FTCThe United States District Court of Maryland ruled in favor of the Federal Trade Commission on Sept. 24, imposing a judgment of more than $163 million against the managers and directors of an enterprise whose sole function the FTC alleges was to defraud its customers with scareware.

Kristi Ross was the last card to fall in the case, but in the end, the court determined that she was in a ‘control position’ at Innovatve Marketing Inc., and thus was jointly liable with her co-defendants, Sam Jain, Daniel Sundin, Marc D’Souza, Maurice D’Souza, and James Reno.

In addition to the $163 million in profits that Ross, Jain, and Sundin must repay to their victims, Ross is permanently restrained from the sale of any software that interferes with consumers’ computers in addition to being banned from engaging in any form of deceptive marketing. Reno and the D’Souzas settled with the FTC in 2010 and are not responsible for the $163 million repayment.

Innovative Marketing Inc. perpetrated the scam, which claimed more than a million victims according to the FTC. They convinced advertising networks and popular websites to host advertisements that they claimed to be placing on behalf of legitimate organizations. In fact, the advertisements redirected users to sites under Innovative Marketing’s control. The sites hosted phony anti-virus scanners that claimed to find any number of security and privacy issues including viruses, spyware, system errors, and pornography on the computers of users that visited the sites. The scam made money, as most scareware and ransomware campaigns do, by then offering to sell victims products that would remove the non-existent problems from their machines.

The Maryland District Court forced Innovative Marketing and the related company ByteHosting to halt operations in late 2008 after the FTC made the court aware of the scareware scheme that was peddling fake computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. According to the court’s most recent opinion on the matter, most of these fake products, which were sold for $39.95 or more, were classified as threats by every major computer security vendor.

Following court decisions in 2008 and 2010, Ross remained the only defendant left who hadn’t settled with the FTC. She claimed that she was merely an employee of Innovative Marketing, and that she was never a ‘control person’ there, had no requisite knowledge of any misconduct, and bore no liability. The FTC thought otherwise, and was able to prove in court on Sept. 11 and 12 of this year that Ross not only had knowledge of the scam but also the authority to control deceptive practices, or, at the very least, displayed a reckless indifference or intentionally avoided the truth regarding the scam.

The FTC made its case by citing a number of internal communication logs from the company that clearly showed Ross controlling the content and appearance of the deceptive ads as well as reprimanding and disciplining departments when their work did not comply with her standards. Beyond this, there was a case in Canada in which Jain and Sundin sued D’Souza for allegedly embezzling some $48 million from them. Ross wasn’t named in the case, but she submitted an affidavit that accused D’Souza of extorting herself, Jain, and Sundin by offering them their rightful shares of Innovative Marketing’s profits in order to make a deal with him. Ross’s counsel attempted to argue that her knowledge of and involvement in the Canadian case stemmed from a romantic relationship with D’Souza, in which he confided in Ross that he intended on running off with the money. Ultimately, the court decided there was no evidence to back up that claim.

You can find the FTC press release here.

Categories: Malware, Social Engineering, Web Security