FTC Sues, Shuts Down N. Calif. Web Hosting Firm

In an unprecedented move, the Federal Trade Commission has taken legal steps to shut down a Web hosting provider in Northern California that the agency says was directly involved in managing massive global spam operations.

Sometime on Tuesday, more than 15,000 Web sites connected to San Jose, Calif., based Triple Fiber Network (3FN.net) went dark. 3FN's sites were disconnected after a Northern California district court judge approved an FTC request to have the company's upstream Internet providers stop routing traffic for the provider.

In its civil complaint, the FTC names 3FN and its various monikers, including Pricewert LLC -- the business entity named on the 3fn.net Web site registration records. The FTC alleges that Pricewert/3FN operates as a "'rogue' or 'black hat' Internet service provider that recruits, knowingly hosts, and actively participates in the distribution of illegal, malicious, and harmful content," including botnet control servers, child pornography and rogue antivirus products. 3FN also operates by the names APS Telecom and APX Telecom.

In an interview with Security Fix, FTC Chairman Jonathan Leibowitz said the agency's action targets one of the Web's worst actors.

"Anything bad on the Internet, they were involved in it," Leibowitz said. "We're very proud, because in one fell swoop we've gone after a big facilitator of some of the utterly worst conduct."

The FTC chairman confirmed that this was the first time the agency had sought and been granted an order to shut down an Internet service provider.

Efforts to contact 3FN via phone, instant message and e-mail were unsuccessful. I will update this post in the event I hear back from them.

The FTC alleges that even though Pricewert officially is registered in Oregon, its principals and staff are located outside of the United States.

"Pricewert markets its services to domestic and overseas criminals by placing ads in the darkest corners of the Internet, including forums set up to facilitate communication between criminals," the FTC complaint said. (The image on the right is a screen shot of an ad for 3FN's services I found running on verified.ru, one of the busiest Russian online forums dedicated to identity theft and the sale of stolen identities).

"Pricewert hosts very little legitimate content and vast quantities of illegal, malicious, and harmful content, including child pornography, botnet command and control servers, spyware, viruses, trojans, phishing related sites, illegal online pharmacies, investment and other Web-based scams, and pornography featuring violence, bestiality, and incest," the FTC said.

The FTC also said that not only was 3FN hosting sites promoting illegal activities, but that its owners and operators were directly facilitating and brokering those businesses. The commission references several Internet chat logs in which the head of programming for Pricewert/3FN is observed directly participating in the creation and configuration of a botnet.

"The customer informs Pricewert that he controls 200,000 bots and needs assistance configuring the botnet. The head of Pricewert's Programming Department agrees to assist, but complains upon learning of the size of the botnet that it will require a lot of work," the FTC's complaint alleges.

Botnet experts I have spoken with over the past eight months have found that 3FN housed many of the command and control networks for "Cutwail," one of the world's largest spam botnets. As late as mid-April, Joe Stewart, a botnet expert and director of malware research at SecureWorks, tracked nearly a dozen Cutwail control networks hosted at 3FN.

Indeed, in February, Security Fix began tracking malware samples from Cutwail and its cousin Pushdo that traced back to 3FN, dating back to at least October 2008. These reports were listed at ThreatExpert.com. A copy of that record -- with citations from malware analysis reports -- is available at this link here (Microsoft Excel document) or in HTML format. The Internet addresses colored yellow in those charts belong to 3FN.

Among the most popular sites on 3FN's hosting servers was botmaster.net, the home of an extremely popular service and software product used to blast out massive amounts of blog comment spam.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and a principal at the Arlington, Va., based Internet Law Group, said the FTC's authority gives it the power to shut down companies that appear to be engaged in unfair and deceptive practices, whereas criminal law enforcement agencies have a much higher standard for proving wrongdoing in order to convince a court to shut down an ISP.

"It could be that other law enforcement organizations are using the FTC as a front in order to obtain evidence for later criminal prosecutions," Rasch said. "What's interesting about that approach is that in order for these guys to get out from under this court order, they're going to have to show that they've taken steps to clean up their act. But if there is a criminal investigation ongoing against 3FN, then anything their operators say in trying to convince a court to lift the order can and will be used against them later."

The FTC's Leibowitz declined to say whether other law enforcement agencies were investigating 3FN, but said his agency was assisted by several organizations, including: cyber investigators at NASA; Spamhaus; The Shadowserver Foundation; the University of Alabama at Birmingham; The National Center for Missing and Exploited Children; and Symantec Corp.

