June 5, 2009 at 11:00 AM ET
It was allegedly the darkest of the Internet's dark corners. On the Internet provider's servers, authorities say, were Web sites with names like young-girl-sex.net, little-incest.com, and littles-raped.com. It allegedly helped criminals serve up spyware, spam, Trojan horse programs and mount phishing attacks, and also helped them sell illegal drugs and pirated music. But now, federal authorities say, the ISP at the core of a "witches brew" of illegal activity has been shut down.
The FTC's complaint offers a rare glimpse into the seediest parts of the Web.
The Internet provider called itself Triple Fiber Network – or 3FN.net -- and claimed to be based in Oregon while operating servers "in the heart of Silicon Valley." But the Federal Trade Commission alleges that 3FN -- also known as Pricewert LLC and APS Telecom -- was really controlled by criminals in the Ukraine and Estonia, and was the "worst ISP located in the United States in terms of hosting malicious content."
The FTC obtained a temporary restraining order on Wednesday from a federal judge in the Northern District of California that shut down the service and possibly thousands of Web sites. FTC staff attorney Ethan Arenson said it was the first time the agency had ever shut down an ISP.
"There were unique circumstances in this case which called for that," Arenson said.
Among the unique circumstances, according to the FTC: a five-year track record or serving up child porn. While FTC investigators pieced together their case, they asked the National Center for Missing and Exploited Children to look for complaints against Web sites associated with 3FN. The center found 700 reports of child porn hosted by the network, the first of which was lodged in 2004. Among the ugliest: Sites containing the language: "ILLEGAL PHOTOS OF LITTLE GIRLS - just 3 steps," and "VERY LITTLE SCHOOLGIRLS RAPED."
In one chat transcript intercepted by investigators, a writer who identified himself as 3FN's "senior project manager" was asked by a potential customer if the firm could host "Rape and Incest sites on 3FN." The response: "Yes of course." 3FN even brazenly advertised its services on a site named IncestMoney.com.
At one point, a 3FN client managed to hack the Oxford University's Department of Education Web site, the FTC said in its complaint. Visitors were redirected to a 3FN-hosted Web sites hosting child porn.
The FTC complaint mentions a separate, ongoing criminal investigation into the network, but Arenson said he couldn't discuss it. He said only that the FTC operation was completely independent from any other investigation.
In addition to rampant child porn, the network and its users were engaged in a long series of other criminal activities, the FTC alleges. Hundreds of thousands of hijacked computers that were part of "botnets" -- armies of hacked machines used for criminal activities -- were controlled through 3FN. In a chat log intercepted by investigators, one customer brags about having 200,000 computers under his control. A 3FN representative then explains that it takes about 20,000 computers to earn $500 a day when engaging in click fraud -- a method that uses hijacked PCs to defraud pay-for-click advertisers.
The crime ring was so extensive, the FTC said, that it recruited a panel of experts to examine the evidence and testify in support of the restraining order, which Arenson said was necessary because the network was engaged in ongoing crimes. In its complaint, the FTC cites crimes as recent as late May. A NASA computer was hit in April, according to NASA Special Agent Sean Zadig, who assisted the FTC. That was just one of 16 attacks in recent months coming from 3FN networked computers. The NASA attacks appears to be a random effort to hijack computers to build a botnet, and not a specialized attack aimed at critical NASA computers.
Illegal drug, music sales
But other activities were clearly more focused. Gary Warner, direct of research in Computer Forensics at the University of Alabama, testified that the network hosted several sites selling fake antivirus programs that attempted to extort consumers; illegal pharmacy sites like BuyCialisWithoutAPrescription.net, BuyValiumNoRX.com and BuyDrugsOnlineNoPrescriptionNecessary.net. There were also highly developed music piracy Web sites offering stolen music by artists like Kanye West and Britney Spears for 20 cents per song, and $3 per album --- well below market value.
3FN also went to great lengths to protect clients from spam filter tools, according to Steve Linford, who operates a spam-fighting agency called the Spamhaus Project. 3FN officials would respond to spam reports and temporarily remove offending domains, only to restore them later, a tactic Linford called the "push a pawn" strategy. That gave 3FN spammers the ability to evade filtering software better than other spammers.
Andre DiMino, co-founder and director of The Shadowserver Foundation, a cybercrime research organization, told the FTC he found 4,576 unique computer viruses designed to "phone home" to 3FN-network computers. The malicious programs, generally used to build botnets, were able to steal passwords, log user keystrokes and send spam.
Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the FTC that one such program called "InfoStealer.Banker.c" was designed to steal online bank account information.
On Thursday, a Web site named Ecommerce-Journal.com reported that "the world has lost another service which was hosting thousands of Web sites and Internet projects." It called 3FN a Russian Web host and claimed to have received a statement from the site in which its operators said they were having trouble with "state authorities."
"We have the worst experience one can even imagine. We faced the problems with the U.S. law machine that play the game according to its own rules. We have to fight against it and we have some success," the 3FN officials were quoted as saying.
Clients of the site were demanding refunds and blaming 3FN for getting the attention of U.S. authorities, the Ecommerce-Journal reported. "The current situation occurred only because of the ads that lately could frequently be seen on the forums of carders and spammers."
The story, which was seen and copied by an msnbc.com reporter, was removed soon after the FTC announced its investigation, however. Attempts to contact Ecommerce-journal, which says on its site has offices in Boston and Moscow, were unsuccessful.
The FTC investigation is ongoing. 3FN representatives have the option of appearing in federal court on June 14 to try to persuade the court to lift its temporary restraining order.
Meanwhile, the FTC has also acted to freeze 3FN's assets while litigation proceeds.