1 1 FEDERAL TRADE COMMISSION 2 I N D E X 3 4 PAGE: 5 6 Introduction by Ms. Chriss 3 7 8 Remarks of Chairman Majoras 4 9 10 Defining the Problem 14 11 12 Evolving Methods for Sending Spam 13 and Malware 79 14 15 Uncovering the Malware Economy 150 16 17 Emerging Threats 211 18 19 20 21 22 23 24 25 For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 2 1 2 3 4 5 6 FTC SPAM SUMMIT: 7 8 THE NEXT GENERATION OF THREATS AND SOLUTIONS 9 10 11 12 FEDERAL TRADE COMMISSION 13 601 NEW JERSEY AVENUE, N.W. 14 WASHINGTON, D.C. 15 16 17 18 DAY 1 19 WEDNESDAY, JULY 11, 2007 20 21 22 23 24 25 For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 3 1 P R O C E E D I N G S 2 - - - - - 3 WELCOME 4 MS. CHRISS: Good morning, everyone. Hi there. 5 Please take your seats, we are about to begin. This is 6 it. Spam Summit, the Next Generation of Threats and 7 Solutions. I am so pleased and delighted to see all of 8 you here. This is wonderful. I see that we are going 9 to have some very good debate, just by the faces in the 10 audience. I recognize a lot of you from our past 11 events. So, thank you for being here. 12 Before we get started, I do have a few 13 housekeeping announcements. So, let's just get through 14 them. If you have a cell phone, or any other noise 15 maker, just turn it off. Just turn it off now. It is a 16 good time to turn it off. Otherwise, there's a risk, 17 you could receive spam from us if you don't, so turn it 18 off. Turn it off. 19 The other thing is, we are a Federal Government 20 agency and we do practice certain safety measures. If 21 there is an emergency, and that is very unlikely, you 22 have two exits, the way you came in, and then out 23 through the hallway and straight back. We also practice 24 something called shelter in place. If that happens, you 25 will go into the hallway and wait for further For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 4 1 instructions. 2 This is the meat of the matter: You, the 3 audience, are so integral to this, so I want to tell you 4 the three ways you have to participate. We will have a 5 roaming microphone at the end of each panel, so wait for 6 the mic, state your name and your affiliation and go for 7 it. The other way, if you're out there in webcast land, 8 you can email us at [email protected], and you can also 9 use your question note cards if you are in the room and 10 they will be provided to the moderators. So, we want to 11 hear from you. 12 Now, without further delay, I would like to 13 introduce our chairman. She is a leader in this 14 technology arena, and she has been so incredibly 15 supportive of all of our consumer protection efforts in 16 this area, and I'm so pleased to introduce, without 17 further ado, Chairman Deborah Platt Majoras. 18 (Applause.) 19 OPENING REMARKS BY CHAIRMAN MAJORAS 20 CHAIRMAN MAJORAS: Well, thank you. Wow, we 21 don't usually have a stage. Thank you so very much, 22 Sana, and thanks to you and your team for all the great 23 work putting this together. Welcome to everyone here. 24 I'm particularly grateful to all of our very 25 distinguished panelists for joining us for the next two For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 5 1 days. 2 In 1971, C. P. Snow, noted British author and 3 commentator on science and technology issues, said of 4 technology, "It brings you great gifts with one hand, 5 and it stabs you in the back with the other." Although 6 spam was known only as lunch meat, mystery meat, I don't 7 know, back in 1971 when he said this, his quote is 8 really spot-on with respect to email and spam. 9 Email technology has brought us great gifts in 10 the form of quick, efficient, ubiquitous communication, 11 but it's also brought us spam, which has the potential 12 to metaphorically stab us in the back by inundating 13 consumers' inboxes with unwanted email, facilitating 14 fraud and malware and frankly betraying consumers' trust 15 and confidence in the Internet and the electronic world. 16 In 2003, the FTC convened a spam forum to 17 discuss the technical, legal and financial issues 18 associated with spam. Now, today and tomorrow, in a 19 continuing effort to stay apprised of developments, we 20 want to explore the next generation of spam threats and 21 solutions. 