Interestingly, the Russian blogosphere is beginning to light up about 3FN's closure. This blog post notes that large numbers of 3FN customers were forced to move their sites to other providers. Meanwhile, the 3FN operators are telling customers that they will be back online in another location within hours or days.

Christopher Barton, lead research scientist at McAfee, said a number of 3FN domain name servers already have popped up at new locations online.

"The rats are running," Barton said.

Leibowitz said his agency would continue to pursue other ISPs that "provide a haven for Internet criminals."

"This is a signal that we're going to go after you, and you're not going to be able to hide behind the shroud of the Internet and be immune from enforcement action," Leibowitz said.

A signed copy of the FTC's complaint is available here (PDF).

Update, Jun. 14, 10:57 p.m. ET: 3FN released a lengthy statement responding to the FTC's action and allegations. That statement is available here, via PRWeb.

By Brian Krebs  |  June 4, 2009; 12:46 PM ET
Categories:  Cyber Justice , U.S. Government  | Tags: 3fn, pricewert  

Comments

Kudos to the FTC for shutting down this criminal operation, which was involved in child porn. Keep up the great work FTC!

Posted by: john24 | June 4, 2009 1:06 PM

I'd love to see asset seizures from the owners of these websites, as well.

Posted by: Garak | June 4, 2009 2:12 PM

This is a positive step, but let's not get carried away with our celebrations. Driving these companies from within the borders of countries with strong legal protections will inevitably lead them to set up in countries lacking those protections. Lax laws and rampant corruption in these countries will allow these providers the cover they need to keep operating. This should not deter us from ridding our country of these rogues, but it should remind us to not let our guard down.

Posted by: lostinthemiddle | June 4, 2009 2:48 PM

That is a good first step. Is this a warning shot or the beginning of a serious campaign? Does the FTC intend to extend this new initiative to Federal, State, Local government and educational institutions? In my opinion, this is a significantly positive step, but my question is, what’s next?

Posted by: Cerberus1 | June 4, 2009 2:56 PM

Cerberus1 wrote: "In my opinion, this is a significantly positive step, but my question is, what’s next?"

It's true that botnet C&C centers in Russia will be less vulnerable. However, given the disadvantages of locating a company like that in the US, I'm betting that the fact that it was located here in the first place indicates the Russians aren't as laissez-faire about it as they seem.

What happens next is maybe someone looks at which networks those 200,000 bots are hosted on. Currently, everyone seems to think it's okay for the Comcasts and SBLs and Roadrunners of the world to allow their trojan-infected customers to continue to spew spam and host illegal websites. The attitude their support staff members seem to have is that because their customers are not highly computer literate, they can't possibly be expected to keep their machines clean. And when those machines engage in a denial of service attack against a US target from their dynamic IP addresses, it's very difficult for the target to block them without blocking legitimate customers.

When we push the botnet C&C centers overseas, we need to push their bots out with them. Then if we're attacked, we can block traffic from countries that can't keep a lid on their botnet problem. Right now the US *is* one of the countries that can't keep a lid on the problem.

Posted by: AlphaCentauri | June 4, 2009 3:54 PM

What about 'white' users of this hosting?
When can they get access to their sites?
Why are these people deprived of their property?
Is there a procedure for returning their sites (files, backups) to white users?

Posted by: d-d-d | June 4, 2009 4:18 PM

Thank you Jon Leibowitz and the dedicated FTC staff for your good work. Let's hope other law enforcement agencies will not drop the ball.

Posted by: sheilaanthony | June 4, 2009 4:22 PM

What about 'white' users of this hosting?
When can they get access to their sites?
Why are these people deprived of their property?
Is there a procedure for returning their sites (files, backups) to white users?

Posted by: chubis | June 4, 2009 4:57 PM

Obviously running its operations for years, it is screamingly obvious the FTC under the Bush "administration" was either completely blind to this sort of enterprise, or just didn't care, because Bush was more interested in using the FTC to disburse its neo-conservative propaganda. We have heard countless times, over and over again from the right wingers that no attack has been perpetrated since Bush was in office. Hello?

Posted by: swatkins1 | June 4, 2009 4:58 PM

Are there any statistics available as to the increase (or decrease) of spam, virus, bot attacks, etc, over the last 8 years?

Posted by: swatkins1 | June 4, 2009 5:01 PM

All during the Bush FTC administration:

It’s a market economy…
Professional crime requires professional tools
Increasingly commercialized
Development, release, updates
Pricing, distribution, support
…and business is booming!

