Brought to you by the reinvented 2012 Camry. It's ready. Are you? Get in touch with technology with TechStuff from HowStuffWorks.com. Hello again, everyone. Welcome to TechStuff. My name is Chris Pollette, and I'm an editor at HowStuffWorks.com. I'm trying to crack up the person sitting across from me, and that's the person I usually talk to on these podcasts. His name is Jonathan Strickland, and he is a senior writer here. To get there, you follow Highway 58 going northeast out of the city, and it is a good highway. All right, we're talking about numbers today. Yes we are. We're talking about getting to where you're going and getting diverted along the way. So, as of the recording of this podcast, which is in April of, there is a story that's actually not a news story necessarily. It first started to make the news way back in November, but it's kind of bubbled up, and it's an operation that the FBI, the Federal Bureau of Investigation, has headed up, and it all involves hacking into the Internet and messing around with Internet traffic. It's called Operation Ghost Click. That's a nice name. I always love hearing the operation names. It is a wacky doctors game. So I think first, before we get into too much detail, we should probably talk about how Internet traffic works. We've mentioned that on the podcast on a handful of occasions. I think in fact we got into the domain name system, DNS system, or sorry, that was redundant, the DNS, no, servers. Well, it's both, because DNS can mean both, but right, right, right,
So yeah, we talked about it before. And basically every website has an address, a physical address, well, a physical address on a hard drive, a physical hard drive somewhere, and these numbers, there are four sets of numbers separated by periods, and that address is unique to that space on that physical hard drive somewhere. And so if you typed in http:// and this number, you will get to a website. Of course, that's very inconvenient, because then you either have to write down these numbers or bookmark them, or, you know, you have to have some sort of weird Total Recall thing going on where you can just easily remember any series of numbers, which would make you incredibly useful, but it would also make you very rare. Most of us, it's not something humans are particularly good at doing on average. So that is what kind of gave rise to the idea of having this domain name system. Yes. Now, the domain name system, what it does is it allows you to create a domain name, as in words that correspond to whatever your site is, and then that itself is mapped to this series of numbers, this IP address, the IP being Internet Protocol, which is the language that gets you from one place to another on the Internet, regardless of whether you're using a Windows machine, Mac or Linux or a mobile thing. It gets you to the same place.
And that's what allows you to type in howstuffworks.com and get to our website. Yes. So if you were to type howstuffworks.com, what happens is that request, you know, what you're essentially doing is you're telling your browser, I want access to this particular website. Your browser sends this message along up a chain of command, and, you know, it has to go out to the right computer that has the website living on it and retrieve that so that you get an instance of it back at your machine. In order to do that, it has to first map, what it needs to have is the name that you're typing. It has to be mapped to that physical machine, that physical drive, and it does this by going through domain name servers. A domain name server is essentially, think of it kind of like a phone book. Yeah. So all the different URLs you could type in are indexed against these numerical addresses. And then that way, once you type in the URL, it looks for the corresponding numeric address, pulls information from that particular source, and then serves it back to you so that you get what you asked for. Well, you asked for it, you got it, anyway. So the whole deal here is that you are going to get the right information, assuming that everything's working correctly, and occasionally stuff messes up. The computer that hosts the site might be down, in which case you're going to get something like a 404 error, because the Internet is not going to be able to find the file that you've requested. Very sorry, the Internet is broken. The elders of the Internet called and they said, no more Internet for you. But most of the time
it's gonna work just fine. However, what happened in the case of Operation Ghost Click is that the FBI discovered there were some people who had created some rogue DNS servers. So, in other words, these folks, six Estonian nationals, according to the FBI, got together and created these servers that acted just as a domain name server would. So in other words, it had a collection of URLs, an index of URLs, and an index of numeric addresses. So it's like a fake phone book. Right, exactly. Some of the entries in this fake phone book went to different phone numbers, so instead, literally, yeah, but since we're sticking with the analogy, sticking with that analogy. So instead of the official phone number for a particular website, you would get a fake one. In other words, you would go to a fake numeric address for a real site, so you might type in the address perfectly in your URL bar. Right. So let's take a random example, let's just say Yahoo. So you do www.yahoo.com, you hit enter. Now, normally, a regular DNS server would look up that URL, look to see what the numeric address is for that URL, send that information out, retrieve the website, and serve it up to you. A rogue DNS server would look up that URL, look at the numeric address that was created for that URL, but it isn't actually the address for Yahoo. It's an address for something else, and it serves that up to you. Now, why would anyone do this? There are a couple of different reasons. Now, in the case of the Estonians, they were doing something I think that was kind of deviously clever. They were doing this in order to reroute traffic to bring in advertising money. So, in other words, the way advertising on the Internet works in general is that you get paid for a certain number of