22 The volume of unsolicited emails being reported 23 by email filtering companies is rising, creating 24 significant costs for businesses and consumers alike. 25 Botnets, the networks of hijacked personal computers For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 6 1 that spammers are using to conceal their identities, has 2 become the preferred method for sending spam. Even more 3 troubling, spam reaching consumers' inboxes is more 4 often being used to launch phishing attacks and to 5 deliver malicious code or malware to consumers' 6 computers. 7 This new generation of malicious spam goes 8 beyond mere annoyance. It can result in significant 9 harm to consumers and undermine the stability of the 10 Internet and of email in particular. 11 If you click on a link in an email message, you 12 may be lured to a website that will either trick you 13 into you divulging your personally identifying 14 information, or infect your computer with spyware or 15 other types of malware. Even merely opening a malicious 16 email can subject you to harm. The surreptitious 17 development of such malware can result in slow computer 18 performance at a minimum. Installation of key logger 19 software that can record and then report on your every 20 key stroke. The spread of computer viruses, and the 21 hijacking of your computer for use as a botnet. 22 In addition, new threats to communication media 23 other than email are knocking on the door. Spam's 24 cousins, spim, which is spam over instant messaging, 25 spit, spam over Internet telephony -- spam to mobile For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 7 1 devices threaten to undermine the benefits of mogul 2 services and Internet telephony in the same way as spam. 3 Social networking websites have become yet 4 another frontier for spam messages. The lessons we've 5 learned and continue to learn from spam, thus, are going 6 to be valuable as we address, or even better, try to 7 avoid similar problems in these other communications 8 technologies. 9 Now, we have to work to combat malicious spam in 10 several ways, and the first is through law enforcement. 11 We cannot permit the electronic frontier to become a 12 lawless world. The FTC has engaged in aggressive law 13 enforcement to combat spam, and since 1997, we have 14 aggressively pursued deceptive and unfair practices 15 perpetrated through spam in 89 law enforcement actions 16 against 142 individuals and 99 companies, with 26 of the 17 cases filed after Congress enacted the CAN-SPAM Act in 18 late 2003. 19 For example, in one recent case, FTC versus 20 Dugger, the FTC sought to stop the underlying use of 21 botnets to send spam. We allege that the defendants 22 relayed sexually explicit commercial emails through 23 other people's home computers without their knowledge or 24 consent, in violation of the CAN-SPAM Act, and under the 25 final order obtained in the case, these defendants are For The Record, Inc. (301) 870-8025 - www.ftrinc.net - (800) 921-5555 8 1 banned from continuing to violate the Act and they are 2 to turn over all of their ill-gotten gains. 3 Of course, malicious spam can also be used as a 4 means to disseminate spyware or other malware that 5 causes the same problems and the FTC has been actively 6 pursuing spyware companies using our authority under 7 Section 5 of the FTC Act, and we have brought about a 8 dozen law enforcement actions in the past two years. 9 In most instances, though, the acts of malicious 10 spammers are criminal. Criminal law enforcement 11 agencies are best suited to expertly shut down those 12 operations. So, for example, in June, the FBI and the 13 Department of Justice announced a crackdown on botnets 14 and those who control them. As part of this operation, 15 the FBI and DOJ identified more than one million 16 personal computers infected with malware that attack 17 them to be hijacked and used as a part an army of bots 18 to allow other computers to send malware and send spam. 19 Today the crackdown has noted three arrests: 20 Robert Soloway who allegedly sold spam kits and botnets 21 for spamming; James Brewer who allegedly compromised 22 more than 10,000 PCs around the world; and Jason Downey, 23 who allegedly ran a botnet used to conduct distributed 24 denial of service, DDoS attacks.