In the first half of 2007, 212,101 new malicious code threats were reported to Symantec. This is a 185% increase over the second half of 2006.


Not a single attack since 9/11? Are you fuc*ing kidding me? Billions of $$$ lost because of cyber crime...Productivity bottlenecked due to a lack of curiosity or professionalism within the FTC's regulatory branch...Bushco incompetence at all levels of his "administration"...And this is JUST BUSH'S FTC!!!

Posted by: swatkins1 | June 4, 2009 5:08 PM

"What about 'white' users of this hosting?
When can they get access to their sites?
Why are these people deprived of their property?"

It is the responsibility of 'white' users to verify that their ISP does not provide services to criminals.

Posted by: moike | June 4, 2009 5:25 PM

Sigh. It's really appalling how Americans are eager to cheer the censors.

Don't you understand that now it's enough to claim that the hosting provider keeps "child pornography" or whatever to get a dissenting political site shut down?

And what about "illegal on-line pharmacies" which do sell drugs a lot of people rely on because they have no insurance and no money to pay for the monopolistic prices set up by the pharma-government cartel?

It is really sad that you consider the Constitution to be another goddamn piece of paper - and it does say explicitly that the Feds have no business making or enforcing laws regarding what can and what cannot be said.

Posted by: poopie1 | June 4, 2009 6:03 PM

The FTC should confiscate their servers, networking gear, registered DNS records, and backup tapes. Corporate bank accounts should be frozen and executives who knowingly market to criminals should be prosecuted.

Shutting down the upstream circuits is not effective as the company can simply change its name and order new circuits. They will be back in business in 30-60 days...

Posted by: siris | June 4, 2009 6:17 PM

On average, I forward 3 to 5 items per day to appropriate FBI offices and yet they keep on coming.

And so I will keep on referring.

FOREWARNED IS FOREARMED.

Posted by: brucerealtor@gmail.com | June 4, 2009 6:21 PM

One thing I'd like to note here is that I worked with a security company whose execs waved them away from investigating these guys because the child porn on that network was waist deep.

Also, someone who knows these guys better than I maybe can correct me if I'm wrong, but it wasn't the easiest place to sign up for a server or site at. You had to know the right people, get them to respond to your emails -- or more likely on ICQ (and speak Russian/Ukrainian) and be willing to pay fairly hefty prices for hosting. Not a place that a mom and pop type store is going to just happen to set up shop.

I'm not saying there weren't any legit sites on 3FN, because I didn't check them all out. Just wanted to add some perspective.

Posted by: BTKrebs | June 4, 2009 7:27 PM

This action and the inter-agency cooperation are a clear demonstration that this administration is awake at the switch, unlike the last eight years of sleepy oblivion, during which malware evolved from an anti-social 'hobby' to a multi-billion dollar enterprise. The evolution might not have been so dramatically successful with a cyber-awake/aware Admin. (Enough tears over spilled milk).

Two educated guesses. 1) This is the first of many such actions to come. 2) In the spirit of international cooperation that Obama, et al. espouse, they will be cooperating with corresponding agencies in the rest of the law-abiding (or close, anyway (-: ) nations with a large online presence.

Over time, the cumulative effect of this legal assault on the malware enterprise will bracket it--give it a much narrower range of operation--which will weaken it and make negotiation with governments that shelter it much easier.

There's no reason to celebrate, but there's very good reason for encouragement and relief.

Posted by: featheredge99 | June 4, 2009 8:07 PM

Sorry, off topic, but needs to be said: Brian Krebs is hot. :-)

Posted by: swmuva | June 4, 2009 9:11 PM

Is this a matter of some criminal offense or is it a matter of disagreeing with some mucky-muck?

Posted by: n7uno | June 5, 2009 1:28 AM

Pricewert is registered in Oregon as a domestic LLC, but with a principal place of business in Belize. Not sure how the Corp. Division let that one slide by.
http://egov.sos.state.or.us/br/pkg_web_name_srch_inq.show_detl?p_be_rsn=991234&p_srce=BR_INQ&p_print=TRUE

Posted by: BCLeeOR | June 5, 2009 2:09 AM

Hi, I'm from Odessa (Ukraine).
Web design studio - Vladarta

More than 50 web sites of our clients are down.

We don't have the last backup of db and files.

So what to do? Parse Google cache of small sites? And what about users' profiles???

