US-CERT: Operation Ghost Click Malware

(Last Updated On: November 10, 2011)



On November 9, 2011, US federal prosecutors announced Operation Ghost Click, an ongoing investigation that resulted in the arrests of a cyber ring of seven people who allegedly ran a massive online advertising fraud scheme that used malicious software to infect at least 4 million computers in more than 100 countries.


The cyber ring, composed of individuals from Estonia and Russia, allegedly used the malicious software, or malware, to hijack web searches and generate advertising and sales revenue by diverting users from legitimate websites to websites run by the cyber ring. In some cases, the software, known as DNSChanger, would replace advertising on popular websites with other ads when viewed from an infected computer. The malware also could have prevented users’ anti-virus software from functioning properly, thus exposing infected machines to unrelated malicious software.


US-CERT encourages users and administrators to use caution when surfing the web and to take the following preventative measures to protect themselves from malware campaigns:

  • Refer to the FBI’s announcement of Operation Ghost Click for additional information on how to protect yourself and recover from DNSChanger attacks.
  • Maintain up-to-date antivirus software.
  • Configure your web browser as described in the Securing Your Web Browser document.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Using Caution with Email Attachments Cyber Security Tip for more information on safely handling email attachments.