Investigations of malware dissemination are on the rise, as the Canadian Radio-television and Telecommunications Commission executes its second search warrant in as many months under Canada’s anti-spam legislation.
Yesterday, the CRTC, one of three agencies tasked with enforcing CASL, announced that it had raided two Niagara facilities allegedly set up to install malicious software on the computers of unwitting users.
The alleged perpetrators remain unnamed, and violations unspecified, but a similar takedown last month involved what is known as a “command-and-control” centre that uses servers to steal passwords and conduct remote attacks on corporate systems.
“We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation,” said Manon Bombardier, the CRTC’s chief compliance and enforcement officer, in a statement.
This is the second search warrant ever issued under CASL’s malware provisions, which went into force 12 months ago. In December, CRTC investigators — along with the FBI, Europol, Interpol and the RCMP — conducted a raid on a Toronto server responsible for disseminating a type of malware that has already infected over a million computers in more than 190 countries.
Corporations have also come to the aid of enforcement agencies, with Microsoft playing a key role in the first search warrant, and cyber-protection outfit FireEye tipping off authorities in the most recent investigation.
“We are grateful for the assistance that FireEye Inc. provided, which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats,” said Bombardier.
The involvement of tech companies like Microsoft and FireEye is something that caught the attention of Steve Szentesi, a competition and advertising lawyer who works with clients to ensure CASL compliance. Szentesi points to a parallel in the advertising space, where the U.S. Federal Trade Commission sponsored a contest where “white hat” hackers were invited to help the agency track down the origin of telemarketing fraudsters.
“I would be very interested to see whether, as in the United States with the FTC, we see the CRTC partnering with folks in the tech sector as an investigative tool.”
Szentesi is also curious to see what the penalties are going to be for intentional violations. To date, the CRTC has delivered a measured response, with negotiated settlements and modest penalties of around $50,000 for inadvertent compliance violations.
For intentional violations, however, Szentesi anticipates penalties in the millions: “A number of the cases that have come so far have been for allegedly failing to comply with the consent and ID-unsubscribe requirements, but now we’re starting to see some cases on the more fraudulent end of the spectrum. . . . I’m curious to see, once some of the malware cases or the botnet cases are resolved, whether we are going to see penalties closer to $10 million. That remains to be seen.”