views of that ad. It's called impressions. The number of impressions an ad gets translates to money, and if you get lots and lots and lots of impressions, you get lots of money. In general, a single impression is worth a fraction of a cent. Yeah, but if you can say, hey, you know, I can promise you that five million people are going to see your ad, then you can command a good price for your services. Right. So very popular websites tend to charge more than sites that don't get a lot of traffic. Makes sense, right? Let's say that you have a billboard next to a busy highway. The price to put an ad out on that billboard is probably gonna be higher than a billboard that's next to a rural road that doesn't get a lot of traffic. So anyway, the same sort of logic applies on the web. So what these guys were doing, I say guys, what these Estonians were doing, because I don't know their gender, they were using these rogue DNS servers to reroute traffic to go to different websites that had specific ads on them that the Estonians were administering, and then they were pulling in the money. So they were redirecting traffic. It's like putting a detour in your route, and so you're going down your normal route to wherever you're going, and you see a sign that says, oh, nope, the road is out up ahead, take a right instead of going straight, and you will go through a different route. And along that route you decide to stop and eat. And normally you would stop and eat at your favorite restaurant, but you can't get to that one because it's on the road that's been closed. So you go to this other restaurant, and it turns out that it was all employed by the other restaurant in the first place. They put that detour sign up because they wanted to get some more foot traffic, some more diners to come in. That was the general plan. Now the question is, how do you get that rogue DNS server to get in the line of traffic so that people
will visit it in the first place. Yeah, because if you're typing in an address that you already know, say discovery.com, you should theoretically be routed to the right place as long as your computer is configured correctly and the Internet's working the way it's supposed to. I mean, what are they gonna do? Are they gonna go in and kick out the legitimate DNS machine and replace it? No, it was very clever. They created a kind of malware, and the malware is called DNSChanger, and so DNSChanger would change the DNS settings on your computer or other device, or even your router, which was particularly nasty, because if it changed on the router, then any device that connects through that router would be affected also. It's unlikely that you're going to have antivirus software on your router, although you might on your computer. Now, the way that they did this with the router was the easiest way, and it's the easiest way for someone to prevent it from happening to them. The way that worked on the router was that they just ended up using a list of generic usernames and passwords that tend to be administered over various routers. So you pick a router, whatever router you happen to use. That router tends to have a standard username and standard password you are supposed to change once you install it into your home network, but a lot of people never get around to doing that. They install the router and then they don't bother changing the username and password, which means that anyone who knows what the standard username and password is for that brand of router could get access to
that network. That's what they were doing in this case. But in order to change the computers themselves, not the router, what they had to do was convince people to download some malware and execute that. Now, social engineering. Yeah, lots of different ways of doing that. Yeah, you know, there's the very standard way where they put on a website that you might encounter a little pop-up that says, hey, your antivirus software is out of date, install this and we will scan your computer for viruses, and free, yeah, for free. And in fact it really is a virus itself that installs to your computer. You know, you think you are trying to head off some sort of malware, and in fact you're actually installing malware on your computer at the time. Or it could be through email attachments, you know, all the standard ways that malware propagates across the web. Any of that would work to get this particular kind of malware onto your machine. Once you installed it, whether it was through a Trojan program or whatever, it would go and reset the DNS settings on your computer, and it would direct your computer to go to these rogue DNS servers as opposed to your Internet service provider's DNS servers, because your ISP has its own, right, that passes the information up along the chain of command. So you would bypass your ISP's servers. You would go to these rogue servers, and then you would be directed to whatever website they wanted to direct you to for any particular URL. For some URLs, you might just get the regular website, you're sent along and nothing bad happens. For other URLs, you might be directed to a site that looks very similar to the one you wanted, but something isn't quite right. And again, they
