FTC Sues, Shuts Down N. Calif. Web Hosting Firm

In an unprecedented move, the Federal Trade Commission has taken legal steps to shut down a Web hosting provider in Northern California that the agency says was directly involved in managing massive global spam operations.

Sometime on Tuesday, more than 15,000 Web sites connected to San Jose, Calif., based Triple Fiber Network (3FN.net) went dark. 3FN's sites were disconnected after a Northern California district court judge approved an FTC request to have the company's upstream Internet providers stop routing traffic for the provider.

In its civil complaint, the FTC names 3FN and its various monikers, including Pricewert LLC -- the business entity named on the 3fn.net Web site registration records. The FTC alleges that Pricewert/3FN operates as a "'rogue' or 'black hat' Internet service provider that recruits, knowingly hosts, and actively participates in the distribution of illegal, malicious, and harmful content," including botnet control servers, child pornography and rogue antivirus products. 3FN also operates by the names APS Telecom and APX Telecom.

In an interview with Security Fix, FTC Chairman Jonathan Leibowitz said the agency's action targets one of the Web's worst actors.

"Anything bad on the Internet, they were involved in it," Leibowitz said. "We're very proud, because in one fell swoop we've gone after a big facilitator of some of the utterly worst conduct."

The FTC chairman confirmed that this was the first time the agency had sought and been granted an order to shut down an Internet service provider.

Efforts to contact 3FN via phone, instant message and e-mail were unsuccessful. I will update this post in the event I hear back from them.

The FTC alleges that even though Pricewert officially is registered in Oregon, its principals and staff are located outside of the United States.

"Pricewert markets its services to domestic and overseas criminals by placing ads in the darkest corners of the Internet, including forums set up to facilitate communication between criminals," the FTC complaint said. (The image on the right is a screen shot of an ad for 3FN's services I found running on verified.ru, one of the busiest Russian online forums dedicated to identity theft and the sale of stolen identities).

"Pricewert hosts very little legitimate content and vast quantities of illegal, malicious, and harmful content, including child pornography, botnet command and control servers, spyware, viruses, trojans, phishing related sites, illegal online pharmacies, investment and other Web-based scams, and pornography featuring violence, bestiality, and incest," the FTC said.

The FTC also said that not only was 3FN hosting sites promoting illegal activities, but that its owners and operators were directly facilitating and brokering those businesses. The commission references several Internet chat logs in which the head of programming for Pricewert/3FN is observed directly participating in the creation and configuration of a botnet.

"The customer informs Pricewert that he controls 200,000 bots and needs assistance configuring the botnet. The head of Pricewert's Programming Department agrees to assist, but complains upon learning of the size of the botnet that it will require a lot of work," the FTC's complaint alleges.

Botnet experts I have spoken with over the past eight months have found that 3FN housed many of the command and control networks for "Cutwail," one of the world's largest spam botnets. As late as mid-April, Joe Stewart, a botnet expert and director of malware research at SecureWorks, tracked nearly a dozen Cutwail control networks hosted at 3FN.

Indeed, in February, Security Fix began tracking malware samples from Cutwail and its cousin Pushdo that traced back to 3FN, dating back to at least October 2008. These reports were listed at ThreatExpert.com. A copy of that record -- with citations from malware analysis reports -- is available at this link here (Microsoft Excel document) or in HTML format. The Internet addresses colored yellow in those charts belong to 3FN.

Among the most popular sites on 3FN's hosting servers was botmaster.net, the home of an extremely popular service and software product used to blast out massive amounts of blog comment spam.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and a principal at the Arlington, Va., based Internet Law Group, said the FTC's authority gives it the power to shut down companies that appear to be engaged in unfair and deceptive practices, whereas criminal law enforcement agencies have a much higher standard for proving wrongdoing in order to convince a court to shut down an ISP.

"It could be that other law enforcement organizations are using the FTC as a front in order to obtain evidence for later criminal prosecutions," Rasch said. "What's interesting about that approach is that in order for these guys to get out from under this court order, they're going to have to show that they've taken steps to clean up their act. But if there is a criminal investigation ongoing against 3FN, then anything their operators say in trying to convince a court to lift the order can and will be used against them later."

The FTC's Leibowitz declined to say whether other law enforcement agencies were investigating 3FN, but said his agency was assisted by several organizations, including: cyber investigators at NASA; Spamhaus; The Shadowserver Foundation; the University of Alabama at Birmingham; The National Center for Missing and Exploited Children; and Symantec Corp.

Interestingly, the Russian blogosphere is beginning to light up about 3FN's closure. This blog post notes that large numbers of 3FN customers were forced to move their sites to other providers. Meanwhile, the 3FN operators are telling customers that they will be back online in another location within hours or days.

Christopher Barton, lead research scientist at McAfee, said a number of 3FN domain name servers already have popped up at new locations online.

"The rats are running," Barton said.

Leibowitz said his agency would continue to pursue other ISPs that "provide a haven for Internet criminals."

"This is a signal that we're going to go after you, and you're not going to be able to hide behind the shroud of the Internet and be immune from enforcement action," Leibowitz said.

A signed copy of the FTC's complaint is available here (PDF).

Update, Jun. 14, 10:57 p.m. ET: 3FN released a lengthy statement responding to the FTC's action and allegations. That statement is available here, via PRWeb.