Behind the threat: FBI Internet server shutdown

NEW YORK (AP) - On Monday, the FBI turned off servers that had allowed thousands of malware-stricken computers to continue using the Internet. The personal computers _ both Windows PCs and Macs _ are corrupted by a virus known as DNSChanger. Without the servers, the machines wouldn’t know how to locate websites and send email.

Q. What happened?

A. Years ago, scammers managed to trick millions of people into installing the DNSChanger software, which changed certain computer settings. With the change, your computer went to a rogue server rather than a legitimate one at your company or Internet service provider. From there, the scammers were able to send you to websites containing rogue ads from which they profited.

Q. How were the servers supposed to function?

A. Databases known as domain name servers translate Internet addresses such as “ap.org” into a series of numbers your computer needs to locate other Internet-connected machines. Think of it as the Internet’s version of directory assistance for telephone numbers. If you need the number for Acme’s Flowers, you call “411” to ask for it.

Q. How did the scam work?

A. In the simplest terms, think of it as “411” calls that were rerouted to a directory-assistance service operated by the scammers. You call it to ask for Acme’s Flowers, but the service gives you the number for a flower shop run by the mob. The shop still fulfills the order, so you don’t suspect anything, but it might use stolen flowers and baskets.

According to federal authorities, there were variations on how the scammers profited.

In some cases, only the ads were changed. For example, authorities say, people who went to ESPN’s website saw an ad for a timeshare business rather than the Dr. Pepper ad that was supposed to be there. In such cases, those people were still going to ESPN’s website. Normally, your computer would grab the ad displayed on ESPN from a separate, legitimate ad-placement company. Authorities say the affected computers were tricked into grabbing the scammers’ ad instead.

In other cases, authorities say, people searching through Google or Yahoo were sent to a fake search engine. They got search results that looked like Google’s or Yahoo’s but contained links to unauthorized sites. For example, people trying to reach the IRS site instead got H&R Block’s, without the tax preparer’s knowledge. Authorities say scammers got payments for referrals.

The FBI said the scam netted at least $14 million.

Q. If this has been going on for years, why did it become a problem Monday?

A. Authorities busted the ring in November and arrested six suspects. The rogue databases were replaced with legitimate ones, but they were always meant to be temporary and did nothing to change the settings on individual computers. In other words, the troubled computers were still looking for databases at the rogue locations, but legitimate databases were set up at those rogue locations.

Those databases were turned off Monday with the expiration of a court order, so infected computers are now looking for databases that don’t exist. Without the information, computers don’t know where to find websites.

Continuing the phone analogy, the “411” calls during the transition period didn’t go to the usual directory-assistance service but one operated on behalf of the FBI. You’d get the correct Acme’s Flowers, not the mob operation. Since the temporary service shut down Monday, “411” calls essentially go to a disconnected line.

Story Continues →

Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.