It is not good to kill hosting without any information to its customers...

Posted by: vladarta | June 5, 2009 5:10 AM

But, what are the names of the individuals running these networks? Have international arrest warrants been issued for them? Will they be kidnapped from the various foreign countries where they reside and wake up in Guantanamo? If not why not? If not, how are they affected in any way, other than to lose a little money? Have we any "007's", licensed to kill, that we can send after them?

Posted by: vcompton1 | June 5, 2009 5:16 AM

Well then vladarta, I guess your customers are screwed, huh? 3FN was a well-known bad actor in the ISP industry, and I don't for one second believe that you didn't know about it. And even if you were so naive that you didn't, how irresponsible of you to not keep valid backup copies of your customer websites. I hope that you get sued for every ruble you have.

Posted by: scooterndc | June 5, 2009 8:34 AM

Brian,

Nice article...Here is something you can help me understand better. The US government dramatically reduced online gambling by making it illegal for Visa/Mastercard, etc to provide payment services to these businesses. In one fell swoop, I believe, this reduced the number of such sites even though most of these operators were outside the US. Visa/MC did not want to get on the wrong side of US law. So they pulled the plug on their clients who were involved in online gambling.

Instead of going after hosting providers, I think it will be more effective for the FTC to go to Visa/MC and ask them to decline to process payments for these bad actors. This will be more effective and binding than shutting down hosting since it won't be long before 3FN is back on some other servers!

-- Bill

Posted by: evalsinca1 | June 5, 2009 9:22 AM

There have been quite a number of similar stories published over the past couple of years, but this one is the first that has actually coincided with a significant decline in the amount of spam I am receiving. Congratulations to the FTC, and I wish them well in their efforts to cooperate in the apprehension of the culprits themselves.

Death to spammers!

Posted by: FergusonFoont | June 5, 2009 9:54 AM

Does FTC think about law-abiding consumers?

I had no idea about their black activity. They had a convenient site with an evidently expensive design, low prices. I can't always apply to a detective agency while choosing a hosting :)

If all servers are arrested, they will be checked for an illegal activity, right?
So, if the server I rented turns out to be clean will they return the backups from that server?

Posted by: d-d-d | June 5, 2009 10:55 AM

To poopie1

Please don't politicize this. About a year ago I went to what I thought was a legit site and it redirected me to some.ru site which then proceeded to take over my computer I assume. Fortunately I was on a Mac and all it did was lock up my computer when it attempted to run some kind of script through Java or JavaScript from what I could determine. I rebooted, did a virus and spyware scan and found all was clear thank goodness.

To block all these spam service providers or any company that will not set up a server here in US is fine with me.

I'm glad the FTC is using this tactic and if it helps other agencies go after them for child pornography more power to them.

Posted by: macdaddybill | June 5, 2009 11:32 AM

Primary Shareholder of 3FN is Pavel Vrublevsky - main owner of the billing system Chronopay http://www.chronopay.com/en/reference/About-Chronopay.Management.Board-Of-Directors
More information about this
http://www.ecommerce-journal.com/forum?c=showthread&ThreadID=513
FBI with Interpol must arrest this awful man - he sells the souls of our children

Posted by: anonym2009 | June 5, 2009 1:47 PM

"Does FTC think about law-abiding consumers?"

Let's take a bet... are d-d-d, chubis and maybe vladarta all the same person?

Posted by: jamshark70 | June 5, 2009 2:06 PM

There are those cases where Chinese justice seems to me to be the way to deter... execution.

Posted by: kkrimmer | June 5, 2009 10:06 PM

No one on here seems to care that this company hosted botnets, spam operations, and other fraudulent businesses. Granted, we need to demolish any service that hosts child pornography, but no one seems to care about the other details. I wonder if this story would have come out at all if it didn't include child abuse and bestiality.

Posted by: calcmandan | June 5, 2009 11:10 PM

This is exactly the kind of work that led me to put Brian in my RSS feeds. Most newspapers post amateur, incomplete stories about threats to our home computers and the internet. Why Brian's column should fall under the rubric of "business news" is beyond me. Since the computer has become the most important machine in many of our lives, news about them is everybody's business.

Posted by: kdoren | June 6, 2009 8:03 AM

I cannot believe that the rest of the news media cannot get off their lazy rears to cover this news. It appears far easier for the media to act like a herd of stupid gazelles and run after the big story of the day rather than actually follow the news of this ongoing cyber war with the Russian mobs that affect all of us.

