While waiting for a (non-government) technical training class to begin, FBI Special Agent Robert Cameron used his instructor-provided computer to check the local news.

Soon, the computer began to slow down and malfunction.

Cameron hadn’t downloaded anything or clicked on any suspicious links, but just by visiting a local news site, the computer he was using had been affected by malware known as “scareware.” Scareware slows the system and causes pop-ups that demand the user pay to have purported “anti-virus” software installed.

“I pulled the plug on the computer, and with the teacher’s permission, I opened the hard drive to find out what happened,” said Cameron, a cyber agent and computer expert in the FBI’s Minneapolis Division.

The next day, the local news website ran an apology to its readers, saying that what they thought was a legitimate advertisement had actually installed a virus on the computers of many users who visited the site during the time the ad was displayed. The news website also notified the FBI.

“You didn't have to interact with the website at all or click anything. There’s nothing the user could have done to prevent it,” Cameron said. “The pop-ups would keep coming to the point that you couldn’t do anything on the computer. You’d have to click the link and buy the software.”

Between the $50 “anti-virus” program itself, the hackers’ fraudulent use of the victims’ credit cards after the purchase, and the failure to pay the website for the “ads” they purchased, the overall scam cost victims an estimated $2 million. While the exact number of victims is not known, many are believed to be in the Minneapolis area because of the nature of the website.

Cameron and his colleagues began investigating and discovered a Latvian hacker was behind the attack, and his approach was highly sophisticated. After purchasing the company’s fake anti-virus software, the FBI and its international partners used several investigative approaches, including carrying out search warrants all over the world, to track down the perpetrator.

Investigators learned that, in 2010, associates of Peteris Sahurovs, including his wife, created a fake advertising company, known as RevolTech Marketing, and contacted a local news website to purchase advertising for their “client,” a well-known American hotel chain. (The hotel chain knew nothing about RevolTech’s activities.) RevolTech created an advertisement for the hotels that redirected to what appeared to be a legitimate site. The hackers then waited until Friday night U.S. time—after the website’s staff had already tested the ad—to swap out the ad to one that would direct computers to a malware-infected website instead. The malware installed whether or not the user clicked the ad. Once infected, the only way users could remove the malware was to purchase the fake anti-virus software—at a cost of $49.95.

The investigation also showed that in addition to the ad scam, Sahurovs and his associates ran a “bulletproof” hosting site that facilitated other criminal activity on the web. Bulletproof hosting sites are overseas servers that take active steps to avoid law enforcement detection of criminal activity.

The FBI and the Latvian State Police worked collaboratively to track down and arrest Sahurovs. However, he fled before his extradition hearing and was added to the FBI Cyber’s Most Wanted list.

Five years later, Sahurovs turned up in Poland, where he was arrested and extradited to the United States to face charges. In February, he pleaded guilty to conspiracy to commit wire fraud, and last month, he was sentenced to 33 months in prison.

Patience and international collaboration were keys to success in this case, Cameron said. FBI agents worked closely with their counterparts in Latvia, Cyprus, Turkey, and Ukraine during the investigation.

“It was a great chain of events to be able to find Sahurovs and bring him back to face justice,” Cameron said. “There are a lot of momentum swings in these cases, and we had to be patient. I’m happy we’re finally able to get closure in this case.”