Operation Ghost Click

DNS or Domain Name System is an internet service that converts the user friendly domain name such as gktoday.in into numerical addresses such as These numerical addresses allow the computers to talk to each other. Without DNS and the DNS servers, the computer users would not be able to browse websites, send email or connect to any other internet services.

Beginning in 2007, a group of criminals infected millions of computers around the world with a malware (Trojan) called DNS Changer, which allows them to control the DNS servers. As a result, DNSChanger (Domain name changer) redirects the web traffic to fake websites exposing internet users to vulnerable threats of hacking and stealing personal identity. It works by changing the DNS – which that takes a website address and finds the numerical IP address to connect to that website — redirecting millions of Internet users to sites they didn’t search for. After gaining access to a host PC, the DNSChanger virus tries to modify the DNS (Domain Name Server) settings, which are essential for Internet access, to send traffic to malicious servers. These poisoned web addresses in turn point traffic generated through infected PCs to fake or unsafe websites, most of them running online scams

How it happened?

In July 2012, FBI claimed that DNS Changer still infects 300,000 computers worldwide including over 20,000 in India. It all started in 2007, when a group of hackers — six Estonians and one Russian — allegedly started masquerading as Internet advertisers who were paid by the click, according to an 2011 indictment from the U.S. Attorney General’s Office.

The Federal Bureau of Investigation (FBI) had in November 2011, identified a group of cyber criminals who had infected more than four million computers across the world with a Trojan known as DNSChanger. These people were able to manipulate Internet advertising to generate at least $14 million in illicit fees, the concept called Clickjacking in technical jargaon. The users think they are clicking on one website but are actually redirected to the fraudsters advertisement websites so they can get the click revenue stream. FBI investigated this via its "Operation Ghost Click" and broke up the conspiracy, made some arrests, and seized the bad DNS servers. But because a large number of PCs were already pointed at these servers, the FBI continued to operate them with clean and authentic DNS data. The recent shutdown of the internet services was the part of last stage of Operation Ghost Click, as FBI planed to pull the plug and bring down the temporary rogue DNS servers July 9. As a result, PCs still infected by the DNSChanger virus were unable to access the Internet.