FBI: Expect more spam prosecutions

U.S. Internet users should expect a growing number of prosecutions for sending spam and related activities, such as creating botnets, officials with two U.S. law enforcement organizations said Thursday.

The U.S. Federal Bureau of Investigation has 70 active investigations into spam-related crimes, said FBI special agent J. Keith Mularski, speaking at the U.S. Federal Trade Commission’s spam summit. The FBI has worked with the National Cyber-Forensics and Training Alliance (NCFTA), a partnership between law enforcement agencies, universities, and private businesses, to identity spammers, he said.

The NCFTA, launched in 2002, has identified more than 100 “significant spammers,” including five tied to traditional organized crime, Mularski said.

Partnerships with industry are important to fight cybercrime, Mularski said. The Internet Crime Complaint Center, a joint operation of the FBI and the National White Collar Crime Center, gets more than 22,000 complaints about cybercrime each month, up from 18,000 complaints a month last year, he said.

“If we don’t address it together, it’s only going to get worse,” he said. “Industry has all the information, because these guys are hitting their networks.”

The U.S. Department of Justice is targeting several spam-related activities, added Mona Sedky Spivack, a trial attorney in the DOJ Criminal Division’s Computer Crime and Intellectual Property Section. In June, the DOJ and FBI launched Operation Bot Roast, targeting criminals who use networks of compromised computers, often called botnets, to send spam and launch distributed denial-of-service attacks.

In addition to targeting “bot herders,” criminals who control botnets, the DOJ will begin targeting “bot brokers,” the people who negotiate the sale of botnet resources, she said. “We’re going to start pegging them with some criminal liability,” she said. “There is a lot of money getting exchanged here.”

Botnets and anonymous proxies are popular with spammers right now because they don’t have to use their own computer resources to send the e-mail messages, Spivack said. This makes it more difficult for law enforcement agencies to track down spammers.

The DOJ and other federal agencies are also targeting stock-scheme spam campaigns, she said. In a typical “pump and dump” stock scheme, spammers buy cheap stocks, then send out huge volumes of spam telling recipients that the stock price is poised to rise. The stock price goes up because of the spam campaign, and the spammers sell their stock at a large profit.

On Tuesday, the U.S. Securities and Exchange Commission filed securities fraud charges against two Texas men for an alleged pump-and-dump scheme. The scheme allegedly cost investors $4.6 million.

Despite news reports of such schemes, they tend to work, Spivack said. “It appeals to unsophisticated investors who are day traders at home,” she said.

The U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act in 2003, and there’s still debate over whether the law has reduced the amount of spam U.S. Internet users receive. CAN-SPAM allows senders to deliver unsolicited commercial e-mail, but requires that they stop when a recipient asks them to. CAN-SPAM also requires that commercial e-mail have accurate header information, have a legitimate postal address for the sender, and have a working opt-out mechanism.

The law has given some spammers a set of rules they must follow to become legitimate marketers, said Aaron Kornblum, a senior attorney with Microsoft.

But law breakers have become inventive as law enforcement and private companies find new ways to combat spam, he added. Some spammers rotate the URLs in their spam, making it difficult to track, while others don’t include URLs at all, he said. Some used pixelated text to defeat spam filters.

“We need our investigative techniques to evolve,” he said.