were just doing it for the advertising money. The scary thing is they could have done this for any other reason and actually tried to steal stuff directly from the user. Now, in this case, that doesn't seem to be what they were up to. They were up to just redirecting that traffic. So you might think, well, that's annoying. I mean, I'm not going to get to the website I want to go to unless I type in the actual numeric address physically, then I would go to it. But while it's annoying that I wouldn't go to the site that I wanted to go to, at least they're not stealing from me. But they could have. They could have directed things so that you would go to dummy websites that look similar to official ones and put in a system where you type in your username and password and they would log it. They could have logged it, they didn't. They could have logged that information, thus getting access to various accounts across the net. They could have gotten access to email accounts, bank accounts, you know, anything that would require authorization. They could have done that. And what would probably have happened is that you would have logged in. Let's say that you try to go to your bank's online banking site, and you might get a site that looks very much like your bank's site. In fact, it might even look almost identical. The address might look a little hinky, but if you were to type in your username and password, likely you would get a response saying, oh, site's down for maintenance. But what's really happened is that that information has been logged by hackers. So that could have happened, or they could have directed you to a site where you would have been encouraged to download even more malware, perhaps a back door access program so that your computer would become part of a botnet, or any other kind of hacking tool. It's really, the options are pretty much unlimited. Now, in this case,
again, it was just to redirect traffic. However, there were some other problems that would happen if you were affected by this virus. You might not, you know, you might not have anyone stealing from your bank account or anything. But one of the things the virus does, which is pretty much standard operating procedure for viruses, is it turned off the features on your operating system and your antivirus from updating, so that you wouldn't be able to get the latest security patches that would prevent this program from working. So the first step, pretty much, of any malware is, let's disable the stuff that can turn this off. So anything that would automatically turn the malware off was disabled. So that's a problem, because it means that even if you aren't being actively preyed upon by these particular hackers, future attacks could hit you much more easily because you are no longer protected. Yeah, which is pretty bad. That's what we call a bad thing in Internet security. And there were about four million people around the world in about a hundred countries that were affected by this, and then five thousand in the United States. And it wasn't just, you know, citizen users, it was also businesses, government computers. I think there were even a couple of computers over at NASA that were affected too. And the good news that we have is that the FBI arrested these six Estonian nationals that were identified as being part of this, actually running this ring. Yeah, they were going to try to have them extradited to the
United States. Yeah. And they've also taken over the rogue DNS servers they have identified as being part of this, and those rogue DNS servers are now acting like legitimate DNS servers, which is great. That means that as a user, when you try to visit a website, you should get what you're supposed to get. However, there's a problem, because if you're affected, your computer still is directing you to the wrong set of servers. You're still getting the right result, but you're not going through the regular chain of command that you should go through. And the FBI is not going to be running these servers forever, and in fact, in July, they're going to turn them off. And once those turn off, if your computer is being directed to those DNS servers, you may not have any more Web access, at least not through typing in a normal URL, because your computer is going to try and go through a pathway that doesn't exist anymore. So the important thing to do is to determine whether or not your computer has this infection, and if it does have the infection, to clear it up. And the first one is easier than the second one. Yeah, the FBI actually set up a website designed to help you identify whether or not you have been affected. Yes, you can go to the FBI's website and follow the links to find out whether or not your computer has this problem. And there's actually a couple of different ways of doing it. They've set up a URL where what it does is it pings a server, and if it gets a positive result saying that you're fine, you get a screen that has this big green icon on it and says you're good. If you're not fine, you get a big red icon, which is saying that, you know, it's going through one of the rogue DNS servers. They've also identified a range of the IP addresses. You can check your DNS settings on your computer yourself. If you're using a Windows machine, you go to a run command and you type in ipconfig /all, and then that'll pull up your DNS settings and you can see what the numeric address is for the server that you go to, and if it falls within the range that's been identified by the FBI, you know that your DNS settings are wrong. Clearing this up and getting rid
