FTC Shuts Down ISP Hosting Child Pornography, Other Malicious Content

Ariana Rodriguez
BALTIMORE — Internet service provider PriceWert recruited, hosted and distributed more than 15,000 spam, child pornography and phishing sites, according to the Federal Trade Commission, which successfully argued to a federal judge that its services should be down.

The FTC alleges that even though Pricewert officially registered in Oregon, its principles and staff are located in the Ukraine and Estonia.

According to the FTC, the defendant, Pricewert LLC, which operates under a variety of names including 3FN and APS Telecom, actively recruited and conspired with criminals that distribute illegal, malicious and harmful electronic content.

After a 4-0 vote, the Commission authorized the complaint, which was filed at U.S. District Court in San Jose. The court issued a temporary restraining order to prohibit Pricewert’s operation and ordered its upstream Internet providers and data centers to cease providing service to it.

The FTC charged that the defendants’ actions caused substantial consumer injury and was an unfair practice, in violation of federal law.

The illicit content circulated includes child pornography, spyware, viruses, Trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality and incest.

According to the FTC, 3FN has a five-year record of serving up child porn. Investigators gathered 700 reports of child porn hosted by the network from the National Center for Missing and Exploited Children dating back to 2004.

In one chat transcript intercepted by investigators, a writer who identified himself as 3FN's "senior project manager" was asked by a potential customer if the firm could host "rape and incest sites on 3FN." The response: "Yes of course."

The FTC said that the defendant advertised its services “in the darkest corners of the Internet,” which included a forum established specifically for communication between online criminals.

Washington Post’s Security Fix blog captured an image of an ad for 3FN’s services found on Verified.ru, a Russian forum dedicated to identity theft and the sale of stolen identities.

Besides rampant child porn distribution, the FTC alleges 3FN and its users engaged in click fraud — a method that uses hijacked PC to defraud pay-for-click advertisers. A chat log intercepted by investigators, a 3FN representatives explains to a customer that it takes about 20,000 computers to earn $500 a day when engaging in click fraud.

Pricewert is accused of hiding its criminal operation by shifting to different Internet protocol addresses to avoid detection and simply ignoring take-down requests, according to the complaint.

Pricewert also allegedly used Botnets, which are large networks of computers that have been compromised by the originator, known as a bot herder, which can be used to send spam.

According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers, which relay commands from bot herders to the compromised computers. In transcripts of instant-message logs filed with the district court, the defendants’ senior employees discuss the configuration of botnets with bot herders.

Among the most popular sites on 3FN’s hosting servers was Botmaster.net, a popular service and service product used to blast out massive amounts of blog comment spam.

Filings with the district court by the FTC allege that 3FN- hosted command-and-control servers control more than 4,500 malicious software programs. The malware includes programs capable of keystroke logging, password stealing, and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution.

The complaint notes the most recent crime by 3FN occurred in April when a NASA computer was attacked in what appeared to be a random effort to hijack computers to build a botnet.

The case was brought with assistance from NASA’s Office of Inspector General, Computer Crime Division; Gary Warner, director of research in computer forensics, University of Alabama at Birmingham; The National Center for Missing and Exploited Children; The Shadowserver Foundation; Symantec Corporation; and The Spamhaus Project.

Following 3FN’s blackout, Russian blogs responded with an issued statement from 3FN operators tell customers that they will be back online in another location within hours or days.

Reports state that a number of 3FN domain name servers already have popped up at new locations online.

Among the sites hosted by 3FN were some legit sites, including Free Software Magazine, an online publication in which a column today appeared addressing the blackout.

“3FN could be guilty or innocent,” columnist Tony Mobily writes. “Or maybe a mixture of the two. In any case, they were executed without a court case, without a jury, without a way to defend themselves. This is the part that disturbs me.

“Many innocent sites were caught in the crossfire. Free Software Magazine and FSDaily were two of them.”

While the FTC investigation is ongoing, 3FN representatives have the option to appear in federal court for a preliminary injunction hearing is set for June 15 to try to persuade a lift on the restraining order.