Case Study

Evaluating software for spyware and fraud

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

After sheepishly telling their wives the same story, a number of men complained to the FTC that their computers had been compromised by certain software and that, as a result, the computers themselves dialed into pay-per-minute pornography web site.  Specifically, the men claimed that while innocently web browsing, they were victims of “drive-by downloads,” whereby a dialing program that was used to initiate pay-for-pornography viewing was downloaded to their computers without any user-initiated action. They claimed that the dialer then automatically dialed into the pay-per-minute pornography sites, resulting in significant charges on their phone bills. The men further claimed that the “uninstall” feature of the dialer failed to work and remove the program from their computers. Relying on these complaints, the FTC sued the Internet payment mechanism company that supplied the software dialer to the adult web sites. The FTC claimed that the alleged self-downloading and self-dialing of the software constituted fraud and computer hacking.

Options for testing such allegations included: testing the software under laboratory conditions to see whether it acts as alleged, and reverse-engineering the software code to determine whether it is programmed to act as alleged. In this case, the first method was more than sufficient. Stroz Friedberg constructed “clean” test machines, loaded with forensically wiped hard drives and minimal installations of Windows. Stroz Friedberg visited the web sites where the dialer could be obtained and determined, using a variety of browsers with a variety of Internet security settings, whether the dialer self-downloaded. By taking snapshots of the hard drives at various points, Stroz Friedberg could determine what content was placed on the drive as the result of specific events. We determined that the dialer was an Active X program which, like many other kinds of commercial Active X components, self-installs when browser security is set to “low.” Thus, although this partially confirmed the self-installing allegations, Stroz Friedberg was able to opine that this was a commercially normal event against which a computer user could protect by increasing the security settings to “medium” or “high.”

We conclusively determined, however, that the dialer did not self-dial. We downloaded the dialer to a half dozen clean test machines running Windows and Mac operating systems and a variety of web browsers. We left all machines connected to the Internet, and none self-dialed, as established by physical observation and after-the-fact analysis of the computers’ connection logs. We made video files of all of these sessions – some as long as 60 hours – to be able to show in court that the dialers did not launch themselves. Using a computer-video program called Camtasia, Stroz Friedberg also computer-videoed web browsing on some of the allegedly offending adult sites, and correlated that browsing with a forensic analysis of connection logs and credit card payment records to show that it was only after the user was warned that charges would be billed to the telephone line for viewing certain content and after that billable content was accessed that the user was, in fact, charged. This contradicted the complainants’ claim. Finally, we forensically tested the uninstall feature and determined that, although certain artifacts of the dialer remained on the computer after the uninstall command was run, the dialer was no longer functional.

Based on all of this analysis which was presented to a federal district judge, the FTC effectively dismissed the action.



Commentary, new discoveries, and innovative ideas right to your inbox.

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.