generic user names and passwords that tend to be administered over
various routers. So pick a router, whatever router you happen to use; that router tends to have a standard user name and standard password that you are supposed to change once you install it into your home network. But a lot of people never get around to doing that. They install the router and then they don't bother changing the user name and password, which means that anyone who knows what the standard user name and password is for that brand of router could
get access to that network. That's what they were doing in this case. But in order to change the computers themselves, not the router, what they had to do was convince people to download some malware and execute that. Now, social engineering... yeah, lots of different ways of doing that. You know, there's the very standard way where they put on a website that you might encounter a little pop-up that says, hey, your antivirus software
is out of date. Install this and we will scan your computer for viruses for free. Yeah, for free. And in fact it really is a virus itself that installs to your computer. You know, you think you are trying to head off some sort of malware, and in fact you're actually installing malware to your computer at the time. Or it can be through email attachments, you know, all the standard ways that malware propagates across the web. Any of that would work to get this particular kind
of malware onto your machine. Once you installed it, whether it was through a Trojan program or whatever, it would go and reset the DNS settings on your computer, and it would direct your computer to go to these rogue DNS servers as opposed to your Internet service provider's DNS servers, because your ISP has its own, right, that passes the information up along the chain of command. So you
would bypass your ISP's servers. You would go to these rogue servers, and then you would be directed to whatever website they wanted to direct you to for any particular URL. For some URLs, you might just get the regular website; you're sent along and nothing bad happens. For other URLs, you might be directed to a site that looks very similar to the one you wanted, but something isn't quite right. And again, they were just doing it
for the advertising money. The scary thing is they could have done this for any other reason and actually tried to steal stuff directly from the user. Now, in this case, that doesn't seem to be what they were up to. They were up to just redirecting that traffic. So you might think, well, that's annoying. I mean, I'm not going to get to the website I want to go to unless I type in the actual numeric address physically,
then I would go to it. But while it's annoying that I wouldn't go to the site that I wanted to go to, at least they're not stealing from me. But they could have. They could have directed things so that you would go to dummy websites that look similar to official ones and put in a system where you type in your user name and password and they would log it. They could have logged it; they didn't. They could have logged that information, thus getting access to various
accounts across the Internet. They could have gotten access to email accounts, bank accounts, you know, anything that would require authorization. They could have done that. And what would probably have happened is that you would have logged in. Let's say that you try to go to your bank's online banking site, and you might get a site that looks very much like your bank's site.
In fact, it might even look almost identical. The address might look a little hinky, but if you were the type of... you put in your user name and password. Likely you would get a response saying, oh, site's down for maintenance. But what's really happened is that that information has been
logged by hackers. That could have happened, or they could have directed you to a site where you would have been encouraged to download even more malware, perhaps a back door access program so that your computer would become part of a botnet, or any other kind of hacking tool. The options are pretty much unlimited. Now, in this case, again, it was just to redirect traffic. However, there were some other problems that
would happen if you were affected by this virus. You might not have anyone stealing from your bank account or anything. But one of the things the virus does, which is pretty much standard operating procedure for viruses, is it turned off the features on your operating system and your antivirus for updating, so that you wouldn't be able to get the latest security patches that would prevent this program from working.
So the first step, pretty much, of any malware is: let's disable the stuff that can turn this off. So anything that would automatically turn the malware off was disabled. So that's a problem, because it means that even if you aren't being actively preyed upon by these particular hackers, future attacks could hit you much more easily because you are no longer protected, which is pretty bad. That's what
we call a bad thing in Internet security. And there were about four million people around the world in about a hundred countries that were affected by this, and then thousand in the United States. And it wasn't just, you know, citizen users, it was also businesses, government computers. I think there were even a couple of computers over at NASA that were affected by this.
And the good news that we have is that the FBI arrested these six Estonian nationals that were identified as being part of this ring, actually running this ring. Yeah, they were going to try to have them extradited to the United States. Yeah. And they've also taken over the rogue DNS servers they have identified as being part of this, and those rogue DNS servers are now acting like legitimate DNS servers, which is great. That means that as a user, when you try to visit a website, you should get
what you're supposed to get. However, there's a problem, because if you're affected, your computer still is directing you to the wrong set of servers. You're still getting the right result, but you're not going through the regular chain of command that you should go to. And the FBI is not going to be running these servers forever, and in fact, in July,
they're going to turn them off. And once those turn off, if your computer is being directed to those DNS servers, you may not have any more web access, at least not through typing in a normal URL, because your computer is going to try and go through a pathway that doesn't exist anymore. Chris and I have more to say about Operation Ghost Click, but before we get there,
let's take a quick break to thank our sponsor. So, the important thing to do is to determine whether or not your computer has this infection, and if it does have the infection, to clear it up. And the first one is easier than the second one. The FBI actually set up a website designed to help you identify whether or not you have been affected. Yes, you can go to the FBI's website and follow the links to find out about whether or not your computer
has this problem. And there's actually a couple of different ways of doing it. They've set up a URL where what it does is it pings a server, and if it gets a positive result saying that you're fine, you get a screen that has this big green icon on it and says you're good. If you're not fine, you get a big red icon, which is saying that you're
going through one of the rogue DNS servers. They've also identified a range of the IP addresses, so you can check your DNS settings on your computer yourself. If you're using a Windows machine, you go to a run command and you type in ipconfig /all, and that'll pull up your DNS settings, and you can see what the numeric address is for the server that you go to, and if it falls within the range that's been identified by the FBI, you
know that your DNS settings are wrong. Clearing this up and getting rid of the malware is a little tricky. The easiest way I can think of to do it, if I were doing it myself, is going to a computer that I know has not been affected and downloading the latest antivirus software I can find and putting... most of them have an option where you can put a
version of that onto a thumb drive. Do that, then take the thumb drive over to the infected machine, boot it into safe mode, and load up the antivirus software from the thumb drive, and that should be able... depending upon the antivirus software, it should be able to scan it and remove it. The FBI also points to several web assets that can help you if your computer does appear to be one of the ones that's infected, and those may work very well for you.
I tend to go with the antivirus approach whenever I can. I don't know, I just have a preference for that as opposed to going a web-based route. Yeah. Yeah, but it is fairly easy to get rid of the problem in this case. It's not like some of the others where you have to reformat your hard drive to get it back. Yeah. I mean, depending on how tech savvy you are,
it's pretty easy. If you're not terribly tech savvy, it may be worth it to take it to a computer professional to have them scan it and remove it and take care of it for you, because the more you mess with your computer settings, the more you may inadvertently cause some problems that can turn your machine into a nightmare. And sometimes, depending on the malware, like if you've had this on your computer for a while, that might not be the only malware that's affecting you.
You might have other problems, in which case a simple scan and remove may not be enough. In a worst case scenario, you might have to do something like wipe your computer and reinstall the operating system, in which case the first thing you want to do is back up as much of your data as you possibly can, and then you do the wipe. But even that is, I mean, that's like a worst case scenario type of thing, and hopefully none of our listeners
are in that. Well, first of all, hopefully none of our listeners have been affected by this malware, but if they have, hopefully it's not so severe, hoping they don't have other forms of malware that they can't
take care of themselves. Yeah. And of course it's always a good idea to back up your hard drive on a regular basis anyway, just to make sure... always back up your hard drive to make sure that you have a version of your operating system installed on there that you can go back to that you know is not infected, at least hopefully. Yeah.
But that's pretty impressive. I mean, the FBI has really been promoting the fact that they had this success in taking down, or apparent success I should say, in taking down this ring, because this is pretty significant. They took away traffic from legitimate websites in addition to making
money for themselves with the alternate fake websites. And it does expose the fact that most people are, you know, still having to think about what they do, because they may very well be letting somebody in. It could have been a lot worse than
it was. Yeah, exploiting the DNS system, which again, I know, redundant, ATM machine, PIN number... exploiting that was pretty ingenious, you know. Essentially, it just shows that understanding how the Internet works and building this parallel system that exploits the way the Internet works was very clever. Now, of course, it still depended upon user behavior to work, because if no one had downloaded the malware, if no one had installed the malware, nothing
would have happened. You would have had these rogue DNS servers that would be online and would be ready to redirect traffic to wherever they wanted it to go. But if no one downloaded the malware, the traffic would
never have been redirected. So really, the other lesson to take away from this is just practice good Internet security rules of thumb, things like don't open strange attachments in random emails. Make sure you ask people if they've sent you an attachment. Ask them, like, did
you really send this to me? Because sometimes people's email addresses get compromised and they randomly start sending out files to people, often in uncharacteristically worded ways. Like, you might read a message and think, either my friend has taken a terrible fall and decided to email me immediately afterward, or is under the influence of some powerful alcohol, or, you know, it just doesn't make any sense. Like, you read it and you're like, this doesn't sound
like Chris. Chris never emails me in all caps with lots of letters missing. You know, send this to everyone you know. Bill Gates will give you twenty-five cents for every email that you've forwarded. Anyway, don't open those email attachments. Yeah, and you know what I recently realized? Every once in a while, I find a story that I want to send to somebody, and I've realized that I was sending it... I'd say, hey, I just saw this, you should check it out. You
know what? That sounds just like something a spammer would write. Right. So I try to make it a little more personal so that... well, for one thing, the spam filter on a lot of these services will pull it right out of there if it's something that minimal. So if it fits that pattern of "hey, I saw this, check it out," then yeah, it can fall into the spam filter pretty easily. Also, it doesn't just go
with attachments, I mean, or links. There are links, plenty of links are problems, but think about... gosh, I've seen this so many times on Facebook. Clickjacking on Facebook. We're in the home stretch for Operation Click. But before we click on any more ghosts, we're gonna take a quick break to thank our sponsor. So if you've ever gone... I'm sure most of you have. Anyone who's had a Facebook account long enough has seen this happen with their friends.
You'll look and there'll be some video link. It won't be an embedded video, so it's not something that plays within Facebook, but you'll see a link to some incredible video, and it usually has to do with either violence or sex. Those tend to be the two big ones. Yeah. Yeah, you go for those base instincts that we humans have and you get a lot of results, which is kind of
a sad commentary, but that's a different podcast. Anyway, you'll see this link. And I saw one recently and immediately my red flag went up as soon as I saw it. First of all, I was like, this doesn't seem like the kind of thing this person would have shared. Like, they might have clicked on a link, but it doesn't seem like something
they would have themselves shared. And it was supposedly a video about Justin Bieber being stabbed at a concert, and as soon as I saw it, I thought, this has clickjacking written all over it. And immediately I went to one of my favorite references for this sort of thing, snopes.com. So Snopes is all about urban legends, but they also look at things like
Internet hoaxes and clickjacking. And I did a quick search, and sure enough, this is something that's been around for a while, and it's just like a lot of other clickjacking. It has these cycles that it goes through, where you'll have an initial pop-up of this and then it dies down, and then it'll pop up again, and it'll do that three or four times.
Current events are often... yeah, and I mean you'll find some of these that have lasted for years that don't necessarily have to be about Justin Bieber, for example; that may be the clickjack du jour. Yeah, exactly. Or, you know, five years ago it could have been about, for example, Britney Spears. Yeah, that would be a very popular one, and Jennifer Aniston, or somebody that's in the news
right that moment. Yeah, and it tends to be like, or it'll be like, this news anchor had an embarrassing moment on the news, click to find out, that sort of stuff. And what happens is if you do click that, you'll get a message that essentially says, usually something like, you need to install this extension, or you need to install this video player in order to watch this video. And if you allow it, then it gets access to things like your
Facebook feed, as well as possibly other stuff. It may involve other kinds of malware, but in general, you see this get propagated across Facebook, where someone who has fallen for the trick agrees to it, and then it continues to go across Facebook because it starts to use that person's feed. So whenever I see one
of these, here's what I do, guys. I see something that raises a red flag like that; the first thing I do is a search on Google for whatever the video supposedly shows, because nine times out of ten, it's just completely made up, and you can usually find an article written on it, or it'll be on Snopes or something like that, where they'll say, you know, this new Facebook scam
is going around, so watch out for it. Once I have confirmed that it's a scam, I go back to Facebook and I comment on the entry and I say, hey, it looks like this is a clickjacking attempt. You may want to go and change your Facebook password and delete this post, because by deleting the post, you're going to help remove that step for other people to fall victim to that same problem. So I do that fairly regularly because I've got a lot of friends on Facebook,
and this sort of thing can happen to anyone. And it's not necessarily something that's sort of either appealing to violence or sex. Sometimes it's something that's just interesting and it has nothing to do with any of those kinds of more base subject matter. And also, I mean, in general, when there's a link in Facebook, I tend to go to Google anyway and try and get to that link without going through Facebook, because you never know
when it's a clickjacking attempt. If it's an embedded video within Facebook, like a YouTube video that's been embedded in Facebook, something like that, I'm all right with that. I'll watch it that way. But for links, I tend to go outside of Facebook to do it, just to be on the safe side, which I'm sure Facebook hates. That's not what Facebook wants to hear. But until... they want to track you, right. Until there's better security around that, so that I'm not throwing caution to the wind and
infecting my computer, I just can't justify it. So that's just my own personal approach, guys. I'm sure all of you probably have your own sort of way of dealing with this and avoiding problems, but it's always something that's good to keep in mind. Anyway, so if you guys suspect that you might have this DNSChanger malware on your computer, go to the FBI's website. Use their tool first of all to see if you get a result back. If you don't get
a result back, you're probably okay, not necessarily okay. You can pull up that list of addresses that do map to these rogue servers and go through your computer settings and confirm it that way. So just check your computers, make sure you're fine, because if you're not fine, then once the FBI turns these servers off, you may have some problems accessing stuff over the web. And then you're thinking, what the heck happened? And that
wraps up another classic episode of TechStuff. Hope you guys enjoyed. It gives you a little bit of a glimpse into the past and this Operation Ghost Click problem that was plaguing us in the spring of... If you guys have any questions or maybe suggestions for future episodes, you can send me an email; the address is techstuff@howstuffworks.com, or pop on over to our website, that's techstuffpodcast.com. That's where you're going to find links to all our classic episodes,
including all of our new episodes. You'll also find links to our social media presence and a link to our online merchandise store, and every purchase you make there goes to help the show, and we greatly appreciate it, and I'll talk to you again really soon. TechStuff is a production of iHeartRadio's How Stuff Works. For more podcasts from iHeartRadio visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.
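The manual check the episode describes (run ipconfig /all, compare the DNS server addresses against the published rogue ranges), as an added example that is not from the episode, the FBI, or the DNSChanger cleanup tools: a Python script that parses a constructed sample of ipconfig /all output and flags DNS servers inside placeholder ranges. The real FBI ranges are not on this page, so RFC 5737 documentation networks (203.0.113.0/24, 198.51.100.0/24) stand in for them, and a DNS server on a private address is called out separately so that the router's own DNS settings get checked too, as the episode recommends.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# PLACEHOLDER rogue ranges for this example only. They are RFC 5737
# documentation networks, never routed on the public Internet, chosen so that
# nothing here is mistaken for the real ranges the FBI published in 2012.
PLACEHOLDER_ROGUE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of `ipconfig /all` output; not captured from a real host.
# The Ethernet adapter lists the router first and a "rogue" server second.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.25
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
"""

_ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
_DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
# Windows prints 2nd, 3rd... DNS servers on deeply indented lines of their own.
_CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")


def parse_ipconfig_dns(text: str) -> Dict[str, List[str]]:
    """Return {adapter name: [DNS server addresses]} from ipconfig /all text."""
    result: Dict[str, List[str]] = {}
    adapter = None
    in_dns_block = False
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            result[adapter] = []
            in_dns_block = False
            continue
        m = _DNS_RE.match(line)
        if m and adapter is not None:
            result[adapter].append(m.group(1))
            in_dns_block = True
            continue
        m = _CONT_RE.match(line) if in_dns_block else None
        if m:
            result[adapter].append(m.group(1))
        else:
            in_dns_block = False  # any other line ends the DNS server list
    return result


def classify(addr_text: str, rogue_ranges=PLACEHOLDER_ROGUE_RANGES) -> str:
    """Verdict for one DNS server: 'rogue', 'local', 'other' or 'unparseable'."""
    addr_text = addr_text.split("%", 1)[0]  # drop Windows IPv6 scope id ("%1")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "unparseable"
    if any(addr in net for net in rogue_ranges if net.version == addr.version):
        return "rogue"
    # A private/link-local resolver is almost always the home router, which
    # DNSChanger could also reconfigure: the router's settings need checking.
    if addr.is_private or addr.is_link_local or addr.is_loopback:
        return "local"
    return "other"


def check_host(text: str, rogue_ranges=PLACEHOLDER_ROGUE_RANGES) -> List[Tuple[str, str, str]]:
    """(adapter, server, verdict) for every DNS server found in the output."""
    return [(adapter, server, classify(server, rogue_ranges))
            for adapter, servers in parse_ipconfig_dns(text).items()
            for server in servers]


if __name__ == "__main__":
    advice = {
        "rogue": "inside a rogue range: this machine (or its router) is affected",
        "local": "on your LAN, probably the router: check the router's DNS settings too",
        "other": "public resolver, not in the listed ranges",
        "unparseable": "could not parse this entry",
    }
    for adapter, server, verdict in check_host(SAMPLE_IPCONFIG):
        print(f"{adapter}: {server} -> {advice[verdict]}")
```

Run it against your own output with `ipconfig /all > out.txt` and `check_host(open("out.txt").read(), real_ranges)`, substituting the ranges published by the FBI for the placeholders.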