of the malware is a little tricky. The easiest way I can think of to do it, if I were doing it myself, is going to a computer that I know has not been affected and downloading the latest antivirus software I can find. Most of them have an option where you can put a version of that onto a thumb drive. Do that, then take the thumb drive over to the infected machine, boot it into safe mode, and load up the antivirus software from the thumb drive, and that should be able, depending upon the antivirus software, it should be able to scan it and remove it. The FBI also points to several web assets that can help you if your computer does appear to be one of the ones that's infected, and those may work very well for you. I tend to go with the antivirus approach whenever I can, and I don't know, I just have a preference for that as opposed to going a web-based route. Yeah, but it is fairly easy to get rid of the problem in this case. It's not like some of the others where you have to reformat your hard drive to get it back. Yeah, there's something. Depending on how tech savvy you are, it's pretty easy. If you're not terribly tech savvy, it may be worth it to take it to a computer professional to have them scan it and remove it and take care of it for you, because the more you mess with your computer settings, the more you may inadvertently cause some problems that can turn your machine into a nightmare. And sometimes, depending on the malware, like if you've had this on your computer for a while, that might not be the only malware that's affecting you. You might have other problems, in which case, you know, a simple scan and remove may not be enough. In a worst case scenario, you might have to do something like wipe your computer and reinstall the operating system, in which case the first thing you want to do is back up as much of your data as you possibly can, and then you do the wipe. But even that is, I mean, that's a worst case scenario type of thing, and hopefully none of our listeners
are in that. Well, first of all, hopefully none of our listeners have been affected by this malware. But if they have, hopefully it's not so severe, and they don't have other forms of malware, that they can't, you know, take care of it themselves. Yeah. And of course it's always a good idea to back up your hard drive on a regular basis anyway. Always back up your hard drive, to make sure that you have a version of your operating system installed on there that you can go back to that you know is not infected, at least hopefully. Yeah. But that's pretty impressive. I mean, the FBI has really been promoting the fact that they had this success in taking down, or apparent success, I should say, in taking down this ring, because, you know, this is pretty significant. They took away traffic from legitimate websites in addition to making money for themselves with the alternate fake websites. And it does expose the fact that most people are, you know, still having to think about what they do, because they may very well be letting somebody in. It could have been a lot worse than it was. Yeah, exploiting the DNS system, which again, I know, redundant, ATM machine, PIN number,
it was pretty ingenious, you know. Essentially, it just shows that understanding how the Internet works and building this parallel system that exploits the way the Internet works was very clever. Now, of course, it still depended upon user behavior to work, because if no one had downloaded the malware, if no one had installed the malware, it wouldn't have, nothing would have happened. You would have had these rogue DNS servers that would be online and ready to redirect traffic to wherever they wanted it to go. But if no one downloaded the malware, the traffic would never have been redirected. So really, the other lesson to take away from this is just practice good Internet security rules of thumb, things like don't open strange attachments in random emails. Make sure you ask people if they've sent you an attachment. Ask them, like, did you really send this to me? You know, because sometimes people's email addresses get compromised and they randomly start sending out files to people, often in uncharacteristically worded ways. Like, you might read a message and think, either my friend has taken a terrible fall and decided to email me immediately afterwards, or is under the influence of some powerful alcohol, or, you know, it just doesn't make any sense. Like, you read it and you're like, this doesn't sound like Chris. Chris never emails me in all caps with lots of letters missing. Send this to everyone you know. Bill Gates will give you twenty-five cents for every email that you forward. Anyway, don't open those email attachments. Yeah, and you know what I've recently realized? Every once in a while I'll find a story that I want to send to somebody, and I've realized, as I was sending it, I'd say, hey, I just saw this, you should check it out. You know what? That sounds just like something a spammer would write. So I try to make it a little more personal, so that, well, for one thing, the spam filter on a lot of these services will pull it right out of there if it's something that minimal. So if it fits that pattern of hey, I saw this, check it out, then yeah, it can fall into the spam filter pretty easily. Also, it doesn't just go with attachments, I mean,