Kudos to the FTC for finally growing the cojones to do something about what robs everyone in the world of time and money. Kudos to Brian Krebs for actually covering it with sense. Why is Brian's column just a blog and not a WP technology article?

Posted by: rv12 | June 6, 2009 12:18 PM

Brian,

Off the cuff I guess you could say this is incremental progress but it is also yet ANOTHER step backwards. Once again these guys have learned that they need to be off shore and more resilient and decentralized. This only succeeded in pushing them to other places and not resolving the issue at hand. After the McColo, Aprivo, and other bad ISP take downs, which in my opinion were lost enforcement opportunities... why if this provider was known for months on end by federal authorities was the result not an administrative action (injunction, depeering) but a major bust by the FBI, Secret Service, and state, local law enforcement resulting in arrests of any human body in the San Jose location, televised FBI agents walking out every digital asset from that location for forensic analysis, simultaneous arrests in Belize, London, India as a result of a complete rollup of the organization. They have other hosting facilities and locations. Oregon can pull their LLC registration, Belize can arrest their operators. Why has the result of this simply been a shoo shoo, go away instead of a complete, massive, and hard hitting rollup of the operators and their masters. PUBLICLY name, track, locate and apprehend these guys. Hound them like paparazzi no matter what country they live in. Post every single piece of personal information about these people, their family, their history, their associates, their finances, their friends, their addresses, where they live, who they have worked for. OUT these guys with a massive SPOTlight and focus the full force of the Internet community on them. Once the information is out it can never be taken back and the heat on them will make them toxic to everyone that crosses their paths.

For GOD'S sake let's actually do something instead of the half ass measures that have been happening to mixed effect.

My conclusion is this, as a result of this and other takedowns:

NO arrests, no indictments, no public namings, no international cooperations - result operations move to other areas, learn a valuable lesson and continue elsewhere targeting US citizens.

Operation Failure yet again. Hopefully authorities will learn something and do it differently next time.

You can start by naming the next 10 bad host ISPs on the list, bringing them to light and run intel and takedown real enforcement operations on them.

For more ideas on how to go about this stuff read more at www.conanthedestroyer.net

Diocyde

-care to respond or lend your opinion to the issues I raise?

Like I said earlier, let's up the debate. We can start with a continuation of Joe Stewart's ideas of dedicated special forces strike teams on some of these organized crime syndicates.

Posted by: diocyde | June 8, 2009 12:07 PM

Krebs, your article is hmmmm... a fiction. I live in USA. I speak Russian. I'm in online business. It doesn't look like you are capable to even consider another side opinion. So I'll not waste my time for details. I just give you a couple of samples. Let's talk about "online spam forum located at the website crutop.nu" and "discussing spam section of crutop.nu" The "expert" has seen word "spam" on the site. But he didn't get the context :) Everyone can go to crutop.nu/Vbulletin/ and read "Financial Spam" (means the forum is designated for financial services ads) etc. "spam" just a funny name for advertising. Actually any discussions about email spam are strictly forbidden on crutop. Or let's translate entire post of Rett - about rape and incest. Can you do it? You'll figure out that the guy was asking about legal content - fantasy rape. Krebs, frankly speaking - you have no idea what you are writing about. You don’t even realize that FTC guys just create a lot of real criminals when they act so… sporadically.
michandr (at) mail.ru (yeah, yeah. That's a Russian email. Guess what? I have an office in PA.)

Posted by: michandr | June 9, 2009 1:00 AM

Hello, I am from the small country Moldova, I have the site www.rent.md, I was waiting for summer because summer is the season when I can make money on my site.
And now I have big problems with apartment owners, we are losing money each day!
Why did I choose 3FN? Because their prices are not low (it means that service must be OK) and I read a lot of good reviews about this hosting.

So, Mr. Krebs, are you still sure that you are doing right?

P.S. Sorry for English.
Best regards,
Sergei

Posted by: Serghei | June 10, 2009 12:25 PM

Serghei -- See the update I posted to this story yesterday. It includes new information, including the fact that it is likely that a judge will soon require the appointment of a person to weed out legitimate sites from not-so-legit sites at 3FN.

http://voices.washingtonpost.com/securityfix/2009/06/the_fallout_from_the_3fn_taked.html

No idea whether that will be soon enough for you and your business, but I will continue to follow this story. Thanks for reading.

Posted by: BTKrebs | June 10, 2009 1:27 PM

© 2010 The Washington Post Company