ChoicePoint, one of the nation's largest data brokers, has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year.
In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement.
During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information, the FTC said.
The FTC alleged that ChoicePoint's conduct violated a 2006 court order requiring the company to institute a comprehensive information security program following a 2005 breach that compromised the personal information of more than 163,000 people and resulted in at least 800 cases of identity fraud. The company was ordered to pay $10 million in civil penalties and $5 million to consumers in that case.
To settle the recent charges, ChoicePoint agreed to pay the fine and provide reports on its data protection practices to the FTC every two months for two years.
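The failure in the ChoicePoint case was not the breach itself but that the access monitor went silent for four months without anyone noticing. A defender's counter-measure is to watch the monitor: alert when audit events stop arriving. The following Python is an added example, not ChoicePoint's or the FTC's code; the log format and sample lines are constructed.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample audit-log lines from a hypothetical database access
# monitor (not ChoicePoint's real logs): "<ISO timestamp> <user> <action>".
# Entries stop after 2008-03-31 and resume months later, mimicking a
# monitor that was switched off and not noticed.
SAMPLE_LOG = """\
2008-03-30T08:00:00 analyst1 SEARCH
2008-03-30T12:30:00 analyst2 SEARCH
2008-03-31T09:15:00 analyst1 SEARCH
2008-08-01T10:00:00 analyst3 SEARCH
"""


def parse_timestamps(log: str) -> List[datetime]:
    """Extract the timestamp from each non-empty audit line, sorted ascending."""
    stamps = []
    for line in log.splitlines():
        if line.strip():
            stamps.append(datetime.fromisoformat(line.split()[0]))
    return sorted(stamps)


def find_silence_gaps(
    stamps: List[datetime],
    max_silence: timedelta,
    window_start: datetime,
    window_end: datetime,
) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) intervals inside the window during which no audit
    event arrived for longer than max_silence.

    The stretch from the last event to window_end is checked too, so a monitor
    that has stopped entirely is reported, not only one that paused and resumed.
    An empty log yields the whole window as a single gap."""
    gaps: List[Tuple[datetime, datetime]] = []
    prev = window_start
    for cur in stamps:
        if cur - prev > max_silence:
            gaps.append((prev, cur))
        prev = cur
    if window_end - prev > max_silence:
        gaps.append((prev, window_end))
    return gaps


def audit_gap_report(log: str, max_silence_days: int,
                     window_start: str, window_end: str) -> List[Tuple[str, str, int]]:
    """String-based wrapper: (start, end, whole days) for every gap longer
    than max_silence_days. Any non-empty result should page an operator."""
    gaps = find_silence_gaps(parse_timestamps(log),
                             timedelta(days=max_silence_days),
                             datetime.fromisoformat(window_start),
                             datetime.fromisoformat(window_end))
    return [(s.isoformat(), e.isoformat(), (e - s).days) for s, e in gaps]


if __name__ == "__main__":
    for start, end, days in audit_gap_report(SAMPLE_LOG, 1,
                                             "2008-03-30T00:00:00",
                                             "2008-08-02T00:00:00"):
        print(f"ALERT: no audit events for {days} days ({start} to {end})")
```

A one-day threshold is a placeholder; set it from the normal event rate of the system being watched.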
Meanwhile, payroll processor PayChoice has had two data breaches in less than a month. On October 1, the company said it was investigating a breach in which targeted e-mails were sent to customers that attempted to trick them into downloading malware.
Then last week, PayChoice told customers it was again shutting down its online portal after clients started noticing fake employees being added to their payroll in what is likely the second stage of a broader attack, according to the Security Fix blog.
It appears that attackers stole login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their portal passwords, the report said. The usernames and passwords were then included in the e-mails sent out to customers a few weeks ago.
3FN's Web site before it was taken down. (Credit: Mhvt)
The Internet might just have gotten a little safer.
The Federal Trade Commission announced Thursday that it had Pricewert shut down by the U.S. District Court for the Northern District of California, San Jose Division.
Pricewert is a San Jose, Calif.-based Internet service provider that allegedly recruits criminal clients and intentionally and actively participates in the distribution of spam, child pornography, and other harmful electronic content.
Generally, the commission files a complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.
The court issued a temporary restraining order to prohibit Pricewert's illegal activities and required its upstream Internet providers and data centers to cease providing services. Pricewert is now completely off the Internet. The order also freezes Pricewert's assets.
According to the FTC's complaint, Pricewert, which does business under a variety of names including 3FN and APS Telecom, recruits and colludes with criminals seeking to distribute illegal, malicious, and harmful electronic content over the Internet. The content reportedly includes child pornography, spyware, viruses, Trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest.
Spam is one of the biggest online nuisances. (Credit: Jackmedia)
Pricewert allegedly advertised its services via a forum established to facilitate communication between criminals. In addition, the company shielded its criminal clientele by either ignoring take-down requests issued by the online security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection, according to the FTC.
The FTC also alleges that Pricewert engaged in the deployment and operation of botnets--large networks of computers that have been compromised. Transcripts of instant-message logs filed with the district court show Pricewert's senior employees discussing the configuration of botnets with "bot herders."
In its filings with the district court, the FTC estimates that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution.
This case was brought to light with the assistance of multiple agencies and people including NASA's Office of Inspector General; the Department of Justice's Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; the Spamhaus Project; and Symantec.
Talking to CNET News, Vincent Weafer, vice president of Symantec Security Response, said that this crackdown, more than anything, sent a message to the bad guys that now corporations and law enforcement are more willing to work together to fight illegal online activities.
In regard to how much safer this would make the Internet, Weafer said it would take time to find out, but it likely won't change much in terms of how many spam messages you'll receive a day, as there are many other companies like Pricewert around the world. Symantec has been working closely with law enforcement by providing intelligence via its 240,000 Internet activity sensors located in 200 countries around the world.
The court will hold a preliminary injunction hearing on June 15.
You might have heard about online "phishing" scams designed to steal money from unsuspecting Web users, but now criminals are using another type of scam called "vishing" to commit the same crimes.
Last week, the Federal Trade Commission filed lawsuits against two telemarketing firms in Florida and a company claiming to sell extended automobile warranties for violating the Do Not Call registry and fraud for selling bogus warranties for between $2,000 and $3,000 a pop. Since 2007, the companies supposedly made 1 billion calls and generated more than $10 billion.
These companies likely used spoofed caller ID numbers to hide their identities from consumers and law enforcement authorities.
The case is the latest example of what are known as vishing attacks, which use the phone network to swindle people out of money. To help readers understand what these scams are, how they work, and how they can protect themselves, CNET News has put together this FAQ.
What is vishing? Vishing is a social-engineering technique for stealing information or money from consumers using the telephone network. The term comes from combining "voice" with "phishing," the online scams that get people to give up personal information.
How does it work? Typically attackers use a technique called caller ID spoofing to make it look like calls are coming from a legitimate or known phone number. It's a very similar technique to email spoofing, which makes e-mail addresses look like they are coming from a trusted source. But because people typically trust the phone service and caller ID, spoofing phone numbers can be particularly damaging.
And just like with online phishing attacks, which direct consumers to phony Web sites, vishing attacks usually have a recorded message that tells users to call a toll-free number. The caller is then typically asked to punch in a credit card number or other personal information. In the case of the warranty scams, users are asked to buy a bogus extended warranty for their car, which can cost anywhere between $2,000 and $3,000.
How easy is it to spoof a phone number? With voice over IP phone technology, caller ID spoofing is very easy to do. The traditional phone network works by connecting one circuit to another. Each circuit on either end of the call is assigned a phone number by the phone company. So changing the phone number of a caller was more difficult. Of course, there were people who had figured out ways to hack into the old phone network to do this, but it wasn't as easy as it is today with voice over IP technology. With VoIP services, there is no circuit. These services use the Internet, which assigns different devices on the network IP addresses instead of actual phone numbers. Phone numbers are actually assigned by the users themselves.
There are several companies offering commercial spoofing services, such as SpoofCard. And even VoIP services, such as Skype, allow people to pick an area code and even the prefix number they want when they set up a new phone number. These numbers can be used to disguise where calls originate. Of course, Skype is built for individual use, but other services like Flowroute provide VoIP services for businesses using PBXs. A PBX, or private branch exchange system, makes connections among the internal telephones of a private organization, such as a business, and it also connects them to the public switched telephone network (PSTN). These services allow companies to pick any phone number for caller ID they want. And some telemarketers use the service to spoof telephone numbers.
The practice of caller ID spoofing is so widespread and common that one of the telemarketers accused in the FTC lawsuit supposedly bragged to a prospective client that he could call the entire United States in just a few hours and would not get caught calling people on the Do Not Call List.
Is caller ID spoofing illegal? No it's not. But there is proposed legislation that could make manipulating a phone number to look like it's coming from someone else illegal.
Are there legitimate uses for caller ID spoofing? Yes, there are some legitimate uses for spoofing. Voice over IP providers by definition must use spoofing, or some kind of number manipulation, to create phone numbers. But there are other legitimate uses. For example, doctors who want to call back patients from home may use spoofing to conceal their home numbers. Some online dating services use spoofing to let people talk to potential matches without revealing their real phone numbers. And some lawyers involved in domestic violence cases may use caller ID spoofing to protect the whereabouts of abused clients.
Even though there are some legitimate uses for caller ID spoofing, Lance James, co-founder of Secure Science, which specializes in fraud protection, says 75 percent of all caller ID spoofing is likely for illegitimate purposes. Still, he believes that any new laws written that make caller ID spoofing illegal, should distinguish between people using spoofing for legitimate purposes and those looking to harm or scam people out of money.
Who typically uses caller ID spoofing and vishing scams? Most vishing attacks have come from nefarious individuals or crime rings stealing credit card numbers or other personal information for identity theft. But telemarketers are also using the technique to get people to buy bogus products. Because the cost of spoofing caller ID numbers with a voice over IP service is so low, companies using the technique only have to get a few people to buy a phony product or hand over personal or financial information to make the effort profitable.
How do the scams usually work? Scammers often use either a war dialer, which is software that identifies numbers that can be used to make calls, to call phone numbers in a given region, or they access a legitimate voice messaging company with a list of phone numbers stolen from a financial institution. Usually they set up an automated recording to call individuals telling them that their credit cards have been flagged for fraudulent activity. Then they either ask people to provide credit card numbers, PIN codes, and/or Social Security numbers to verify their account or they provide another number where the consumer is to call to provide account details.
Some sophisticated attacks combine vishing and phishing. These scams typically start with a phishing e-mail that says there has been a problem with an online account from a known Web site, such as a bank, credit card company, or online retailer, and it directs users to call a number and enter information to verify their account.
Is it hard for authorities to catch vishers? Yes and no. Because all calls originate and terminate somewhere, there are billing records that law enforcement officials can use to trace calls to their sources. But this often takes several subpoenas to get access to the right information, which takes time and costs money.
Are there any technologies that can be used to identify vishing attacks? The biggest vulnerabilities in the communications network occur where older technologies meet new technologies, according to Secure Science's James. As a result, he believes that a coordinated effort by traditional phone companies and newer VoIP companies can help stop many attacks. Essentially, traditional phone companies and VoIP providers can verify and authenticate calls to ensure people making calls are who they say they are. This practice should cut down on much of the illegal activity that is done by spoofing caller ID numbers, James said.
Carriers could also add clauses to their terms of use that would prohibit customers from using spoofed IDs to commit fraudulent acts. And if these users are caught doing something illegal, they could have their service terminated.
Some companies are offering blacklist software that blocks certain caller ID phone numbers. Of course, blacklisting can be tricky, since scammers and telemarketers can change the pool of numbers they use to conceal their identities. For example, Google will offer a feature in its Google Voice product that will allow phone calls to be filtered like e-mail, so that users can block calls or send calls from certain phone numbers to a "spam" folder.
And finally caller ID spoof providers like SpoofCard, which handles the large majority of spoofed numbers on the market, can work with service providers and law enforcement to flag suspicious spoofers.
What can consumers do to protect themselves? Here is some advice from security experts:
Be aware. Consumers need to know that these scams exist. To find out more information, go to the FTC Website.
Be suspicious of all unknown callers. People should be just as suspicious of phone calls as they are of e-mails asking for personal information. And some experts suggest letting all calls from unknown callers go to voicemail.
Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company. As explained earlier, caller ID spoofing is easy.
Ask questions. If someone is trying to sell you something or asking for your personal or financial information, ask them to identify who they work for, and then check them out to see if they are legitimate.
Call them back. Again if someone is selling you something or asking for information, tell them you will call them back and then either verify the company is legitimate, or if it's a bank or credit card company, call them back using a number from your bill or your card. Never provide credit card information or other private information to anyone who calls you.
Register your number with the National Do Not Call registry at donotcall.gov. Even though criminals and unscrupulous telemarketers may ignore the list, if you are on the list and get a call from a supposed telemarketer, that could be a tip that the offer is bogus. Most legitimate telemarketers obey the rules and laws about contacting consumers. Also, the Website provides a place where complaints can be filed.
Report incidents. Report vishing calls to www.ftc.gov or call (888) 382-1222. The FTC wants the number and name that appeared on the caller ID, as well as the time of day and the information discussed or heard in a recorded message. If you think you've been a victim of a vishing attack, you can also contact the Internet Crime Complaint Center.
WASHINGTON--President Obama's economic stimulus plan has already spurred activity in at least one online industry, though not one the administration was hoping to encourage.
Deceptive Web sites, advertisements, and e-mail campaigns have cropped up across the Web in recent weeks, luring consumers into scams by promising them federal grant money from the stimulus package, the Federal Trade Commission said Wednesday.
The FTC is investigating these scams and is reaching out to the private sector for help. Google on Wednesday morning committed to investigating stimulus-related ads that violate its anti-scam policy, and Facebook has pulled ads for stimulus funds from its site, in accordance with a new advertising policy it implemented this week.
The deceptive sites and ads "have literally mushroomed up almost overnight," Eileen Harrington, the acting director of the FTC's Bureau of Consumer Protection, said Wednesday.
Web sites fraudulently offering ways for consumers to receive stimulus funds often use pictures of President Obama. (Credit: Screenshot provided by the Federal Trade Commission)
Scammers have created sites with domains like PresidentObamaGrants.com and OfficialStimulusGrants.com, Harrington said, and include pictures of President Obama and Vice President Biden. The sites prompt consumers to enter a credit card number to pay a small fee in return for a list of grants supposedly available for things like mortgage payments. Those small fees, however, are often nothing more than a down payment on a "negative option" agreement that could cost someone thousands of dollars over the course of a year if not canceled.
"These Web sites tout free money for you," Harrington said. "But as the saying goes, the devil is in the details. Buried deep within the Web site is the fact that they'll charge you a lot of money."
Advertisements for these sites have started appearing on social-networking sites, video-streaming sites, and search engines. While Google and Facebook have been cooperative, Harrington said not all sites have been responsive to the FTC's request for help, though she declined to name any such sites. She also said the FTC has been in communication with network advertising groups about the problem, though she again declined to name which ones.
"We've spent a lot of time educating advertisers how to screen for ads and this one should be a no-brainer for them," she said.
Facebook started noticing the suspect stimulus-related ads on its site about four to five weeks ago, before the FTC contacted the company, said Joe Sullivan, senior counsel for Facebook. Through Facebook's own ad screening and the "thumbs down" function that lets users give feedback on ads, it was able to identify the problem. Facebook launched a new policy this week to prohibit ads on its site with any obscure recurring billing schemes.
Spammers are also targeting consumers through e-mails that encourage consumers to click on a link within the message or to fill out attached forms to find out more about receiving stimulus funds. Clicking on the links or the attachments, however, can result in identity theft or in harmful software being downloaded to one's computer.
The FTC will not discuss ongoing investigations publicly, but Harrington said the deceptive negative-option marketing campaigns found on many of the fraudulent stimulus sites fit the profile of scams the FTC has already challenged in many law enforcement actions.
"The FTC has broad authority to challenge deceptive and unfair practices," she said.
Either through court proceedings or administrative challenges, the agency could take actions that could result in any number of consequences, such as prohibiting the use of certain ads or requesting that money be returned to consumers.
Update at 9:30 a.m. PST: A new chart has been added to the end of the article.
This was originally published in ZDNet's Between the Lines.
Identity theft cases surged in 2008, according to the Federal Trade Commission.
Last year, ID theft was by far the biggest complaint to the FTC, representing 26 percent of total problems reported. The next biggest one--third-party and creditor debt collection scams--represented only 9 percent of complaints.
The FTC's annual Consumer Sentinel Network report (PDF), released Thursday, details that ID theft complaints totaled nearly 314,000 in 2008, up from about 259,000 in 2007 and up substantially from about 31,000 in 2000.
The Consumer Sentinel Network is a secure online database that harvests complaints from law enforcement authorities, as well as other groups such as the Internet Crime Complaint Center and Better Business Bureau.
(Credit: FTC)
Here are the top 10 complaint categories, which often dovetail with the Internet.
(Credit: FTC)
E-mail is clearly the preferred means of propagating fraud. Scam artists are most likely going to nail you via e-mail. Phone scams have fallen from 11 percent to 7 percent from 2007 to 2008. My hunch: as more consumers use wireless as their primary phone, it's harder to track down victims.
(Credit: FTC)
What's also notable: the demographics. Twenty-somethings are most likely to get hit with ID theft.
(Credit: FTC)
Did your brother-in-law really send you a singing holiday card? Did a long-lost friend from college really include you on this year's list?
One inexpensive way to send holiday cheer may be to send e-cards, but security vendor AVG warned on Tuesday that online criminals are taking advantage of the fact most people don't know the difference between a legitimate e-card and one hosting malware.
Last week security vendors warned of a Trojan horse masquerading as holiday-themed e-cards from McDonald's, Coca-Cola, and Hallmark.
To better educate the public, AVG has launched a site, "Slam the Holiday Scam," co-sponsored with CyberStreetSmart.org and i-Safe, and is working to team with various online safety organizations such as the National Crime Prevention Council, the FTC's Bureau of Consumer Protection, CyberStreetSmart.org, i-Safe, the National Cyber Security Alliance, Consumers Union, and Protection from Brand Infection.
The tips, which should be familiar to most online users, include:
- Don't open attachments because most legitimate e-cards include links to the company's Web site that allow you to go directly to your card.
- If something looks a little strange or "phishy" just delete the card.
- Use security software on your desktop.
- Watch out for misspelled words or names, a disguised name (such as Your Friend, A Secret Admirer), or an odd URL.
- Always read the fine print before accepting any terms.