or links. Plenty of links are problems. But think about, gosh, I've seen this so many times on Facebook, clickjacking on Facebook. So if you've ever gone, I'm sure most of you have, anyone who's had a Facebook account long enough has seen this happen with their friends. You'll look and there'll be some video link. You know, it won't be an embedded video, so it's not something that plays within Facebook. But you'll see a link to some incredible video, and it usually has to do with either violence or sex. Those tend to be the two big ones. Yeah. You go for those base instincts that we humans have, and you get a lot of results, which is kind of a sad commentary, but that's a different podcast. Anyway, you'll see this link, and I saw one recently, and immediately the red flag went up. As soon as I saw it, first of all, I was like, this doesn't seem like the kind of thing this person would have shared. Like, they might have clicked on a link, but it doesn't seem like something they would have themselves shared. And it was supposedly a video about Justin Bieber being stabbed at a concert, and as soon as I saw it, I thought, this has clickjacking written all over it. And immediately I went to one of my favorite references for this sort of thing, snopes.com. So Snopes is all about urban legends, but they also look at things like Internet hoaxes and clickjacking. And I did a quick search and sure enough, this is something that's been around for a while, and it's just like a lot of other clickjacking. It has these cycles it goes through where you'll have an initial pop-up of this, and then it dies down, and then it'll pop up again, and it'll do that three or four times. Yeah. Current events are often, yeah. And I mean, you'll find some of these that have lasted for years, and they don't necessarily have to be about Justin Bieber, for example. That may be the clickjack du jour. Yeah, exactly. Or, you know, five years ago it could have been about, for example, Britney Spears. Yeah, that would be a very popular one. Or Jennifer Aniston, or somebody that's in the news right at that moment. Yeah. And it tends to be like, or it'll be like, this news anchor had an embarrassing moment on the news, click to find out, that sort of stuff. And what happens is, if you do click that, you'll get a message that essentially says, usually, something like, you need to install this extension or you need to install this video player in order to watch this video. And if you allow it, then it gets access to things like your Facebook feed, as well as possibly other stuff. It may involve other kinds of malware, but in general, you've seen this get propagated across Facebook, where someone who has fallen for the trick agrees to it, and then it continues to go across Facebook because it starts to use that person's feed. So whenever I see one of these, here's what I do, guys.
I immediately, you know, I see something that raises a red flag like that. The first thing I do is I do a search on Google for whatever the video supposedly shows, because nine times out of ten it's just completely made up, and you can usually find, I find an article written on it, or it'll be on Snopes or something like that where it'll say, you know, this new Facebook scam is going around, so watch out for it. Once I have confirmed that it's a scam, I go back to Facebook and I comment on the entry and I say, hey, it looks like this is a clickjacking attempt. You may want to go and change your Facebook password and delete this post, because by deleting the post, you're going to help remove that step for other people to fall victim to that same problem. So I do that fairly regularly, because I've got a lot of friends on Facebook, and this sort of thing can happen to anyone. And it's not necessarily something that's sort of either appealing to violence or sex. Sometimes it's something that's just interesting and has nothing to do with any of those kind of more base subject matters. And also, I mean, in general, when there's a link in Facebook, I tend to go to Google anyway and try and get to that link without going through Facebook, because you never know when it's a clickjacking attempt. If it's an embedded video within Facebook, like a YouTube video that's been embedded in Facebook, something like that, I'm all right with that. I'll watch it that way. But for links, I tend to go outside of Facebook to do it, just to be on the safe side, which I'm sure Facebook hates. That's not what Facebook wants to hear. But they want to track you, right. Until there's better security around that, so that I'm not
throwing caution to the wind and infecting my computer, I just can't justify it. So that's just my own personal approach. Guys, I'm sure all of you probably have your own sort of way of dealing with this and avoiding problems, but it's always something that's good to keep in mind. Anyway, so if you guys suspect that you might have this DNSChanger malware on your computer, go to the FBI's website. Use their tool, first of all, to see if you get a result back. If you don't get a result back, you're probably okay, not necessarily okay. You can pull up that list of addresses that do map to these rogue servers and go through your computer settings and confirm it that way, warning, rogue servers. So just check your computers, make sure you're fine, because if you're not fine, then once the FBI turns these servers off, you may have some problems accessing stuff over the web, and then you're thinking, what the heck happened? And the real nasty part about not being able to access the web is not being able to access why you can't access the web. I've had that happen. Apparently, did I not pay my Internet bill? Is my router down? I don't know how to check, because I can't look anything up. Yes, I'm that guy. Anyway, so do you have anything else you want to add about this? Not really, not really, no. So let us wrap this up. Guys, if you have any suggestions for future topics on TechStuff podcasts, you can let us know through email. That address is techstuff@discovery.com, or you can let us know on Facebook or Twitter. Our handle on both those social networks is TechStuff HSW, and Chris and I will talk to you again really soon. For more on this and thousands of other topics, visit HowStuffWorks.com.
